Adding user interactive UID webportal for paloalto firewalls

Just adding authentication user identification functionallity on selfhosted webportal based on local active directory

BY NO MEANS SECURE, no input is sanitized…

ref: https://wp.12p.no/2022/05/13/alternative-to-captive-webportal/

First thing that is needed. php-ldap. I noticed it was not supported by php7, so i change php version to 8.x.

# a2dismod php7.x.x

# a2enmod php8.x.x


# apt install php-ldap

#service apache2 restart

then created a local website in my apache folder


Then create an auth file:

The syslogip points to the syslog recieving interface of paloalto

domain points to the domain name

replace: ad.placebodome.local with your ADs FQDN.

The php-ldap function then tries to bind to the domain using the userprovided username and password. If binding fails the user is not authenticated.

If the binding is successfull a logger command is run to send a syslog message to the Paloalto firewall with username of user and the ipaddress for the requester/user.

As the previouse example: https://wp.12p.no/2022/05/13/alternative-to-captive-webportal/ using the syslog parser:

Voila, the user is populated in the same way as the original

Alternative to captive webportal Palo Alto

The idiotic way to implement user identification when everything else fails.

You need:

GPO to push automaticly run powershell

A webserver, for example Apache

A syslog forwarder, for example rsyslog

And setup the Paloalto firewall as a User ID agent with syslog listener.

Plain and simple. Absolutely not secure, but until I bother with integrating user certificates as authentication for the requests this will do.

Powershell which runs every hour or minute on the clients

The webserver, a simple apache server hosted on an ubuntu box without any content

Install rsyslog if not installed

put the following in /etc/rsyslog.d/02-apache2.conf

Validate the config:

systemctl restart rsyslogd

On the paloalto, enable user-id syslog on the interface and lock the permitted address to the webserver sending the syslogs

add the uid profile to the interface:

Add the following syslog parser:

Setup the server monitor:

and the syslog parser profile.

And you’re good to go. Not secure, but it works as a simple solution

Trip to Bølgekraftverket

Took a sponatious trip to Bølgekraftverket located in Toft, Rong. https://www.google.com/maps/place/B%C3%B8lgekraftverket/@60.4699557,4.9247579,15z/data=!4m2!3m1!1s0x0:0x9092354b5b6cc1c0?sa=X&ved=2ahUKEwiG3YrHms_xAhXql4sKHTVsDIYQ_BIwGHoECEAQBQ

Took a few photos. Fun to take photos again.