Do you maybe also use Global Protect with the setting "Enforce GlobalProtect for Network Access" enabled? And does this also made you a headache? Even worse do you have https website configured on the client computers as default websites in the browsers? If if this is not enough does this website also use HSTS?
By default a modern operating system (Windows, Android, iOS, macOs) automatically shows a notification about a captive portal or opens the browser automatically to open the captive login website. At least on windows 10 the captive portal detection mechanism breaks as soon global Protect is installed. At least in a lot of situations in my company this this confused our users heavily so they did not know what to do. We have the captive portal timeout set to 3600 s so the users should have enough time to login to a captive portal. Unfortunately the captive portal notification of global protect will be shown statically 85 seconds before this timeout is reached, so our users will never see this message. Our users started complaining that windows no longer notifies them about what to do in such captive portal situations. In fact they were simply stuck and could no longer connect to the network. As more and more websites use HSTS even when they tried to open a browser manually to open a website this did not work too because of the captive portal there was a cert error and the browser is not allowed to show a cert warning that you can ignore. Only an error page is shown that you cannot click away. Obviously no technical user will understand why only http website will work in that case because only these websites can be redirected by a captive portal without any errors and warnings.
If all these or at least a part of these problems sound familiar to you, then pleas vote for Feature Request 10173. With this feature request the bevaviour of the os'es should be implemented in global protect. With this feature request it should be possible to tell GP to automatically open the browser and open a configurable website (preferably http to have users automatically redirected to captive portal login websites). At least a little step is also Feature Request 9563 where the time when the captive portal notification will be shown will be configurable and not statically 85 seconds befor reaching the captive portal timeout.
Many thanks if you add your votes to thes feature requests.
Solved! Go to Solution.
Agent Update 4.1.9 may alleviate this.
What changed in 4.1.9? So far I don't see a difference regarding this...
Feature Request 9563 was silently implemented. It only requires content update version 8118-5277. After installing this content update a new option becomes available in the Globalprotect Portal>Agent>App Tab to set a "Captive Portal Notification Delay". This option is compatible with global protect agent starting at version 4.1.
This makes the situation already a lot better and as there is the possibility to place a link in the captive portal notification where a user can click to open a browser the problem is almost solved ;)
PS: @PaloAltoNetworks why is this new feature not mentionned in the content update release notes?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!