Chrome Bypassing Captive Portal for Google Services

Reply
Highlighted
L1 Bithead

Chrome Bypassing Captive Portal for Google Services

Hi,

PANOS 4.1.6

Client OS: Windows 7

Client Browser: Google Chrome 21.0.1180.89

I have PAN running with CaptivePortal (Public Certificate with AD Auth profile). Everything works fine when I use Firefox, Chrome and IE (in the case of IE except for the small hitch discussed here in this forum when running on Windows7). I am prompted to Authenticate WebForm without any certificate warning etc etc. How ever when I try gmail.com in chrome (and only in chrome it happens), it simply takes me through and lets me login to gmail and do what ever I want to. Its true for certain other google Apps services ( like Chrome WebStore, Google Analytics etc) too. CaptivePortal is running on Redirect mode on the Trust Interface (l3)

Any thoughts please?

Cheers.

L4 Transporter

Re: Chrome Bypassing Captive Portal for Google Services

What's your captive portal policy and security policy look like?

L1 Bithead

Re: Chrome Bypassing Captive Portal for Google Services

Hi,

CP Rule is

from Trust VLAN 20    -> to Untrust any      any      services http/https/ftp      captive-portal

from Trust Any           -> to Untrust any      any      services http/https/ftp      no-captive-portal

Security Rule is

From Trust Any Any to Untrust Any Any DENY p2p-apps  No-Profiles

From Trust Any Any to Untrust Any Any ALLOW Any       Profiles

Thanks

L4 Transporter

Re: Chrome Bypassing Captive Portal for Google Services

Did you enable SSL Decryption ? If not, when HTTPS is used, CaptivePortal will be ignored

L1 Bithead

Re: Chrome Bypassing Captive Portal for Google Services

Hello umphmharding,


I have done some more tweaking to see to it further to my earlier post mentioning CP and Security rules which you asked for. Now as an update to that, what I have done is created a top rule blocking ALL applications from Trust to Untrust for 'Unknown' users. This now helps me block all traffic unless properly authenticated with CaptivePortal. How ever interestingly if now Chrome Browser is launched and try accessing gmail or similar google Apps service,  browser simply does NOT take me anywhere neither to captive portal. Again if I access some other site and then I am promped with CP, authenticate myself and everything goes smooth.


So looks like something got to do the way chrome intiates its session with Google services???


Thanks


L4 Transporter

Re: Chrome Bypassing Captive Portal for Google Services

Your rule "from Trust VLAN 20    -> to Untrust any      any      services http/https/ftp      captive-portal" will be ignored on SSL (HTTPS) if you don't have SSL Decryption enabled.

L1 Bithead

Re: Chrome Bypassing Captive Portal for Google Services

I did that before. But if I do enable it, then I run to warning page problems as I dont have an internal CA.

But again if what you said is the case, why is that other browsers (FF and IE) taking me to CP when I access the same gmail services?

Thanks

L4 Transporter

Re: Chrome Bypassing Captive Portal for Google Services

The very first connection of your browser of the one that counts : is it possible that you open HTTP instead of HTTPS with Chrome while not with IE and FF ?

In my company, Chrome defaults connection Google with HTTPS .

If you take a Wireshark trace (1 for each browser) you will see what kind of connection is doing each browser.

For SSL Decryption : yes get errors if you don't invest a lot of time to set it up propely.

L1 Bithead

Re: Chrome Bypassing Captive Portal for Google Services

OK, I change the rule to from Trust VLAN 20    -> to Untrust any      any      services http/https/ftp      captive-portal" to a new rule as below


from Trust VLAN 20    -> to Untrust any      any      services  ANY      captive-portal"


I also enabled SSL Decrypt now and the situation is that it (chrome) still does not take me to the CP page, instead takes to the certificate warning page, which means my SSL Decrypt rule is in place. But as before, all other browsers gets be to the CP.

L4 Transporter

Re: Chrome Bypassing Captive Portal for Google Services

If other browsers aren't complaining about Certificates, it means that they aren't being concerned by SSL decryption rule (so they aren't using HTTPS?)

Again, I think that if you want to make sure, you should get 1 Wireshark network capture for each browser, you will get a quick and 100% sure answer.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!