<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Delay with User-ID and Captive Portal in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/delay-with-user-id-and-captive-portal/m-p/32383#M23732</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Amjad,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;OK, as I said, I haven't used the captive portal yet, but the point still remains; in fact, that document you linked to shows the problem.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I can see that logs have been written before the user is resolved, so that's after the security policy has been processed.&amp;nbsp; As the captive portal rules are run earlier than that, it is even more likely that the user won't have propagated to the database, so authenticated users will get prompted with the captive portal.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 15 May 2015 15:49:45 GMT</pubDate>
    <dc:creator>djr</dc:creator>
    <dc:date>2015-05-15T15:49:45Z</dc:date>
    <item>
      <title>Delay with User-ID and Captive Portal</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/delay-with-user-id-and-captive-portal/m-p/32381#M23730</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is only theoretical for me as I don't use captive portal (yet) but I noticed a problem.&amp;nbsp; I am successfully authenticating pretty much all my users, but quite often I see a few flows at the start of a user session which don't have a user-id.&amp;nbsp; A few milliseconds later the user-id is populated, so I guess this is just down to a slight delay between the first packets hitting the firewall and the user-id coming up with an answer.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is no big deal but it made me think if I did have a captive portal to identify all unknown users, a domain-authenticated user would still find themselves presented with a captive portal login page if they fire off an HTTP request very early on in their session.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is this a known behaviour?&amp;nbsp; It seems like a bit of an issue to me.&amp;nbsp; I know my users would moan about it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;&lt;P&gt;David&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 14 May 2015 14:36:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/delay-with-user-id-and-captive-portal/m-p/32381#M23730</guid>
      <dc:creator>djr</dc:creator>
      <dc:date>2015-05-14T14:36:49Z</dc:date>
    </item>
    <item>
      <title>Re: Delay with User-ID and Captive Portal</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/delay-with-user-id-and-captive-portal/m-p/32382#M23731</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello David&lt;/P&gt;&lt;P&gt;Please check this &lt;A href="https://live.paloaltonetworks.com/docs/DOC-1628"&gt;Packet Flow in PAN-OS&lt;/A&gt;&lt;/P&gt;&lt;OL start="0" style="list-style-type: none;"&gt;&lt;LI&gt;a captive portal rule lookup is checked to see if the packet is subject to captive portal authentication. If captive portal is applicable, the packet is redirected to the captive portal daemon&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is done prior to security policy lookup. Hope this answered your question.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Amjad&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 15 May 2015 14:55:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/delay-with-user-id-and-captive-portal/m-p/32382#M23731</guid>
      <dc:creator>aabdelhali</dc:creator>
      <dc:date>2015-05-15T14:55:58Z</dc:date>
    </item>
    <item>
      <title>Re: Delay with User-ID and Captive Portal</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/delay-with-user-id-and-captive-portal/m-p/32383#M23732</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Amjad,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;OK, as I said, I haven't used the captive portal yet, but the point still remains; in fact, that document you linked to shows the problem.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I can see that logs have been written before the user is resolved, so that's after the security policy has been processed.&amp;nbsp; As the captive portal rules are run earlier than that, it is even more likely that the user won't have propagated to the database, so authenticated users will get prompted with the captive portal.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 15 May 2015 15:49:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/delay-with-user-id-and-captive-portal/m-p/32383#M23732</guid>
      <dc:creator>djr</dc:creator>
      <dc:date>2015-05-15T15:49:45Z</dc:date>
    </item>
    <item>
      <title>Re: Delay with User-ID and Captive Portal</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/delay-with-user-id-and-captive-portal/m-p/32384#M23733</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;David&lt;/P&gt;&lt;P&gt;This will depend on how your firewall learns the IP-User mapping. For example, if you use UIA, I don't expect this will happen because the agent is fast enough to learn the information from AD, and also the Windows OS takes some time to load all services and startup programs when the user logs in (I guess at least 10 seconds) before the user is able to open an internet browser. But if you use other methods, for example GP client, I guess yea because GP will take some time to connect and firewall to learn the mapping.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Amjad&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 15 May 2015 16:01:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/delay-with-user-id-and-captive-portal/m-p/32384#M23733</guid>
      <dc:creator>aabdelhali</dc:creator>
      <dc:date>2015-05-15T16:01:44Z</dc:date>
    </item>
  </channel>
</rss>

