Captive portal is a feature on the PAN firewall that can be used for user identification. It provides user-to-IP mapping for machines that are not part of a domain, for example a mobile phone, a personal laptop, or a guest user's machine.
When a user tries to access HTTP or HTTPS sites, they are prompted with the captive portal authentication page. Once the user enters a username and password, they are allowed to access the internet, the firewall can enforce security policy based on the username, and the traffic log will show the username.
Note: Captive portal is prompted only for users whose user-to-IP mapping is not present on the firewall. If the user-to-IP mapping is already present, the firewall will not prompt for captive portal.
Use the following command to check whether a user-to-IP mapping is present:
show user ip-user-mapping all
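The check from the note above, as an added example that is not part of the original post: it parses saved output of this command and reports which client IPs have no mapping (and so are candidates for the portal prompt) and which users were mapped by captive portal. The sample output is constructed; the column layout and the "CP" value in the From column are assumptions about the typical output and may differ between PAN-OS versions.

```python
import ipaddress

# Constructed sample of `show user ip-user-mapping all` output (not from the page).
# Assumed columns: IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s).
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.1.20       vsys1  CP      guest1                           2480           2480
10.1.1.31       vsys1  AD      corp\\alice                       2700           2700
10.1.1.45       vsys1  CP      guest2                           1200           1200
Total: 3 users
"""


def parse_mappings(cli_output):
    """Return {ip: {"vsys", "source", "user"}} for every data row in the table."""
    mappings = {}
    for line in cli_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank lines and the "Total: N users" footer
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # header and separator rows do not start with an IP address
        # Assumes user names contain no spaces.
        mappings[ip] = {"vsys": fields[1], "source": fields[2], "user": fields[3]}
    return mappings


def classify_clients(cli_output, client_ips):
    """Split client IPs into unmapped (portal prompt expected) and already mapped."""
    mappings = parse_mappings(cli_output)
    wanted = [str(ipaddress.ip_address(ip)) for ip in client_ips]
    prompted = [ip for ip in wanted if ip not in mappings]
    mapped = {ip: mappings[ip] for ip in wanted if ip in mappings}
    return prompted, mapped


def captive_portal_users(cli_output):
    """Users whose mapping source is captive portal (From column assumed to be "CP")."""
    rows = parse_mappings(cli_output).values()
    return sorted(row["user"] for row in rows if row["source"] == "CP")


if __name__ == "__main__":
    prompted, mapped = classify_clients(SAMPLE_OUTPUT, ["10.1.1.20", "10.1.1.31", "10.1.1.99"])
    print("No mapping, portal expected:", prompted)
    print("Mapped by captive portal:", captive_portal_users(SAMPLE_OUTPUT))
```

An unmapped IP is only prompted if its traffic also matches a captive portal policy, so treat the first list as candidates rather than a guarantee.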
Configuration is as follows:
1> Create an authentication profile. This authentication profile will be used to authenticate users against a local database, LDAP, RADIUS, TACACS+, or Kerberos. In this example I am using the local database and allowing all users in the local database to authenticate.
Go to Device > Authentication Profile
2> Configure captive portal settings:
Go to Device > User Identification > Captive Portal
Select the configured authentication profile. Make sure captive portal is enabled.
3> Enable user identification on the source zone: Identify the zone where the user resides and enable user identification on that zone.
4> Captive portal policy: Configure a captive portal policy to specify which traffic requires captive portal. For example, prompt for captive portal on any traffic coming from the trust zone or a particular subnet.
Test if captive portal works:
Open a browser on a test system. Try to open a website that falls under the category specified in the captive portal rule. In the above example, we have to open a website that falls under the shopping category.
To check which category a website belongs to, use the following CLI command:
test url www.flipkart.com
When you open http://www.flipkart.com in a web browser, the URL changes to http://www.flipkart.com:6081/php/ and you get a certificate warning. After clicking Advanced, you get the captive portal authentication page. To avoid the certificate warning, use captive portal in Redirect mode.