08-05-2013 05:26 PM
Hi there
We've just enabled Captive Portal for all of our users but I'm getting a small number of users who are simply not being redirected to the captive portal to authenticate. I've noticed that Safari on Mac is a common theme but there are a number of PC users with the same problem.
I have a small selection of trusted IP addresses which do not require CP authentication, then the final rule is from Internal to External zones, any address, any service and the action is "web-form".
I had a rule which blocked unknown users from passing from Internal zone to External but I've since disabled that to allow these users access.
Any idea where I should start looking?
08-05-2013 08:37 PM
For the unknown users are you allwoing dns application.
you can also refer the following docs:-
08-05-2013 05:44 PM
How does the session look like for ex:-
show session all filter source (source in question)
then do a show session id (id) and look to see if it shows captive portal session : True.
You can also turn on debug for captive portal by using the command:- debug l3svc on debug and look for logs
08-05-2013 06:57 PM
admin@PA-2050> show session all filter source 172.16.2.197
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[P
ort])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
257470 unknown-tcp DISCARD FLOW NS 172.16.2.197[55125]/Internal/6 (111.6
9.54.114[54460])
vsys1 157.56.52.31[80]/External (157.56.52.
31[80])
63943 web-browsing ACTIVE FLOW NS 172.16.2.197[55093]/Internal/6 (111.6
9.54.114[37594])
vsys1 72.167.18.238[80]/External (72.167.18
.238[80])
117473 web-browsing ACTIVE FLOW NS 172.16.2.197[55097]/Internal/6 (111.6
9.54.114[41613])
vsys1 72.167.18.238[80]/External (72.167.18
.238[80])
32076 skype DISCARD FLOW NS 172.16.2.197[55106]/Internal/6 (111.6
9.54.114[59521])
vsys1 111.221.74.29[40045]/External (111.22
1.74.29[40045])
46227 ocsp ACTIVE FLOW NS 172.16.2.197[55100]/Internal/6 (111.6
admin@PA-2050> show session id 117473
Session 117473
c2s flow:
source: 172.16.2.197 [Internal]
dst: 72.167.18.238
proto: 6
sport: 55097 dport: 80
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 72.167.18.238 [External]
dst: 111.69.54.114
proto: 6
sport: 80 dport: 41613
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Tue Aug 6 13:54:25 2013
timeout : 60 sec
total byte count(c2s) : 581
total byte count(s2c) : 134
layer7 packet count(c2s) : 6
layer7 packet count(s2c) : 2
vsys : vsys1
application : web-browsing
rule : Block Unknown
session to be logged at end : False
session in session ager : False
session synced from HA peer : False
address/port translation : source + destination
nat-rule : Outbound Snap(vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : business-and-economy
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/1
egress interface : ethernet1/2
session QoS rule : N/A (class 4)
Interestingly that's showing as not being a captive portal session but I'm not quite sure why. It should be.
08-05-2013 08:37 PM
For the unknown users are you allwoing dns application.
you can also refer the following docs:-
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
