topic Re: Avoiding Certificate Error With Captive Portal in General Topics

Avoiding Certificate Error With Captive Portal

kevin.shain — Mon, 26 Jul 2010 22:01:01 GMT

I was able to get Captive Portal setup successfully, but is there a way to prevent IE from complaining about a certificate error to get to the captive portal? I probably won't be able to use it because of this error, it would be too confusing to some of my users.

Thanks for any help.

Re: Avoiding Certificate Error With Captive Portal

mjacobsen — Mon, 26 Jul 2010 22:05:55 GMT

You will need to switch to redirect mode to remove the browser warnings. This allows the device to forward the browser to an interface IP address that will have a matching certificate and then, once properly authenticated, it will forward them back to the originally desired destination.

https://live.paloaltonetworks.com/docs/DOC-1516

Mike

Re: Avoiding Certificate Error With Captive Portal

kevin.shain — Mon, 26 Jul 2010 22:26:04 GMT

I switched to redirect mode to 10.2.0.1, which is one of my L3 interfaces and I still receive a certificate error -- I've tried both a self generated certificate and using that Server Certificate and just leaving the Server Certificate blank.

I am seeing this in IE8, I don't have any other browsers installed on the machine I am testing with.

Any thing else I can try?

Re: Avoiding Certificate Error With Captive Portal

mjacobsen — Tue, 27 Jul 2010 15:21:08 GMT

In order to eliminate the errors you will need to install a cert that matches the IP address of the interface. Otherwise, the browser will still give certificate warnings.

Mike

Re: Avoiding Certificate Error With Captive Portal

kevin.shain — Thu, 29 Jul 2010 00:21:16 GMT

I did that. Problem is that IE8 doesn't like the fact that it is a self-generated certificate, guess I am out of luck unless I want to purchase a certificate.

Re: Avoiding Certificate Error With Captive Portal

mjacobsen — Thu, 29 Jul 2010 04:19:56 GMT

You don't necessarily need to purchase a cert, but you do need it to be a cert signed by a CA that your browsers trust. If you have a CA in place for creating certs for internal services, the same could be used for this. Alternatively, you could create a CA and tell your browsers to trust certs signed by it.

Mike

Re: Avoiding Certificate Error With Captive Portal

mindterra — Fri, 03 Dec 2010 04:00:50 GMT

PAM OS: 3.1.6

I use IE browser 8 for captvie portal but IE get cert very slowly. If I use firefox, It is OK.

Has captvie portal problems with IE 8?

Thank You

Re: Avoiding Certificate Error With Captive Portal

bpappas — Fri, 03 Dec 2010 15:59:15 GMT

If you are using a self-signed certificate with Captive Portal and IE8 you will see slow page load times.

This is a browser issue. One way that you can solve this problem is by putting a valid cert on the Captive Portal and using redirect mode for Captive Portal.

Re: Avoiding Certificate Error With Captive Portal

mindterra — Mon, 06 Dec 2010 01:26:10 GMT

For IE8, I found a problem. IE8 can not trust valid cert but other browser as Firefox can trust cert.

Have you ever found this issue? How solved?

Thank You

Re: Avoiding Certificate Error With Captive Portal

bpappas — Mon, 06 Dec 2010 14:57:32 GMT

When you say "IE 8 cannot trust a valid cert" what does that mean exactly?

Public CA or Internal CA?

certificate details? (format, key length, etc etc)

What error(s)/symptom(s) does IE 8 display?

Re: Avoiding Certificate Error With Captive Portal

mindterra — Wed, 15 Dec 2010 07:53:31 GMT

IE 8 display as ie_cp_error.jpg

Re: Avoiding Certificate Error With Captive Portal

mindterra — Fri, 17 Dec 2010 08:07:36 GMT

If I use redirect mode for Captive Portal, NTLM required for CP or not.

I am using Radius authentication.

What a way for captive portal does without NTLM but Radius only?

Re: Avoiding Certificate Error With Captive Portal

James — Fri, 17 Dec 2010 09:11:54 GMT

Hi There,

You can just select an authentication profile, that you will have created for RADIUS. This will allow Captive Portal to work with RADIUS and not NTLM - you need not select the User ID Agent in this case (you can leave it blank).

Thanks

James

Re: Avoiding Certificate Error With Captive Portal

kkeeton — Wed, 24 Aug 2011 18:27:57 GMT

it should be of note that older browsers you could do this (redirect with a self signed) and there was no issue.

example if you take firefox 3 and try this it works with no errors.

however newer browsers wont allow a self signed certificate they will show errors, this is something that the browser manuifacture's have chosen to do to prevent macicious behavior. to "undo this feature" you would have to contact your browser manuifacture or google around for a way to defete this "protection" should you want to use a self signed cert....

ideally your not using a self signed certificate for this behavior as your complications go beyond firefox and IE ...aka BlackBerry Chrome Safari etc all of which will be enabling protection like this..