Does Captive Portal work on Virtual Wires?


Hi,

I configured Captive Portal on a PA-500 ver. 3.1.3 following the directions in the PDF document "How to Configure Captive Portal", but the Captive Portal login screen has never come up. I wonder if Captive Portal works in a Virtual Wire environment?

Thanks in advance.


Accepted Solutions
L4 Transporter

Re: Does Captive Portal work on Virtual Wires?

If you use Redirect on a vwire you will need to create a L3 interface to act as the "Redirect" interface. It needs to be routable to the client PCs. If your DNS server is on the other side of the CP then you will need to allow all DNS traffic through the vwire to make this work. We have a revised CP document for version 3.1 posted on this portal.

Steve Krall



All Replies
L4 Transporter

Re: Does Captive Portal work on Virtual Wires?

The operation of captive portal changed slightly in PAN-OS 3.1. The setup in the document is related to PAN-OS 3.0. There are two modes for captive portal configuration now: transparent or redirect. PAN-OS 3.1 introduced the redirect mode so that browser certificate errors could be avoided. With transparent mode, the firewall will transparently intercept the browser traffic per the captive portal rule and pretend like it is the original destination URL. This causes cert errors because we are not the destination URL in reality and do not have the appropriate cert for the site. Redirect mode tells the browser to go to a configured address that would be a configured L3 interface on the device (not necessarily one that is used for processing traffic). You can use either mode with virtual wire. Redirect is preferred as it is a better end-user experience (no cert errors). However, it does require additional L3 configuration.

The other addition in PAN-OS 3.1 is the Authentication Profile. Instead of configuring the RADIUS info directly, you reference an authentication profile.

The other occasionally overlooked piece is that you need to remember to Commit the configuration for it to become active. If none of this seems to help, post some more details of your setup. The CLI output of "show running captive-portal-policy" and "show captive-portal" from configure mode would be a good starting point.

Mike

L2 Linker

Re: Does Captive Portal work on Virtual Wires?

Mike,

If I use redirect mode and RADIUS authentication only, I don't use NTLM.

Can Captive portal work? In case of certificate errors

