Always on Global Protect and Open Wifi


L6 Presenter

I'm in the initial stages of a support case, but am curious if you all have had issues or success with this scenario:

A GP user that is:

pre-logon / always-on / machine cert auth / no split-tunnel (0.0.0.0/0 include route) with access to their local network

Here's the problem:

A user is at a hotel / Starbucks (a place that has an open wifi connection, but has a guest portal authentication requirement). They're on the guest Wifi network, but the network's guest portal authentication page doesn't come up, and eventually GP gives the message saying that GP can't connect to the portal.

Has anyone had this problem before? How did you solve it?


L7 Applicator

Hmm, I have had similar... after GP has given up, what happens when a user tries to browse to the internet? Does the guest portal page pop up at all?

L4 Transporter

I have had a few complaints about this type of situation; there are a few things to consider:

1. Typically the captive portal is on the internal network, so the user simply needs to open a browser and try to browse; they will then get the portal and go from there.

2. GP client settings for captive portals can be very helpful: it will reach out and detect a captive portal without the need for the user to always open a browser, and the user will get a popup telling them there is a captive portal detected. Try looking into that.

3. Captive portals are a pain in the *&^%$#$, especially when they are hosted internally and use HTTPS, which requires a valid cert chain (the user needs to have the trusted root/intermediates). It can be done, but since you have no control over the hotel's captive portal or wifi setup it can be the wild west.

In our corporate office on the guest network the "hot spot portal" automatically pops up attempting to open the authentication portal page, but GP doesn't allow the client to connect to the portal to provide the authentication.

@hshawn wrote:

I have had a few complaints about this type of situation; there are a few things to consider:

1. Typically the captive portal is on the internal network, so the user simply needs to open a browser and try to browse; they will then get the portal and go from there.

The two networks are on 2 totally different Class-A networks.

@hshawn wrote:

I have had a few complaints about this type of situation; there are a few things to consider:

2. GP client settings for captive portals can be very helpful: it will reach out and detect a captive portal without the need for the user to always open a browser, and the user will get a popup telling them there is a captive portal detected. Try looking into that.

The Wifi environment of the users is natively trying to get the clients to the portal, but it appears GP isn't allowing access.

@hshawn wrote:

I have had a few complaints about this type of situation; there are a few things to consider:

3. Captive portals are a pain in the *&^%$#$, especially when they are hosted internally and use HTTPS, which requires a valid cert chain (the user needs to have the trusted root/intermediates). It can be done, but since you have no control over the hotel's captive portal or wifi setup it can be the wild west.

Fortunately for us, in the corporate office at least, our guest portal is signed with a public wildcard cert, so non-managed devices trust the cert since it's a public cert.

@Brandon_Wertz If the user is on the corp network, why are they attempting to connect to the VPN using GP? 🙂 I think maybe I misunderstand your response? We actually have a guest WiFi network here as well, so I think I know what you mean. We are able to switch over to the guest wifi to test the VPN out, but we spent a lot of time fine tuning to make sure it would work perfectly. PM me if you want to compare configs or something.

Here I can switch to guest wifi -> captive portal comes up automatically -> user clicks the accept button -> has internet -> GP connects to the VPN.

These settings may or may not help with your issues; this reduced our calls and complaints from people at hotels while traveling to zero.

(attached screenshot: 2018-11-29 08_21_07-hq-pan-02.png)

As far as GP not allowing the traffic to the portal, that sounds like a config tweak that needs to be made; it should allow that unless otherwise configured.

TAC recently sent this in response to my case, so it's the next thing I'll be looking into:

"I have done an initial investigation of the running configuration in place, and I can see you have "Enforce GlobalProtect for Network Access" enabled, with "Captive Portal Exception Timeout" set to the default of 0 (no timeout).

Please note that if the feature "Enforce GlobalProtect for Network Access" is enabled, GlobalProtect blocks all traffic until the agent is internal or connects to an external gateway, and thus the users are unable to access the Guest Wifi Portal.

Please configure the "Captive Portal Exception Timeout" to a specific value in seconds and run the test again."

My response:

"Does this mean if I set the timer to say 300 seconds the tunnel won't be locked down for 5 minutes?"

I think potentially I misunderstood this value. I attributed it to Palo Alto's use case, but I'm thinking in fact it's a general reference for exactly my use case.

Thoughts???

@Brandon_Wertz that is what I was thinking you may need to tweak, if you are using pre-logon/ user-logon then you should not need that enforce setting. I have not tried it in combination with captive portals but sounds like your culprit


@hshawn wrote:

@Brandon_Wertz If the user is on the corp network, why are they attempting to connect to the VPN using GP? 🙂 I think maybe I misunderstand your response?

No, you weren't wrong. In the corporate office I used our own "Guest" network to replicate the exact issue seen at similar locations like a hotel or coffee shop. So users are "in the office" but not seen as such.

@hshawn wrote:

We actually have a guest WiFi network here as well, so I think I know what you mean. We are able to switch over to the guest wifi to test the VPN out, but we spent a lot of time fine tuning to make sure it would work perfectly. PM me if you want to compare configs or something.

Here I can switch to guest wifi -> captive portal comes up automatically -> user clicks the accept button -> has internet -> GP connects to the VPN.

Yeah, I think this is the culprit.


@hshawn wrote:

...culprit

HAHAHAHA used the same word!! FNG hilarious.


@hshawn wrote:

These settings may or may not help with your issues; this reduced our calls and complaints from people at hotels while traveling to zero.

(attached screenshot: 2018-11-29 08_21_07-hq-pan-02.png)

As far as GP not allowing the traffic to the portal, that sounds like a config tweak that needs to be made; it should allow that unless otherwise configured.

This was TAC's response:

"If you set it to 300 seconds, then once the Global Protect client detects a captive portal, it will allow the user 5 minutes to login; this time is also known as the grace period.

I hope this answers your question."

So yep, I think both TAC and @hshawn have this solved. I'll need to get this approved to make the config change. Once I can get it implemented I'll update this thread.
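To make the two mechanisms discussed in this thread concrete (the client-side captive portal detection hshawn mentions, and the "Enforce GlobalProtect for Network Access" block with the "Captive Portal Exception Timeout" grace period that TAC explained), here is an added Python model. It is example code written for this thread, not Palo Alto's GlobalProtect implementation, and the behaviour it encodes is an assumption drawn from the replies above: with enforcement on, non-tunnel traffic is blocked until the tunnel is up, except during a grace period of the configured number of seconds after a captive portal is detected, and a timeout of 0 grants no grace period (the symptom the original poster saw). The probe URL, the expected probe body `Success`, the portal hostname `portal.example` and the function names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed: the body a connectivity probe is expected to return when the
# internet is reachable. Real clients use vendor-specific probe URLs/bodies.
PROBE_EXPECTED_BODY = "Success"


def classify_probe(status: int, headers: dict, body: str) -> str:
    """Classify the response to a plain-HTTP connectivity probe.

    Returns "open", "captive-portal" or "no-network". A captive portal
    usually answers the probe with a 3xx redirect to its login page, or
    serves its own HTML instead of the expected probe body.
    """
    if status == 0:
        return "no-network"           # no TCP/HTTP answer at all
    location = headers.get("Location", "")
    if 300 <= status < 400 and location:
        return "captive-portal"       # redirected to a login page
    if status == 200 and body.strip() == PROBE_EXPECTED_BODY:
        return "open"                 # the genuine probe page came back
    return "captive-portal"           # intercepted or replaced content


@dataclass
class EnforcementState:
    enforce_gp: bool                  # "Enforce GlobalProtect for Network Access"
    exception_timeout_s: int          # "Captive Portal Exception Timeout" (0 = no grace)
    tunnel_up: bool = False
    portal_detected_at: Optional[float] = None  # epoch seconds, None if not detected


def network_access_allowed(state: EnforcementState, now: float) -> bool:
    """Decide whether non-tunnel traffic is allowed at time `now`.

    Assumed behaviour (from the thread, not vendor code): enforcement blocks
    everything until the tunnel is up, except for `exception_timeout_s`
    seconds after a captive portal is detected.
    """
    if not state.enforce_gp or state.tunnel_up:
        return True
    if state.exception_timeout_s > 0 and state.portal_detected_at is not None:
        return now - state.portal_detected_at < state.exception_timeout_s
    return False


def simulate(timeout_s: int, login_delay_s: int) -> dict:
    """One hotel-wifi scenario: probe, detect the portal, user logs in after
    `login_delay_s` seconds. Returns what the user would experience."""
    # Constructed probe response: the hotel gateway redirects the probe.
    status, headers, body = 302, {"Location": "https://portal.example/login"}, ""
    verdict = classify_probe(status, headers, body)
    state = EnforcementState(enforce_gp=True, exception_timeout_s=timeout_s)
    t0 = 1000.0  # constructed detection time
    if verdict == "captive-portal":
        state.portal_detected_at = t0
    return {
        "probe": verdict,
        "portal_reachable_at_detect": network_access_allowed(state, t0),
        "portal_reachable_at_login": network_access_allowed(state, t0 + login_delay_s),
    }


if __name__ == "__main__":
    for timeout, delay in ((0, 30), (300, 30), (300, 400)):
        print(f"timeout={timeout}s login after {delay}s ->", simulate(timeout, delay))
```

Running the script shows the three cases that matter when reviewing this setting: with the timeout at 0 the portal page is never reachable even though the client detected it, with 300 seconds the user can reach the login page inside the grace period, and a user who waits longer than the grace period is blocked again until the tunnel comes up.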

When you have a start website in the browser(s) that uses HSTS - at least then it is fun 😛


@hshawn wrote:

These settings may or may not help with your issues; this reduced our calls and complaints from people at hotels while traveling to zero.

(attached screenshot: 2018-11-29 08_21_07-hq-pan-02.png)

As far as GP not allowing the traffic to the portal, that sounds like a config tweak that needs to be made; it should allow that unless otherwise configured.

With TAC's similar suggestion I implemented these changes and it corrected the connection issue.

  • 1 accepted solution
  • 16649 Views
  • 13 replies
  • 0 Likes