12p.no blog

Adding user interactive UID webportal for paloalto firewalls

Just adding authentication user identification functionallity on selfhosted webportal based on local active directory

BY NO MEANS SECURE, no input is sanitized…

ref: https://wp.12p.no/2022/05/13/alternative-to-captive-webportal/

First thing that is needed. php-ldap. I noticed it was not supported by php7, so i change php version to 8.x.

# a2dismod php7.x.x

# a2enmod php8.x.x

then

# apt install php-ldap

#service apache2 restart

then created a local website in my apache folder

index.php:

Then create an auth file:

The syslogip points to the syslog recieving interface of paloalto

domain points to the domain name

replace: ad.placebodome.local with your ADs FQDN.

The php-ldap function then tries to bind to the domain using the userprovided username and password. If binding fails the user is not authenticated.

If the binding is successfull a logger command is run to send a syslog message to the Paloalto firewall with username of user and the ipaddress for the requester/user.

As the previouse example: https://wp.12p.no/2022/05/13/alternative-to-captive-webportal/ using the syslog parser:

Voila, the user is populated in the same way as the original

raymond

Leave a Reply

Your email address will not be published. Required fields are marked *