Occasional Contributor I

Instant and Palo Alto Captive Portal

G'day everyone,

 

I'm having a few issues with a wireless deployment. Basically, I have a Palo Alto firewall and Aruba IAP-215s, and I've configured multiple SSIDs. One of the SSIDs uses 802.1x authentication for staff to access using their domain credentials.

 

Every user that authenticates with 802.1x on that SSID is then further presented with the Palo Alto captive portal page to again sign in with their user credentials.

 

Now I've been reading a bit about the Network Integration capability with PAN-OS and the ability to pass user-id to the firewall. Documentation is a bit vague on whether this will resolve my issue, as I simply want users to be able to authenticate once and have the credentials passed to the PAN, therefore preventing them from having to authenticate a second time.

 

Can anyone please lend some assistance or provide some documentation if this is possible?

Guru Elite

Re: Instant and Palo Alto Captive Portal

Have you already seen this documentation?  http://www.arubanetworks.com/techdocs/ArubaOS_65x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/PAN Firewall Integration/PAN Firewall Integration.htm%3FTocPath%3DArubaOS%2520User%2520Guide%2520Topics%7CPAN%2520Firewall%2520Integration%7C_____0

 

http://www.arubanetworks.com/pdf/partners/SG_PaloAltoNetworks.pdf

 

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Instant and Palo Alto Captive Portal

Hey Colin,

 

Thanks for your reply. This gives a lot of good info: http://www.arubanetworks.com/pdf/partners/SG_PaloAltoNetworks.pdf

 

Thanks for that.

 

I've now got it configured, however I'm seeing some errors in the logs.

 

Errors below:

 

Jan 25 13:49:18  awc[3596]: awc_init_connection: 2129: connecting to xxx.xxx.xxx.xxx:443
Jan 25 13:49:18 awc[3596]: tcp_connect: 167: recv timeout set to 5
Jan 25 13:49:18 awc[3596]: tcp_connect: 174: send timeout set to 5
Jan 25 13:49:18 awc[3596]: awc_init_connection: 2170: connected to xxx.xxx.xxx.xxx:443
Jan 25 13:49:18 awc[3596]: awc_init_connection: 2306: Connected
Jan 25 13:49:18 awc[3596]: Message over SSL from xxx.xxx.xxx.xxx, SSL_read() returned 640, errstr=Success, Message is "HTTP/1.1 200 OK^M Server: ^M Date: Wed, 25 Jan 2017 04:19:18 GMT^M Content-Type: application/xml; charset=UTF-8^M Content-Length: 123^M Connection: close^M ETag: "2474e-12b-57054661"^M Pragma: no-cache^M Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0^M Access-Control-Allow-Origin: ^M Expires: Thu, 19 Nov 1981 08:52:00 GMT^M X-FRAME-OPTIONS: SAMEORIGIN^M Status : 403 Type [user-id] not authorized for user role.^M Set-Cookie: PHPSESSID=5093a2c15d0f83e31efce9560ac932e9; path=/; secure; HttpOnly^M ^M <response status = 'error' code = '403'><result><msg>Type [user-id] not authorized for user role.</msg></result></response>", AWC response: (null)
Jan 25 13:49:18 awc[3596]: Message over SSL from xxx.xxx.xxx.xxx, SSL_read() returned 0, errstr=Success, Message is "", AWC response: HTTP/1.1 200 OK^M Server: ^M Date: Wed, 25 Jan 2017 04:19:18 GMT^M Content-Type: application/xml; charset=UTF-8^M Content-Length: 123^M Connection: close^M ETag: "2474e-12b-57054661"^M Pragma: no-cache^M Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0^M Access-Control-Allow-Origin: ^M Expires: Thu, 19 Nov 1981 08:52:00 GMT^M X-FRAME-OPTIONS: SAME ORIGIN^M Status: 403 Type [user-id] not authorized for user role.^M Set-Cookie: PHPSESSID=5093a2c15d0f83e31efce9560ac932e9; path=/; secure; HttpOnly^M ^M <response status = 'error' code = '403'><result><msg>Type [user-id] not authorized for user role.</msg></result></response>
Jan 25 13:49:18 awc[3596]: parse_awc_header: 864: ssl_read from xxx.xxx.xxx.xxx failure 0 error_count 1
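
An added example, not part of the original posts and not Aruba or Palo Alto code: a short Python parser for awc log lines like the ones above, which reports replies where the HTTP status line says 200 but the XML body carries an API-level error. The sample log is constructed from the lines in the post, with 192.0.2.10 as a placeholder address, and the function name is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the awc lines in the post (placeholder address).
SAMPLE_LOG = (
    'Jan 25 13:49:18 awc[3596]: awc_init_connection: 2306: Connected\n'
    'Jan 25 13:49:18 awc[3596]: Message over SSL from 192.0.2.10, SSL_read() returned 640, '
    'errstr=Success, Message is "HTTP/1.1 200 OK^M Content-Type: application/xml; charset=UTF-8^M '
    'Connection: close^M ^M <response status = \'error\' code = \'403\'><result><msg>Type [user-id] '
    'not authorized for user role.</msg></result></response>", AWC response: (null)\n'
)

# HTTP status line and XML body as they appear inside the quoted "Message is" field.
HTTP_STATUS = re.compile(r'Message is "HTTP/\d\.\d (\d{3})')
API_XML = re.compile(r'Message is ".*?(<response\b.*?</response>)"')

def api_failures(log_text):
    """Return one dict per awc line whose embedded XML reply is not a success."""
    findings = []
    for line in log_text.splitlines():
        http = HTTP_STATUS.search(line)
        xml = API_XML.search(line)
        if not (http and xml):
            continue  # connection chatter, or the repeated copy with an empty Message
        try:
            root = ET.fromstring(xml.group(1))
        except ET.ParseError:
            continue  # truncated or mangled body; skip rather than guess
        if root.get("status") == "success":
            continue
        findings.append({
            "time": line[:15],                      # syslog timestamp, e.g. "Jan 25 13:49:18"
            "http_status": int(http.group(1)),      # transport-level status
            "api_status": root.get("status"),       # API-level status from the XML body
            "api_code": root.get("code"),
            "msg": (root.findtext("result/msg") or "").strip(),
        })
    return findings

if __name__ == "__main__":
    for finding in api_failures(SAMPLE_LOG):
        print(finding)
```

Alerting on the HTTP status alone would miss this failure, since the firewall answers 200 and reports the 403 only inside the XML body.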

 
