Our Captive Portal is configured to authenticate according to an LDAP-based "authentication sequence" (LDAP-Local-Auth).
We set 4 different AD servers from different offices, as per below.
Captive Portal can authenticate only for the first 2 servers... When users from AD-MEX try to authenticate they receive this page.
At Monitor > System we can see they are correctly authenticated... but Captive Portal waits for only 2 tries... 1st and 2nd options...
The example below shows a user from Mexico (3rd AD server in the auth sequence)...
- 1st try he got deny (1st AD server... OK) - 6:20 PM
- 2nd try he got deny (2nd AD server from Colombia... OK, deny expected) - 6:20 PM
- then Captive Portal blocks the access without waiting for the 3rd try (AD Mexico) - 6:20 PM
- 3rd try he got ALLOW... but CP had already blocked the access... - 6:21 PM
Any help on that?
I think this is caused by the l3 service timeout. By default, that timeout is 3 seconds. Try using the following command to increase that timeout value. You may have to modify the value some until you get the results you are looking for.
> set deviceconfig setting l3-service timeout 10
Can you move the third profile to first in the list, and try Captive Portal? If it works, then it's a sequence/timeout issue.
If it doesn't work, then it's something to do with config/authentication. It appears to be the easiest step now.
Thanks for all replies and help!! Really appreciated.
I did the suggested command as per above... (set deviceconfig setting l3-service timeout 10)
But it seems that didn't work... I changed the order, put the Europe AD in 2nd place, but that didn't work as well... despite the fact that I see auth success at Monitor > System logs.
New sequence order
I tried to log in w/ a user from the Europe domain (AD-FRA)... same behavior.
I don't understand why PA doesn't check the domain... I mean, even if I use e.g. europe\user it still tries to authenticate at other domains... PA should authenticate w/ the europe domain... right? Looks like it doesn't care about the "domain\"...
Another screenshot might be helpful... sometimes I receive this error message...
Any other suggestion?
Thank you very much guys!
That is working!!!!
I have changed to 30 seconds!!
Now I can log in w/ anyone... from all ADs!!!!