Always on Global Protect and Open Wifi

Cyber Elite

Always on Global Protect and Open Wifi

I'm in the initial stages of a support case, but am curious if you all have had issues or success with this scenario:

A GP user that is:

pre-login / always-on / machine cert auth / no split-tunnel (0.0.0.0/0 include route) with access to their local network

Here's the problem:

A user is at a hotel / Starbucks (a place that has an open Wi-Fi connection, but has a guest portal authentication requirement). They're on the guest Wi-Fi network, but the network's guest portal authentication page doesn't come up, and eventually GP gives the message saying that GP can't connect to the portal.

Has anyone had this problem before? How did you solve it?


Accepted Solutions
L4 Transporter

Re: Always on Global Protect and Open Wifi

These settings may or may not help with your issues; this reduced our calls and complaints from people at hotels while traveling to zero.

[Attached screenshot: 2018-11-29 08_21_07-hq-pan-02.png]

As far as GP not allowing the traffic to the portal, that sounds like a config tweak that needs to be made; it should allow that unless otherwise configured.



All Replies
L7 Applicator

Re: Always on Global Protect and Open Wifi

Hmm, I have had similar. After GP has given up, what happens when a user tries to browse to the internet? Does the guest portal page pop up at all?

L4 Transporter

Re: Always on Global Protect and Open Wifi

I have had a few complaints about this type of situation; there are a few things to consider:

1. Typically the captive portal is on the internal network, so the user simply needs to open a browser and try to browse; they will then get the portal and go from there.

2. GP client settings for captive portals can be very helpful. It will reach out and detect a captive portal without the need for the user to always open a browser; the user will get a popup telling them there is a captive portal detected. Try looking into that.

3. Captive portals are a pain in the *&^%$#$, especially when they are hosted internally and use HTTPS, which requires a valid cert chain: the user needs to have the trusted root/intermediates. It can be done, but since you have no control over the hotel's captive portal or Wi-Fi setup it can be the wild west.

Cyber Elite

Re: Always on Global Protect and Open Wifi

In our corporate office on the guest network the "hot spot portal" automatically pops up, attempting to open the authentication portal page, but GP doesn't allow the client to connect to the portal to provide the authentication.

Cyber Elite

Re: Always on Global Protect and Open Wifi


@hshawn wrote:

I have had a few complaints about this type of situation; there are a few things to consider:

1. Typically the captive portal is on the internal network, so the user simply needs to open a browser and try to browse; they will then get the portal and go from there.

The two networks are on 2 totally different Class-A networks.

@hshawn wrote:

I have had a few complaints about this type of situation; there are a few things to consider:

2. GP client settings for captive portals can be very helpful. It will reach out and detect a captive portal without the need for the user to always open a browser; the user will get a popup telling them there is a captive portal detected. Try looking into that.

The Wi-Fi environment of the users is natively trying to get the clients to the portal, but it appears GP isn't allowing access.

@hshawn wrote:

I have had a few complaints about this type of situation; there are a few things to consider:

3. Captive portals are a pain in the *&^%$#$, especially when they are hosted internally and use HTTPS, which requires a valid cert chain: the user needs to have the trusted root/intermediates. It can be done, but since you have no control over the hotel's captive portal or Wi-Fi setup it can be the wild west.

Fortunately for us, in the corporate office at least, our guest portal is signed with a public wildcard cert, so non-managed devices trust the cert since it's a public cert.

L4 Transporter

Re: Always on Global Protect and Open Wifi

@Brandon_Wertz If the user is on the corp network, why are they attempting to connect to the VPN using GP? :) I think maybe I misunderstand your response? We actually have a guest Wi-Fi network here as well, so I think I know what you mean. We are able to switch over to the guest Wi-Fi to test the VPN out, but we spent a lot of time fine tuning to make sure it would work perfectly. PM me if you want to compare configs or something.

Here I can switch to guest Wi-Fi -> captive portal comes up automatically -> user clicks the accept button -> has internet -> GP connects to the VPN.


Cyber Elite

Re: Always on Global Protect and Open Wifi

TAC recently sent this in response to my case, so it's the next thing I'll be looking into:

"I have done an initial investigation of the running configuration in place, and I can see you have "Enforce GlobalProtect for Network Access" enabled, with "Captive Portal Exception Timeout" set to the default of 0 (no timeout).

Please note that if the feature "Enforce GlobalProtect for Network Access" is enabled, GlobalProtect blocks all traffic until the agent is internal or connects to an external gateway, and thus the users are unable to access the Guest Wifi Portal.

Please configure the "Captive Portal Exception Timeout" to a specific value in seconds and run the test again."

My response:

"Does this mean if I set the timer to say 300 seconds the tunnel won't be locked down for 5 minutes?"

I think potentially I misunderstood this value. I attributed it to Palo Alto's use case, but I'm thinking in fact it's a general reference for exactly my use case.

Thoughts???
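To make the two mechanisms discussed above concrete (the client-side captive portal detection hshawn mentions in point 2, and the "Enforce GlobalProtect for Network Access" plus "Captive Portal Exception Timeout" behaviour TAC describes), here is a small Python model. It is an added example for this thread, not GlobalProtect code and not from the original posts. The probe URL, the expected probe body, and the agent state names ("internal", "connected", "disconnected") are assumptions chosen for the example; the exception window is modelled as "non-VPN traffic is allowed for N seconds after a captive portal is detected", which is how TAC's description and the setting's name read, and with the default of 0 no window ever opens.

```python
"""Captive-portal detection and an "enforce with exception window" model.

Added illustrative example; not GlobalProtect code. The probe URL, expected
body and agent state names are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Assumed probe endpoint and the answer it returns on an open network.
# Real clients do the same: fetch a known plain-HTTP URL with a known answer.
PROBE_URL = "http://connectivity-check.example/probe"
EXPECTED_BODY = b"OK"

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class ProbeResponse:
    """Minimal HTTP response as seen by the probe (constructed, not captured)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def classify_probe(resp: Optional[ProbeResponse],
                   probe_url: str = PROBE_URL,
                   expected_body: bytes = EXPECTED_BODY) -> str:
    """Return 'open', 'captive' or 'unreachable' for one probe result."""
    if resp is None:
        return "unreachable"            # no TCP/HTTP answer at all
    if resp.status == 511:
        return "captive"                # RFC 6585 "Network Authentication Required"
    if resp.status in REDIRECT_STATUSES:
        target_host = urlsplit(resp.header("Location")).hostname
        probe_host = urlsplit(probe_url).hostname
        # A redirect to some other host is the classic portal interception.
        return "captive" if target_host != probe_host else "open"
    if resp.status == 200 and resp.body.strip() == expected_body:
        return "open"
    # 200 with a login page, 403, 407, ...: something on the path replaced the answer.
    return "captive"


def network_access_allowed(enforce: bool,
                           agent_state: str,
                           exception_timeout: int,
                           portal_detected_at: Optional[float],
                           now: float) -> bool:
    """Decide whether non-VPN traffic may leave the host.

    Models the TAC description: with enforcement on, traffic is blocked until
    the agent is 'internal' or 'connected'. A non-zero exception timeout opens
    a window of that many seconds after a captive portal was detected so the
    user can authenticate to it. State names are assumptions for this model.
    """
    if not enforce or agent_state in ("internal", "connected"):
        return True
    if exception_timeout <= 0 or portal_detected_at is None:
        return False                    # the thread's failure mode: default 0 = never
    return (now - portal_detected_at) < exception_timeout


if __name__ == "__main__":
    # Constructed hotel-style answer: the probe is bounced to a login page.
    hotel = ProbeResponse(302, {"Location": "https://login.hotel-wifi.example/"})
    print(classify_probe(hotel))                                         # captive
    print(network_access_allowed(True, "disconnected", 0, 0.0, 10.0))    # False
    print(network_access_allowed(True, "disconnected", 300, 0.0, 10.0))  # True
```

Run as a script it prints the three results for the hotel scenario: the probe is classified as a captive portal, traffic stays blocked with the default timeout of 0, and a 300-second timeout opens the window the user needs to reach the guest portal before enforcement resumes.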

L4 Transporter

Re: Always on Global Protect and Open Wifi

@Brandon_Wertz That is what I was thinking you may need to tweak. If you are using pre-logon/user-logon then you should not need that enforce setting. I have not tried it in combination with captive portals, but it sounds like your culprit.

Cyber Elite

Re: Always on Global Protect and Open Wifi


@hshawn wrote:

@Brandon_Wertz If the user is on the corp network, why are they attempting to connect to the VPN using GP? :) I think maybe I misunderstand your response?

No, you weren't wrong. In the corporate office I used our own "Guest" network to replicate the exact issue seen at similar locations like a hotel or coffee shop. So users are "in the office" but not seen as such.

@hshawn wrote:

We actually have a guest Wi-Fi network here as well, so I think I know what you mean. We are able to switch over to the guest Wi-Fi to test the VPN out, but we spent a lot of time fine tuning to make sure it would work perfectly. PM me if you want to compare configs or something.

Here I can switch to guest Wi-Fi -> captive portal comes up automatically -> user clicks the accept button -> has internet -> GP connects to the VPN.

Yeah, I think this is the culprit.
