{"id":416,"date":"2022-05-13T16:34:27","date_gmt":"2022-05-13T14:34:27","guid":{"rendered":"http:\/\/wp.12p.no\/?p=416"},"modified":"2022-05-13T16:34:27","modified_gmt":"2022-05-13T14:34:27","slug":"alternative-to-captive-webportal","status":"publish","type":"post","link":"https:\/\/12p.no\/wp\/?p=416","title":{"rendered":"Alternative to captive webportal Palo Alto"},"content":{"rendered":"\n<p><strong>The idiotic way to implement user identification when everything else fails.<\/strong><\/p>\n\n\n\n<p>You need:<\/p>\n\n\n\n<p>A GPO to push an automatically run PowerShell script<\/p>\n\n\n\n<p>A webserver, for example Apache<\/p>\n\n\n\n<p>A syslog forwarder, for example rsyslog<\/p>\n\n\n\n<p>And set up the Palo Alto firewall as a User-ID agent with a syslog listener.<\/p>\n\n\n\n<p>Plain and simple. Absolutely not secure, but until I bother with integrating user certificates as authentication for the requests this will do.<\/p>\n\n\n\n<p>The PowerShell script, which runs every hour or minute on the clients:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image.png\"><img decoding=\"async\" src=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-1024x244.png\" alt=\"\" class=\"wp-image-417\"\/><\/a><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>The webserver, a simple Apache server hosted on an Ubuntu box without any content<\/p><cite><br>Install rsyslog if not installed<\/cite><\/blockquote>\n\n\n\n<p>Put the following in \/etc\/rsyslog.d\/02-apache2.conf:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-1.png\"><img decoding=\"async\" src=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-1.png\" alt=\"\" class=\"wp-image-418\"\/><\/a><\/figure>\n\n\n\n<p>Validate the config:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a 
href=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-8.png\"><img decoding=\"async\" src=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-8.png\" alt=\"\" class=\"wp-image-426\"\/><\/a><\/figure>\n\n\n\n<p>systemctl restart rsyslog<\/p>\n\n\n\n<p>On the Palo Alto, enable User-ID syslog on the interface and lock the permitted address to the webserver sending the syslogs:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-3.png\"><img decoding=\"async\" src=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-3-1024x127.png\" alt=\"\" class=\"wp-image-420\"\/><\/a><\/figure>\n\n\n\n<p>Add the UID profile to the interface:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-4.png\"><img decoding=\"async\" src=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-4.png\" alt=\"\" class=\"wp-image-421\"\/><\/a><\/figure>\n\n\n\n<p>Add the following syslog parser:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-5.png\"><img decoding=\"async\" src=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-5.png\" alt=\"\" class=\"wp-image-422\"\/><\/a><\/figure>\n\n\n\n<p>Set up the server monitor:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-6.png\"><img decoding=\"async\" src=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-6.png\" alt=\"\" class=\"wp-image-423\"\/><\/a><\/figure>\n\n\n\n<p>and the syslog parser profile.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-2.png\"><img decoding=\"async\" src=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-2.png\" alt=\"\" class=\"wp-image-419\"\/><\/a><\/figure>\n\n\n\n<p>And you&#8217;re good to 
go. Not secure, but it works as a simple solution.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-7.png\"><img decoding=\"async\" src=\"https:\/\/wp.12p.no\/wp-content\/uploads\/2022\/05\/image-7.png\" alt=\"\" class=\"wp-image-424\"\/><\/a><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The idiotic way to implement user identification when everything else fails. You need: A GPO to push an automatically run PowerShell script A webserver, for example Apache A syslog forwarder, for example rsyslog And set up the Palo Alto firewall as a User-ID agent with a syslog listener. Plain and simple. Absolutely not secure, but until I bother with integrating [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-416","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/posts\/416","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=416"}],"version-history":[{"count":0,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/posts\/416\/revisions"}],"wp:attachment":[{"href":"https:\/\/12p.no\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=416"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/12p.
no\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=416"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}