{"id":125,"date":"2022-04-25T07:32:34","date_gmt":"2022-04-25T11:32:34","guid":{"rendered":"https:\/\/pressbooks.bccampus.ca\/paloalto\/?post_type=chapter&p=125"},"modified":"2026-02-19T15:32:11","modified_gmt":"2026-02-19T20:32:11","slug":"captive-portal","status":"publish","type":"chapter","link":"https:\/\/pressbooks.bccampus.ca\/paloalto\/chapter\/captive-portal\/","title":{"raw":"3.1 Captive Portal","rendered":"3.1 Captive Portal"},"content":{"raw":"
\r\n

Learning Objectives<\/p>\r\n\r\n<\/header>\r\n

\r\n
    \r\n \t
  • Configure VLANs<\/li>\r\n \t
  • Configure captive portal<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n
    \r\n\r\nPrerequisites<\/strong>:\r\n
      \r\n \t
    • Setup Zones<\/li>\r\n \t
    • Some interface configuration<\/li>\r\n \t
    • Configuring VLANs on the GNS3 switch<\/li>\r\n \t
    • Knowledge of previous labs<\/li>\r\n<\/ul>\r\n<\/div>\r\n
      \r\n\r\nScenario<\/strong>: Now let's push for some advanced networking configurations. Sometimes you just have to push departments into their own VLANs for organization and compliance. Say we have a guest and employee network. We want to prevent communication between the two as much as possible. We would also want to implement some sort of login to access the internet for guests, much like hotels.\r\n\r\n<\/div>\r\n\r\n[caption id=\"attachment_252\" align=\"aligncenter\" width=\"1073\"]\"Main Figure 3.1: Main scenario[\/caption]\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
      Table 3.1: Addressing Table<\/caption>\r\n
      Device<\/th>\r\nConfiguration<\/th>\r\n<\/tr>\r\n
      PaloAlto-1<\/td>\r\nmanagement: 192.168.0.1\/24\r\nEthernet1\/1: Trunking\r\nEthernet1\/1.10: 10.10.10.1\/24\r\nEthernet1\/1.20: 20.20.20.1\/24\r\nEthernet1\/2: DHCP<\/td>\r\n<\/tr>\r\n
      VLAN-10<\/td>\r\neth0: 10.10.10.10\/24 GW: 10.10.10.1 DNS: 8.8.8.8<\/td>\r\n<\/tr>\r\n
      VLAN-20<\/td>\r\neth0: 20.20.20.20\/24 GW: 20.20.20.1 DNS: 8.8.8.8<\/td>\r\n<\/tr>\r\n
      Management<\/td>\r\neth0: 192.168.0.2\/24<\/td>\r\n<\/tr>\r\n
      Switchy<\/td>\r\ne0: Access mode, VLAN 10\r\ne1: Access mode, VLAN 20\r\ne7: dot1q, VLAN 1<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n\r\n\r\n\r\n\r\n\r\n
      Table 3.2: Zone Configuration<\/caption>\r\n
      Zone<\/th>\r\nInterface<\/th>\r\n<\/tr>\r\n
      VLAN10<\/td>\r\nEthernet1\/1.10<\/td>\r\n<\/tr>\r\n
      VLAN20<\/td>\r\nEthernet1\/1.20<\/td>\r\n<\/tr>\r\n
      Outside<\/td>\r\nEthernet1\/2<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n

      Configure Sub Interfaces<\/h2>\r\nUnder Network > Interfaces<\/strong>. Click on ethernet1\/1.<\/strong>\r\n\r\n[caption id=\"attachment_407\" align=\"aligncenter\" width=\"1026\"]\"Ethernet Figure 3.2: Ethernet 1\/1 configuration[\/caption]\r\n\r\nIn this window, we just want to set the interface type to layer 3<\/strong>.\r\n\r\n[caption id=\"attachment_408\" align=\"aligncenter\" width=\"1026\"]\"Set Figure 3.3: Set Interface type to Layer3[\/caption]\r\n\r\nThen press OK<\/strong>.\r\n\r\nNow while ethernet1\/1<\/strong> is still selected, click on add sub interface.\r\n\r\n[caption id=\"attachment_409\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.4: Add Sub interfaces[\/caption]\r\n\r\nWe want to add 2 sub-interfaces. Here is what you should configure:\r\n\r\n\r\n\r\n\r\n
      Table 3.3: Sub Interface Configuration<\/caption>\r\n
      Interface<\/th>\r\nConfiguration<\/th>\r\n<\/tr>\r\n
      Ethernet1\/1.10<\/td>\r\nInterface Name: 10<\/span>\r\nTag: 10<\/span>\r\nConfig tab:<\/strong><\/span>\r\n- Virtual Router: default\r\n<\/em>- Security Zone: VLAN10\r\n<\/em>IPv4:<\/strong>\r\n<\/em>- Type: Static\r\n- IP: 10.10.10.1\/24<\/em><\/span><\/td>\r\n<\/tr>\r\n
      Ethernet1\/1.20<\/span><\/td>\r\nInterface Name: 20<\/span>\r\nTag: 20<\/span>\r\nConfig tab:<\/strong><\/span>\r\n- Virtual Router: default\r\n<\/em>- Security Zone: VLAN20\r\n<\/em>IPv4:<\/strong>\r\n<\/em>- Type: Static\r\n- IP: 20.20.20.1\/24<\/em><\/span><\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n[caption id=\"attachment_410\" align=\"aligncenter\" width=\"550\"]\"Verify Figure 3.5: Verify Sub interfaces[\/caption]\r\n

      Semi-Advanced Security Policies<\/h2>\r\nWell, it's not really advanced, but under Policies > Security<\/strong>, click Add<\/strong>.\r\n\r\n[caption id=\"attachment_411\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.6: Add a Security Policy[\/caption]\r\n\r\nWe will be making a policy to allow VLAN10<\/strong> and VLAN20<\/strong> into the Outside zone. We can do this by adding multiple zones under the source zone.\r\n\r\n[caption id=\"attachment_412\" align=\"aligncenter\" width=\"1026\"]\"Security Figure 3.7: Security Policy Rule - Source Zone[\/caption]\r\n\r\nThen click OK<\/strong>.\r\n

      Semi-Advanced NAT Policies<\/h2>\r\nStill not really advanced. But under Policies > NAT<\/strong>, click Add<\/strong>.\r\n\r\n[caption id=\"attachment_623\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.8: Add a NAT Policy[\/caption]\r\n\r\nWe want to make a Static NAT policy for the Internet connectivity. But under the Original Packet tab, we can select multiple zones.\r\n\r\n[caption id=\"attachment_413\" align=\"aligncenter\" width=\"1026\"]\"Select Figure 3.9: Select the Source Zone[\/caption]\r\n\r\nConfigure the rest for static NAT, then press OK<\/strong>.\r\n\r\n[caption id=\"attachment_624\" align=\"aligncenter\" width=\"1026\"]\"SNAT Figure 3.10: SNAT Translated Packet Tab[\/caption]\r\n

      Add a User<\/h2>\r\nUnder Device > Local User Database > Users<\/strong>. Click Add<\/strong>.\r\n\r\n[caption id=\"attachment_414\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.11: Add Users[\/caption]\r\n\r\nCreate any user you want with a username and password. Here is an example:\r\n\r\n[caption id=\"attachment_262\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.12: Add a user xav[\/caption]\r\n\r\nThen click OK<\/strong>.\r\n

      Create an Authentication Profile<\/h2>\r\nUnder Device > Authentication Profile<\/strong>, click Add<\/strong>.\r\n\r\n[caption id=\"attachment_415\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.13: Add an Authentication Profile[\/caption]\r\n\r\nUnder the Authentication tab, change the type to Local Database.\r\n\r\n[caption id=\"attachment_416\" align=\"aligncenter\" width=\"1026\"]\"Select Figure 3.14: Select Local Database[\/caption]\r\n\r\nUnder the Advanced tab, add your user.\r\n\r\n[caption id=\"attachment_265\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.15: Add user xav as Allow List[\/caption]\r\n\r\nThen press OK<\/strong>.\r\n

      Configure the Captive Portal<\/h2>\r\nUnder Device, User Identification in the Authentication Portal Settings tab, click the settings icon.\r\n\r\n[caption id=\"attachment_417\" align=\"aligncenter\" width=\"1026\"]\"Authentication Figure 3.16: Authentication Portal Settings[\/caption]\r\n\r\nConfigure these settings:\r\n\r\n\r\n\r\n\r\n\r\n
      Table 3.4: Authentication Portal Configuration<\/caption>\r\n
      Parameter<\/th>\r\nValue<\/th>\r\n<\/tr>\r\n
      Enable Authentication Portal<\/td>\r\nTick this box<\/em><\/td>\r\n<\/tr>\r\n
      Authentication Profile<\/td>\r\nSelect the one you created<\/em><\/td>\r\n<\/tr>\r\n
      Mode<\/td>\r\nTransparent<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n[caption id=\"attachment_267\" align=\"aligncenter\" width=\"1026\"]\"Authentication Figure 3.17: Authentication Portal Settings - Select Transparent[\/caption]\r\n\r\nThen press OK<\/strong>.\r\n\r\nUnder Network > Zones<\/strong>, click on the VLAN10 zone.\r\n\r\n[caption id=\"attachment_418\" align=\"aligncenter\" width=\"1026\"]\"Select Figure 3.18: Select Vlan 10[\/caption]\r\n\r\nIn this window, we just want to tick the Enable User Identification<\/strong> checkbox.\r\n\r\n[caption id=\"attachment_419\" align=\"aligncenter\" width=\"1026\"]\"Enable Figure 3.19: Enable User Identification[\/caption]\r\n\r\nThen press OK<\/strong>.\r\n\r\nFinally, under Policies > Authentication<\/strong>. Click Add<\/strong>.\r\n\r\n[caption id=\"attachment_420\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.20: Add an authentication Policy[\/caption]\r\n\r\nUnder the Source tab, add VLAN 10<\/strong> in the source zone.\r\n\r\n[caption id=\"attachment_421\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.21: Add the Source Zone[\/caption]\r\n\r\nUnder the Destination tab, add Outside in Destination Zone<\/strong>.\r\n\r\n[caption id=\"attachment_422\" align=\"aligncenter\" width=\"1026\"]\"Add Figure 3.22: Add the Destination Zone[\/caption]\r\n\r\nUnder Actions, change the Authentication Enforcement setting, change it to default-web-form<\/strong>.\r\n\r\n[caption id=\"attachment_423\" align=\"aligncenter\" width=\"1026\"]\"Select Figure 3.23: Select default-web-form[\/caption]\r\n\r\nThen press OK<\/strong>.\r\n

      Test VLANs and Captive Portal<\/h2>\r\nOn the VLAN-20 webterm, navigate to any website. If all was right, the desired website should appear.\r\n\r\n[caption id=\"attachment_274\" align=\"aligncenter\" width=\"1026\"]\"Verify Figure 3.24: Verify your configuration[\/caption]\r\n\r\nOn the VLAN-10 webterm, navigate to any website. If all was right, you should see a certificate error, accept this. Then you should see a login page.\r\n\r\n[caption id=\"attachment_275\" align=\"aligncenter\" width=\"1026\"]\"Login Figure 3.25: Login Page[\/caption]\r\n\r\nEnter your credentials and log in. If all was successful, you should see the website appear.\r\n\r\n[caption id=\"attachment_276\" align=\"aligncenter\" width=\"1026\"]\"Verify Figure 3.26: Verify your configuration[\/caption]","rendered":"
      \n
      \n

      Learning Objectives<\/p>\n<\/header>\n

      \n
        \n
      • Configure VLANs<\/li>\n
      • Configure captive portal<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
        \n

        Prerequisites<\/strong>:<\/p>\n

          \n
        • Setup Zones<\/li>\n
        • Some interface configuration<\/li>\n
        • Configuring VLANs on the GNS3 switch<\/li>\n
        • Knowledge of previous labs<\/li>\n<\/ul>\n<\/div>\n
          \n

          Scenario<\/strong>: Now let’s push for some advanced networking configurations. Sometimes you just have to push departments into their own VLANs for organization and compliance. Say we have a guest and employee network. We want to prevent communication between the two as much as possible. We would also want to implement some sort of login to access the internet for guests, much like hotels.<\/p>\n<\/div>\n

          \"Main
          Figure 3.1: Main scenario<\/figcaption><\/figure>\n\n\n\n\n\n\n\n\n
          Table 3.1: Addressing Table<\/caption>\n
          Device<\/th>\nConfiguration<\/th>\n<\/tr>\n
          PaloAlto-1<\/td>\nmanagement: 192.168.0.1\/24
          \nEthernet1\/1: Trunking
          \nEthernet1\/1.10: 10.10.10.1\/24
          \nEthernet1\/1.20: 20.20.20.1\/24
          \nEthernet1\/2: DHCP<\/td>\n<\/tr>\n
          VLAN-10<\/td>\neth0: 10.10.10.10\/24 GW: 10.10.10.1 DNS: 8.8.8.8<\/td>\n<\/tr>\n
          VLAN-20<\/td>\neth0: 20.20.20.20\/24 GW: 20.20.20.1 DNS: 8.8.8.8<\/td>\n<\/tr>\n
          Management<\/td>\neth0: 192.168.0.2\/24<\/td>\n<\/tr>\n
          Switchy<\/td>\ne0: Access mode, VLAN 10
          \ne1: Access mode, VLAN 20
          \ne7: dot1q, VLAN 1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n\n\n
          Table 3.2: Zone Configuration<\/caption>\n
          Zone<\/th>\nInterface<\/th>\n<\/tr>\n
          VLAN10<\/td>\nEthernet1\/1.10<\/td>\n<\/tr>\n
          VLAN20<\/td>\nEthernet1\/1.20<\/td>\n<\/tr>\n
          Outside<\/td>\nEthernet1\/2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

          Configure Sub Interfaces<\/h2>\n

          Under Network > Interfaces<\/strong>. Click on ethernet1\/1.<\/strong><\/p>\n

          \"Ethernet
          Figure 3.2: Ethernet 1\/1 configuration<\/figcaption><\/figure>\n

          In this window, we just want to set the interface type to layer 3<\/strong>.<\/p>\n

          \"Set
          Figure 3.3: Set Interface type to Layer3<\/figcaption><\/figure>\n

          Then press OK<\/strong>.<\/p>\n

          Now while ethernet1\/1<\/strong> is still selected, click on add sub interface.<\/p>\n

          \"Add
          Figure 3.4: Add Sub interfaces<\/figcaption><\/figure>\n

          We want to add 2 sub-interfaces. Here is what you should configure:<\/p>\n\n\n\n\n\n
          Table 3.3: Sub Interface Configuration<\/caption>\n
          Interface<\/th>\nConfiguration<\/th>\n<\/tr>\n
          Ethernet1\/1.10<\/td>\nInterface Name: 10<\/span>
          \nTag: 10<\/span>
          \nConfig tab:<\/strong><\/span>
          \n– Virtual Router: default
          \n<\/em>– Security Zone: VLAN10
          \n<\/em>IPv4:<\/strong>
          \n<\/em>– Type: Static
          \n– IP: 10.10.10.1\/24<\/em><\/span><\/td>\n<\/tr>\n
          Ethernet1\/1.20<\/span><\/td>\nInterface Name: 20<\/span>
          \nTag: 20<\/span>
          \nConfig tab:<\/strong><\/span>
          \n– Virtual Router: default
          \n<\/em>– Security Zone: VLAN20
          \n<\/em>IPv4:<\/strong>
          \n<\/em>– Type: Static
          \n– IP: 20.20.20.1\/24<\/em><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
          \"Verify
          Figure 3.5: Verify Sub interfaces<\/figcaption><\/figure>\n

          Semi-Advanced Security Policies<\/h2>\n

          Well, it’s not really advanced, but under Policies > Security<\/strong>, click Add<\/strong>.<\/p>\n

          \"Add
          Figure 3.6: Add a Security Policy<\/figcaption><\/figure>\n

          We will be making a policy to allow VLAN10<\/strong> and VLAN20<\/strong> into the Outside zone. We can do this by adding multiple zones under the source zone.<\/p>\n

          \"Security
          Figure 3.7: Security Policy Rule – Source Zone<\/figcaption><\/figure>\n

          Then click OK<\/strong>.<\/p>\n

          Semi-Advanced NAT Policies<\/h2>\n

          Still not really advanced. But under Policies > NAT<\/strong>, click Add<\/strong>.<\/p>\n

          \"Add
          Figure 3.8: Add a NAT Policy<\/figcaption><\/figure>\n

          We want to make a Static NAT policy for the Internet connectivity. But under the Original Packet tab, we can select multiple zones.<\/p>\n

          \"Select
          Figure 3.9: Select the Source Zone<\/figcaption><\/figure>\n

          Configure the rest for static NAT, then press OK<\/strong>.<\/p>\n

          \"SNAT
          Figure 3.10: SNAT Translated Packet Tab<\/figcaption><\/figure>\n

          Add a User<\/h2>\n

          Under Device > Local User Database > Users<\/strong>. Click Add<\/strong>.<\/p>\n

          \"Add
          Figure 3.11: Add Users<\/figcaption><\/figure>\n

          Create any user you want with a username and password. Here is an example:<\/p>\n

          \"Add
          Figure 3.12: Add a user xav<\/figcaption><\/figure>\n

          Then click OK<\/strong>.<\/p>\n

          Create an Authentication Profile<\/h2>\n

          Under Device > Authentication Profile<\/strong>, click Add<\/strong>.<\/p>\n

          \"Add
          Figure 3.13: Add an Authentication Profile<\/figcaption><\/figure>\n

          Under the Authentication tab, change the type to Local Database.<\/p>\n

          \"Select
          Figure 3.14: Select Local Database<\/figcaption><\/figure>\n

          Under the Advanced tab, add your user.<\/p>\n

          \"Add
          Figure 3.15: Add user xav as Allow List<\/figcaption><\/figure>\n

          Then press OK<\/strong>.<\/p>\n

          Configure the Captive Portal<\/h2>\n

          Under Device, User Identification in the Authentication Portal Settings tab, click the settings icon.<\/p>\n

          \"Authentication
          Figure 3.16: Authentication Portal Settings<\/figcaption><\/figure>\n

          Configure these settings:<\/p>\n\n\n\n\n\n\n
          Table 3.4: Authentication Portal Configuration<\/caption>\n
          Parameter<\/th>\nValue<\/th>\n<\/tr>\n
          Enable Authentication Portal<\/td>\nTick this box<\/em><\/td>\n<\/tr>\n
          Authentication Profile<\/td>\nSelect the one you created<\/em><\/td>\n<\/tr>\n
          Mode<\/td>\nTransparent<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
          \"Authentication
          Figure 3.17: Authentication Portal Settings – Select Transparent<\/figcaption><\/figure>\n

          Then press OK<\/strong>.<\/p>\n

          Under Network > Zones<\/strong>, click on the VLAN10 zone.<\/p>\n

          \"Select
          Figure 3.18: Select Vlan 10<\/figcaption><\/figure>\n

          In this window, we just want to tick the Enable User Identification<\/strong> checkbox.<\/p>\n

          \"Enable
          Figure 3.19: Enable User Identification<\/figcaption><\/figure>\n

          Then press OK<\/strong>.<\/p>\n

          Finally, under Policies > Authentication<\/strong>. Click Add<\/strong>.<\/p>\n

          \"Add
          Figure 3.20: Add an authentication Policy<\/figcaption><\/figure>\n

          Under the Source tab, add VLAN 10<\/strong> in the source zone.<\/p>\n

          \"Add
          Figure 3.21: Add the Source Zone<\/figcaption><\/figure>\n

          Under the Destination tab, add Outside in Destination Zone<\/strong>.<\/p>\n

          \"Add
          Figure 3.22: Add the Destination Zone<\/figcaption><\/figure>\n

          Under Actions, change the Authentication Enforcement setting, change it to default-web-form<\/strong>.<\/p>\n

          \"Select
          Figure 3.23: Select default-web-form<\/figcaption><\/figure>\n

          Then press OK<\/strong>.<\/p>\n

          Test VLANs and Captive Portal<\/h2>\n

          On the VLAN-20 webterm, navigate to any website. If all was right, the desired website should appear.<\/p>\n

          \"Verify
          Figure 3.24: Verify your configuration<\/figcaption><\/figure>\n

          On the VLAN-10 webterm, navigate to any website. If all was right, you should see a certificate error, accept this. Then you should see a login page.<\/p>\n

          \"Login
          Figure 3.25: Login Page<\/figcaption><\/figure>\n

          Enter your credentials and log in. If all was successful, you should see the website appear.<\/p>\n

          \"Verify
          Figure 3.26: Verify your configuration<\/figcaption><\/figure>\n","protected":false},"author":1572,"menu_order":1,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-125","chapter","type-chapter","status-publish","hentry"],"part":123,"_links":{"self":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/users\/1572"}],"version-history":[{"count":25,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/125\/revisions"}],"predecessor-version":[{"id":1223,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/125\/revisions\/1223"}],"part":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/parts\/123"}],"metadata":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/125\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/media?parent=125"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapter-type?post=125"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/contributor?post=125"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/license?post=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}