Client OS: Windows 7
Client Browser: Google Chrome 21.0.1180.89
I have PAN running with CaptivePortal (Public Certificate with AD Auth profile). Everything works fine when I use Firefox, Chrome and IE (in the case of IE, except for the small hitch discussed here in this forum when running on Windows 7). I am prompted to authenticate via the WebForm without any certificate warning, etc. However, when I try gmail.com in Chrome (and it happens only in Chrome), it simply takes me through and lets me log in to Gmail and do whatever I want to. It's true for certain other Google Apps services (like Chrome WebStore, Google Analytics etc.) too. CaptivePortal is running in Redirect mode on the Trust interface (L3).
Any thoughts please?
CP Rule is
from Trust VLAN 20 -> to Untrust any any services http/https/ftp captive-portal
from Trust Any -> to Untrust any any services http/https/ftp no-captive-portal
Security Rule is
From Trust Any Any to Untrust Any Any DENY p2p-apps No-Profiles
From Trust Any Any to Untrust Any Any ALLOW Any Profiles
I have done some more tweaking, further to my earlier post mentioning the CP and Security rules which you asked for. As an update to that, I have created a top rule blocking ALL applications from Trust to Untrust for 'Unknown' users. This now helps me block all traffic unless properly authenticated with CaptivePortal. However, interestingly, if I now launch the Chrome browser and try accessing Gmail or a similar Google Apps service, the browser simply does NOT take me anywhere, not even to the captive portal. Again, if I access some other site, I am then prompted with the CP, authenticate myself and everything goes smoothly.
So it looks like it has something to do with the way Chrome initiates its session with Google services???
Your rule "from Trust VLAN 20 -> to Untrust any any services http/https/ftp captive-portal" will be ignored on SSL (HTTPS) if you don't have SSL Decryption enabled.
I did that before. But if I do enable it, then I run into warning page problems as I don't have an internal CA.
But again, if what you said is the case, why is it that other browsers (FF and IE) are taking me to the CP when I access the same Gmail services?
The very first connection of your browser is the one that counts: is it possible that you open HTTP instead of HTTPS with Chrome while not with IE and FF?
In my company, Chrome defaults to connecting to Google with HTTPS.
If you take a Wireshark trace (one for each browser) you will see what kind of connection each browser is making.
For SSL Decryption: yes, you get errors if you don't invest a lot of time to set it up properly.
OK, I changed the rule "from Trust VLAN 20 -> to Untrust any any services http/https/ftp captive-portal" to a new rule as below:
from Trust VLAN 20 -> to Untrust any any services ANY captive-portal
I also enabled SSL Decrypt now, and the situation is that it (Chrome) still does not take me to the CP page; instead it takes me to the certificate warning page, which means my SSL Decrypt rule is in place. But as before, all other browsers get me to the CP.
If other browsers aren't complaining about certificates, it means that they aren't affected by the SSL decryption rule (so they aren't using HTTPS?)
Again, I think that if you want to make sure, you should get 1 Wireshark network capture for each browser, you will get a quick and 100% sure answer.
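Added example (not part of the original thread): a Python sketch of the check the replies suggest doing with a Wireshark capture, classifying the first client payload of a connection as plaintext HTTP or a TLS ClientHello and pulling out the Host header or SNI name. The function names and hostnames are assumptions, and the ClientHello is constructed for the demo.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

def sni_from_client_hello(rec: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None."""
    pos = 5 + 4 + 2 + 32                                # record hdr, handshake hdr, version, random
    pos += 1 + rec[pos]                                 # session_id
    pos += 2 + struct.unpack_from("!H", rec, pos)[0]    # cipher_suites
    pos += 1 + rec[pos]                                 # compression_methods
    end = pos + 2 + struct.unpack_from("!H", rec, pos)[0]
    pos += 2
    while pos + 4 <= min(end, len(rec)):
        ext_type, ext_len = struct.unpack_from("!HH", rec, pos)
        pos += 4
        if ext_type == 0:                               # server_name extension
            name_len = struct.unpack_from("!H", rec, pos + 3)[0]
            return rec[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None

def classify_first_bytes(payload: bytes):
    """Return (kind, host) for the first client bytes of a TCP connection."""
    if payload.startswith(HTTP_METHODS):
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                return ("http", line[5:].strip().decode("ascii", "replace"))
        return ("http", None)
    if len(payload) > 5 and payload[0] == 0x16 and payload[1] == 3 and payload[5] == 1:
        try:
            return ("tls", sni_from_client_hello(payload))
        except (IndexError, struct.error):              # truncated or malformed hello
            return ("tls", None)
    return ("other", None)

def build_client_hello(host: str) -> bytes:
    """Constructed sample: minimal ClientHello carrying only an SNI extension."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(classify_first_bytes(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))
    print(classify_first_bytes(build_client_hello("mail.example.com")))
```

Feed it the first client-to-server TCP payload from each browser's capture; going by the reply above, a `tls` result is the case where the captive-portal rule is ignored unless SSL decryption is enabled.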