Delay with User-ID and Captive Portal

djr
L3 Networker

Delay with User-ID and Captive Portal

HI,

This is only theoretical for me as I don't use captive portal (yet), but I noticed a problem. I am successfully authenticating pretty much all my users, but quite often I see a few flows at the start of a user session which don't have a user-id. A few milliseconds later the user-id is populated, so I guess this is just down to a slight delay between the first packets hitting the firewall and the user-id coming up with an answer.

This is no big deal, but it made me think: if I did have a captive portal to identify all unknown users, a domain-authenticated user would still find themselves presented with a captive portal login page if they fire off an HTTP request very early on in their session.

Is this a known behaviour? It seems like a bit of an issue to me. I know my users would moan about it.

Cheers

David

L4 Transporter

Re: Delay with User-ID and Captive Portal

Hello David

Please check this Packet Flow in PAN-OS

  1. A captive portal rule lookup is checked to see if the packet is subject to captive portal authentication. If captive portal is applicable, the packet is redirected to the captive portal daemon.

This is done prior to security policy lookup. Hope this answered your question.

Amjad

djr
L3 Networker

Re: Delay with User-ID and Captive Portal

Hi Amjad,

OK, as I said, I haven't used the captive portal yet, but the point still remains; in fact the document you linked to shows the problem.

I can see that logs have been written before the user is resolved, so that's after the security policy has been processed. As the captive portal rules are run earlier than that, it is even more likely that the user won't have propagated to the database, so authenticated users will get prompted with the captive portal.

L4 Transporter

Re: Delay with User-ID and Captive Portal

David

This will depend on how your firewall learns the IP-User mapping. For example, if you use UIA, I don't expect this will happen because the agent is fast enough to learn the information from AD, and also the Windows OS takes some time to load all services and startup programs when the user logs in (I guess at least 10 seconds) before the user is able to open an internet browser. But if you use other methods, for example the GP client, I guess yes, because GP will take some time to connect and the firewall to learn the mapping.

Amjad
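The race the thread describes (captive portal rule lookup runs before the security policy lookup, and both see whatever the IP-to-user table holds at the instant the first packet arrives) can be modelled in a few lines. The following is an added, constructed example written for this page; it is not PAN-OS code, the IP address, user name, timings and the `unknown_grace_ms` knob are all invented for illustration, and the grace window is a hypothetical mitigation to show the shape of a fix, not a firewall setting.

```python
"""Toy model of the User-ID / captive portal timing race discussed above.

Constructed example: not PAN-OS code, all values are made up.  Packet flow
order follows the reply in the thread: the captive portal rule lookup runs
before the security policy lookup, so a flow that arrives before the
IP-to-user mapping has propagated is both redirected and logged without a user.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UserIdTable:
    """IP-to-user mappings, each stamped with the time (ms) it was learned."""
    mappings: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def learn(self, ip: str, user: str, learned_at_ms: int) -> None:
        self.mappings[ip] = (user, learned_at_ms)

    def lookup(self, ip: str, now_ms: int) -> Optional[str]:
        entry = self.mappings.get(ip)
        if entry is None or entry[1] > now_ms:
            return None  # mapping has not propagated yet at this instant
        return entry[0]


@dataclass
class Flow:
    t_ms: int
    src_ip: str
    dst_port: int


@dataclass
class Verdict:
    t_ms: int
    user: Optional[str]
    captive_portal: bool


def evaluate(flows: List[Flow], table: UserIdTable,
             unknown_grace_ms: int = 0) -> List[Verdict]:
    """Evaluate flows in arrival order.

    A flow is redirected to the captive portal when it is HTTP (port 80) and
    its source IP has no user mapping at arrival time.  unknown_grace_ms is a
    hypothetical knob (not a PAN-OS setting): while an IP has been unknown for
    fewer than that many ms since its first packet, the redirect is suppressed
    and the flow is simply logged with no user, which is what the thread
    already observes happening in the traffic log.
    """
    first_seen: Dict[str, int] = {}
    verdicts: List[Verdict] = []
    for f in sorted(flows, key=lambda x: x.t_ms):
        first_seen.setdefault(f.src_ip, f.t_ms)
        user = table.lookup(f.src_ip, f.t_ms)  # captive portal rule lookup
        redirect = False
        if user is None and f.dst_port == 80:
            unknown_for = f.t_ms - first_seen[f.src_ip]
            redirect = unknown_for >= unknown_grace_ms
        # Security policy lookup follows; the log records the same user value.
        verdicts.append(Verdict(f.t_ms, user, redirect))
    return verdicts


def simulate(unknown_grace_ms: int = 0) -> List[Verdict]:
    """Constructed scenario: the mapping lands 50 ms after the first packet."""
    table = UserIdTable()
    table.learn("10.0.0.7", "corp\\david", learned_at_ms=50)  # invented
    flows = [
        Flow(0, "10.0.0.7", 80),    # first HTTP request of the session
        Flow(5, "10.0.0.7", 443),   # TLS flow: no portal, still no user
        Flow(10, "10.0.0.7", 80),   # second HTTP request, mapping still absent
        Flow(200, "10.0.0.7", 80),  # after propagation: user resolved
    ]
    return evaluate(flows, table, unknown_grace_ms)


def spurious_prompts(verdicts: List[Verdict]) -> int:
    """Count portal redirects that hit a user the firewall later identified."""
    return sum(1 for v in verdicts if v.captive_portal)


if __name__ == "__main__":
    for grace in (0, 100):
        vs = simulate(grace)
        print(f"grace={grace}ms prompts={spurious_prompts(vs)} "
              f"users={[v.user for v in vs]}")
```

Running it shows the point of the thread: with no grace window the two early HTTP flows are redirected even though the same IP resolves to a domain user 50 ms later, while the TLS flow and the later HTTP flow are not. The grace window removes the spurious prompts at the cost of letting a genuinely unknown host browse for that long before being challenged, which is the trade-off any real fix has to make.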
