Captive Portal Setup

Prerequisites and Assumptions

This Captive Portal configuration assumes:

  1. The Palo Alto Networks device has been set up with at least two security zones (in this example, the two zones are 'Internal' and 'Sandbox', the latter being the protected resource), and a security policy has been created between the two zones.
  2. The GridGuard Server (virtual appliance) has been set up and configured with a working RADIUS realm (as defined in the previous chapter).
  3. CORS has been enabled for the Palo Alto<->GridGuard server JavaScript communication.

Interface Management Setup

To allow the user to log in to the Captive Portal, the user-facing interface must be configured to allow certain protocols and options. These settings are found under Network -> Network Profiles -> Interface Mgmt.

  1. Make sure that, at a minimum, HTTP is checked.
  2. Response Pages MUST be checked in order to render the Captive Portal to the user.
  3. User-ID must also be checked in order to allow proper User-ID mappings.

Interface Setup

Captive Portal Settings

  1. On the Device -> User Identification -> Captive Portal Settings page, enable Captive Portal.
  2. Set the Authentication Profile to the same one used in Radius Setup, in this case 'GridRadius'.
  3. Select 'Redirect' as the mode.
  4. Make sure to set the Redirect Host to the IP address of the user-accessible interface of the Palo Alto device.
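
The Interface Management and Captive Portal settings above can be checked against an exported configuration before committing. The script below is an added example, not part of the original guide or of either vendor's tooling; the XML element names, the profile name 'user-facing' and the address 192.0.2.1 are assumptions in a constructed sample and must be adjusted to match a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names are assumptions about
# the layout of an exported running config; adjust them to match your export.
SAMPLE_CONFIG = """
<config>
  <network><profiles><interface-management-profile>
    <entry name="user-facing">
      <http>yes</http>
      <response-pages>yes</response-pages>
      <userid-service>no</userid-service>
    </entry>
  </interface-management-profile></profiles></network>
  <captive-portal>
    <enable-captive-portal>yes</enable-captive-portal>
    <authentication-profile>GridRadius</authentication-profile>
    <mode><redirect><address>192.0.2.1</address></redirect></mode>
  </captive-portal>
</config>
"""

def check_captive_portal(xml_text, mgmt_profile, auth_profile):
    """Return a list of findings; an empty list means every setting matched."""
    root = ET.fromstring(xml_text)
    findings = []
    entry = root.find(f".//interface-management-profile/entry[@name='{mgmt_profile}']")
    if entry is None:
        return [f"interface management profile '{mgmt_profile}' not found"]
    # Steps from "Interface Management Setup": HTTP, Response Pages, User-ID.
    for tag in ("http", "response-pages", "userid-service"):
        if entry.findtext(tag, default="no").strip() != "yes":
            findings.append(f"{mgmt_profile}: {tag} is not enabled")
    portal = root.find(".//captive-portal")
    if portal is None:
        return findings + ["captive-portal section not found"]
    # Steps from "Captive Portal Settings": enabled, profile, mode, host.
    if portal.findtext("enable-captive-portal", default="no").strip() != "yes":
        findings.append("captive portal is not enabled")
    if portal.findtext("authentication-profile", default="").strip() != auth_profile:
        findings.append(f"authentication profile is not '{auth_profile}'")
    redirect = portal.find("mode/redirect")
    if redirect is None:
        findings.append("mode is not 'redirect'")
    elif not redirect.findtext("address", default="").strip():
        findings.append("redirect host is empty")
    return findings

if __name__ == "__main__":
    for finding in check_captive_portal(SAMPLE_CONFIG, "user-facing", "GridRadius"):
        print("FINDING:", finding)
```

The constructed sample leaves User-ID unchecked on purpose, so the script reports that one finding.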

Security Policy

Commit All Changes

  1. Commit and save all changes.