topic Re: Prevent bypassing captive portal? in Next-Generation Firewall Discussions

Prevent bypassing captive portal?

OGMaverick — Tue, 26 Nov 2024 22:14:44 GMT

We are in an environment where we have captive portal (with MS SSO) but users are able to get around the authentication redirects via VPN.

We'd like to ensure that the only traffic that is allowed by unauthenticated users on this network is traffic that is redirected to captive portal and cannot be bypassed.

Would we just be looking at placing 2 rules higher up

1 - Desired network + unknown user + web-browsing = allowed

2 - Desired network + unknown user + all = block

Re: Prevent bypassing captive portal?

OtakarKlier — Wed, 27 Nov 2024 18:14:26 GMT

Hello,

Not sure on the answer, however the captive portal is used for User-ID to IP mapping. If the PAN already knows the mapping, it will not prompt the user for a captive portal.

I used to have an environment where I used USER-ID on all my policies, and if the users didnt have a mapping, they got a very restrictive URL filtering policy applied to them. This was done by security policies however.

Hope this helps.

Re: Prevent bypassing captive portal?

OGMaverick — Wed, 27 Nov 2024 18:22:28 GMT

Thanks, I do know that and it's only being applied to unknown users. They do currently hit a restrictive URL policy as well when unknown, but this does not stop them from being able to bypass captive portal as that only applies to HTTP(S). Going to give the 2 rules a try to ensure only HTTP is allowed until the user is known, which should be enough to ensure only captive portal can trigger without other traffic.

Re: Prevent bypassing captive portal?

OtakarKlier — Wed, 27 Nov 2024 19:16:26 GMT

Hello,

You could put in another policy that blocks traffic not related to http(s) and DNS since its required for those unknown users.

Just a thought.