topic Re: Not working captive portal in https in General Topics

Not working captive portal in https

soporteseguridad — Thu, 18 Feb 2016 15:46:35 GMT

Users report me problems, when they launch web-browser with a website in https, captive portal is not shown and they can not surf on internet, but if they go into http website the captive portal is working. why is not being showed the captive portal in https webs?

Re: Not working captive portal in https

lewis — Thu, 18 Feb 2016 16:04:48 GMT

you need to do ssl decryption to have it work on https

Re: Not working captive portal in https

soporteseguridad — Thu, 18 Feb 2016 16:54:47 GMT

Do you have any example about how to configure decryptssl for https captive prtal?

Re: Not working captive portal in https

pankaku — Thu, 18 Feb 2016 17:06:34 GMT

Decryption is not specific for captive portal but it is for all kind of traffic passing through the firewall. Check the following document. You can prevent some traffic from being decrypted by creating a no decrypt rule.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719

Re: Not working captive portal in https

lewis — Thu, 18 Feb 2016 17:44:12 GMT

this document may be of use too

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Serve-a-URL-Response-Page-Over-an-HTTPS-Session-Without/ta-p/55998

Re: Not working captive portal in https

pankaku — Thu, 18 Feb 2016 17:59:40 GMT

Lewis,

I was thinking of that doc but was not sure if it will work or not.

Regards,

Pankaj Kumar

Re: Not working captive portal in https

soporteseguridad — Fri, 19 Feb 2016 10:44:19 GMT

Yes but im not sure about how is the policy that i should create in SSLDEcrypt.

Any / any decrypt?? which filter?? app ssl? this happends with all https webs...

Re: Not working captive portal in https

reaper — Fri, 19 Feb 2016 10:58:16 GMT

For SSL sites to work properly in captive portal you should have decryption enabled and will need to have the captive portal set to redirect to a dataplane interface, preferably using a hostname that can be resolved internally and a certificate for that hostname

ssl decryption policy would ideally be any any 443 decrypt BUT if this is undesirable you could work with a certain URL category destination which could be a custom category with a URL each user needs to visit before being allowed to browse out, or 'obvious' categories for the first page in most people's browsers like 'search-engine' or 'news'

Re: Not working captive portal in https

santonic — Fri, 19 Feb 2016 11:10:26 GMT

From LAN/trust to Internet/untrust port 443, ssl app. Maybe start with single destination webpage and when that one works apply decrypt rule for all. Avoid decrypting banking, health URLs... with no-decrypt rule above the general rule.

Re: Not working captive portal in https

soporteseguridad — Fri, 19 Feb 2016 13:55:25 GMT

Its weird, because i dont have this problem and i dont have a SSL decrypt policy in my Palto.

For example, if users go to http://www.google.es the captive portal is showed and they can log in. However, if they go to https://www.google.es nothing is showed and they can not logging (the page shows nothing).

Re: Not working captive portal in https

lewis — Fri, 19 Feb 2016 14:26:08 GMT

this is why you need ssl decryption in order to deliver the captive portal page or https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Serve-a-URL-Response-Page-Over-an-HTTPS-Session-Without/ta-p/55998

Re: Not working captive portal in https

lewis — Fri, 19 Feb 2016 14:32:43 GMT

pankaj.kumar we have used this method to deliver reponse pages in the past but not captive portal specifically. I suspect it would work fine. We had to turn it off as it impacted one of our backend systems in unique situations that required an expensive upgrade on this backend system we were not willing to pay for at this time (nothing Palo Alto was doing wrong). However, delivering a response page without ssl decryption did work great. When users went to blocked categories on https it allowed them to get response page vs the white screen.