Prerequisites and Assumptions
This Captive Portal configuration assumes:
- The Palo Alto device has been set up with at least two security zones (in this example, 'Internal' and 'Sandbox', the latter being the protected resource), and a security policy has been created between the two zones.
- The GridGuard server (virtual appliance) has been set up and configured with a working RADIUS realm (as defined in the previous chapter).
Interface Management Setup
To allow the user to log in to the Captive Portal, the user-facing interface must be configured to allow certain protocols and options. These settings are found under Network -> Network Profiles -> Interface Mgmt.
- Make sure that, at a minimum, HTTP is checked.
- Response Pages MUST be checked in order to render the Captive Portal to the user.
- User-ID must also be checked in order to allow proper User-ID mappings.
Captive Portal Settings
- On the Device -> User Identification -> Captive Portal Settings page, enable Captive Portal.
- Set the Authentication Profile to the same profile used in the RADIUS setup, in this case 'GridRadius'.
- Select 'Redirect' as the mode.
- Make sure to set the Redirect Host to the IP address of the user-accessible interface of the Palo Alto device.