
Lab Scenario: Authentication Portal (aka: Captive Portal)

In this lab, you will:

- Configure Captive Portal

Scenario

Configure the environment to use Authentication Portal.

©2016, Palo Alto Networks, Inc. | 1


Lab Solution: Advanced User-ID

<Internal Interface> : ethernet1/2

Prepare the Firewall for Authentication Portal

Load Lab Configuration


1. In the WebUI select Device > Setup > Operations.
2. Click Load named configuration snapshot:

3. Select edu-210-lab-09 and click OK.


4. Click Close.
5. Commit all changes.

6. From the firewall WebUI, select Network > Network Profiles > Interface Mgmt.
7. Verify that the ping-response-pages profile has Response Pages selected.
8. Select Network > Interfaces > Ethernet.
9. Verify that <Internal Interface> is assigned the ping-response-pages profile.
10. Select Network > Zones.
11. Click Inside. The Zone window opens.
12. Check the check box for Enable User Identification.
13. Click OK.

Configure LDAP Authentication Profile


Create a Server Profile so that the firewall can pull group and user information from Active
Directory.

1. In the WebUI select Device > Server Profiles > LDAP.

2. Click Add and configure the following:

   Parameter      Value
   Profile Name   lab-active-directory


3. Locate the server list on the left side of the window and click Add.
4. Configure the following:

   Parameter     Value
   Name          lab-client
   LDAP Server   192.168.1.20
   Port          389

5. Locate Server Settings on the right side of the window and configure the following:

   Parameter                            Value
   Require SSL/TLS secured connection   Deselect the check box (make sure to do this first)
   Type                                 active-directory
   Base DN                              DC=lab,DC=local
   Bind DN                              lab-user-id@lab.local
   Password                             Pal0Alt0

6. Click OK to close the LDAP Server Profile configuration window.

9.3 Configure User-ID Group Mapping


Define which users and groups will be available when creating policy rules.



1. In the WebUI select Device > User Identification > Group Mapping Settings.

2. Click Add to open the Group Mapping configuration window.

3. Configure the following on the WMI Authentication tab:

   Parameter        Value
   Name             lab-group-mapping
   Server Profile   lab-active-directory
   (all other fields will autopopulate)

4. Click the Group Include List tab and configure the following:

   Parameter    Value
   Search box   lab users

5. Click OK.
14. Select Device > Authentication Profile.
15. Select Add. The Authentication Profile window opens.

Configure the following:

   Parameter        Value
   Name             PAN-LDAP

   Authentication tab
   Type             LDAP
   Server Profile   lab-active-directory
   User Domain      <Domain>

   Advanced tab (click the Advanced tab)
   Add usergroup    all

Click OK.

Configure Authentication Portal


16. Select Device > User Identification.
17. Select the Captive Portal Settings tab.
18. Click the round button in the upper right corner of the Authentication Portal panel to
configure a new Authentication Portal.

   Parameter                      Value
   Enable Authentication Portal   Verify that the check box is checked
   Authentication Profile         Select PAN-LDAP
   Mode                           Select Redirect
   Redirect Host                  Enter 192.168.1.1


19. Click OK to close the Authentication Portal Configuration window.
20. Select Policies > Authentication Portal.
21. Click Add and create a new Authentication Portal Policy:

   General tab
   Name                 Enter CP-Policy

   Source tab
   Source Zone          Click Add and select Inside

   Destination tab
   Destination Zone     Click Add and select Outside

   Service/URL Category tab
   Service              Verify that service-http is listed

   Actions tab
   Actions              Select web-form

22. Click OK to close the Authentication Portal Policy Configuration window.

23. Commit all changes. Ignore any warnings.

Test Authentication Portal


24. From the desktop, open a new browser and test connectivity to
http://www.panedufiles.com or any other site that is allowed by the current
Security Policy Rules.
25. If a certificate error appears, click through it.
26. You are prompted for a username and password by Authentication Portal. If the
    prompt does not appear, the user may already be known. Try using these CLI
    commands:
      show user ip-user-mapping all
      clear user-cache-mp all
      clear user-cache all
27. Enter your lab-user (without the domain name) and Pal0Alt0. You are
    authenticated and permitted into the site.
28. Click some links and open some other pages to generate some web traffic.
29. Use PuTTY to connect to your firewall over SSH at 192.168.1.254.
30. Verify that your identity was recorded by Authentication Portal with this command:
      show user ip-user-mapping all



31. Log out of PuTTY.
32. From the WebUI, select Monitor > Logs > Traffic.
33. If the Source User column is not displayed, hover your mouse over any column title
and then click the downward arrow to the right of any column to display the list of
possible columns. Check the check box next to Source User. The Source User
column is displayed.
34. Note that the source user is identified for the Web-browsing traffic generated from
your desktop.
35. Select Policies > Authentication Portal and disable the CP-Policy-1
Authentication Portal Policy.
36. Commit the changes.
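Steps 30 and 33-34 are verified by eye in the lab. As an added example (not part of the original lab guide or Palo Alto Networks' own tooling), the following Python performs the same two checks over saved output: it parses a constructed sample shaped like `show user ip-user-mapping all` and a constructed CSV export of Monitor > Logs > Traffic, then confirms that the desktop IP is mapped to the lab user by the captive portal and that every traffic-log row from that IP carries a Source User. The column layout, the "CP" and "AD" codes in the From column, the CSV column names and the desktop IP 192.168.1.50 are assumptions modelled on the firewall's output, not copied from it; run it against your own captured output by swapping in the two strings.

```python
import csv
import io
import re

# Constructed sample in the shape of `show user ip-user-mapping all` output.
# Column layout and the From codes (CP = captive portal, AD = User-ID agent)
# are assumptions for this example, not verbatim firewall output.
SAMPLE_MAPPING = """\
IP               Vsys   From  User             IdleTimeout(s)  MaxTimeout(s)
---------------  -----  ----  ---------------  --------------  -------------
192.168.1.50     vsys1  CP    lab\\lab-user     2700            2700
192.168.1.30     vsys1  AD    lab\\alice        1500            2700
Total: 2 users
"""

# Constructed traffic-log export (Monitor > Logs > Traffic, exported as CSV);
# only the columns this check needs are included, and the column names are assumed.
SAMPLE_TRAFFIC_CSV = """\
Receive Time,Source address,Destination address,Source User,Application,Rule
2016/05/10 10:01:12,192.168.1.50,203.0.113.10,lab\\lab-user,web-browsing,allow-web
2016/05/10 10:01:13,192.168.1.50,203.0.113.10,lab\\lab-user,ssl,allow-web
2016/05/10 10:02:40,192.168.1.40,203.0.113.11,,web-browsing,allow-web
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_ip_user_mapping(text):
    """Return {ip: {"vsys", "from", "user"}} from ip-user-mapping output.

    Header, separator and 'Total:' lines are skipped because only data rows
    start with an IPv4 address.
    """
    mappings = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not IPV4.match(fields[0]):
            continue
        ip, vsys, source, user = fields[:4]
        mappings[ip] = {"vsys": vsys, "from": source, "user": user}
    return mappings


def unidentified_sources(traffic_csv):
    """Source IPs that generated traffic with an empty Source User column,
    i.e. hosts no User-ID method (agent, portal, ...) has mapped yet."""
    reader = csv.DictReader(io.StringIO(traffic_csv))
    return sorted({row["Source address"] for row in reader if not row["Source User"]})


def verify_portal_identity(mapping_text, traffic_csv, client_ip, expected_user):
    """Automate the lab's manual checks for one client:
    - the client IP appears in the ip-user-mapping table (step 30),
    - the mapping came from the captive portal rather than another source,
    - all traffic-log rows from the client carry the expected user (steps 33-34).
    """
    mapping = parse_ip_user_mapping(mapping_text).get(client_ip)
    reader = csv.DictReader(io.StringIO(traffic_csv))
    client_rows = [r for r in reader if r["Source address"] == client_ip]
    logged_users = {r["Source User"] for r in client_rows}
    return {
        "mapped": mapping is not None,
        "mapped_user": mapping["user"] if mapping else None,
        "via_captive_portal": bool(mapping and mapping["from"] == "CP"),
        "traffic_rows": len(client_rows),
        "all_traffic_identified": bool(client_rows) and logged_users == {expected_user},
    }


if __name__ == "__main__":
    result = verify_portal_identity(SAMPLE_MAPPING, SAMPLE_TRAFFIC_CSV,
                                    "192.168.1.50", "lab\\lab-user")
    for key, value in result.items():
        print(f"{key}: {value}")
    print("unidentified sources:", unidentified_sources(SAMPLE_TRAFFIC_CSV))
```

The `unidentified_sources` helper is the useful complement to the lab's check: after enabling the portal policy, any inside host that still shows up without a Source User is either not matching the CP-Policy rule (wrong zone or service) or is being served from a stale cache, which is exactly the situation the `clear user-cache` commands in step 26 address.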



