11-29-2018 07:23 AM
I'm in the initial stages of a support case, but am curious if you all have had issues or success with this scenario:
A GP user that is:
pre-login / always-on / machine cert auth / no split-tunnel (0.0.0.0/0 include route) with access to their local network
Here's the problem:
A user is at a hotel / Starbucks (a place that has an open Wi-Fi connection, but has a guest portal authentication requirement). They're on the guest Wi-Fi network, but the network's guest portal authentication page doesn't come up, and eventually GP gives the message saying that GP can't connect to the portal.
Has anyone had this problem before? How did you solve it?
11-29-2018 07:29 AM
Hmm, I have had similar. After GP has given up, what happens when a user tries to browse to the internet? Does the guest portal page pop up at all?
11-29-2018 08:07 AM - edited 11-29-2018 08:14 AM
I have had a few complaints about this type of situation, there are a few things to consider:
1. Typically the captive portal is on the internal network, so the user simply needs to open a browser and try to browse; they will then get the portal and go from there.
2. GP client settings for captive portals can be very helpful. It will reach out and detect a captive portal without the need for the user to always open a browser; the user will get a popup telling them there is a captive portal detected. Try looking into that.
3. Captive portals are a pain in the *&^%$#$, especially when they are hosted internally and use HTTPS, which requires a valid cert chain; the user needs to have the trusted root/intermediates. It can be done, but since you have no control over the hotel's captive portal or Wi-Fi setup it can be the wild west.
11-29-2018 08:12 AM
In our corporate office on the guest network the "hot spot portal" automatically pops-up attempting to open the authentication portal page, but GP doesn't allow the client to connect to the portal to provide the authentication.
11-29-2018 08:17 AM
@hshawn wrote:I have had a few complaints about this type of situation, there are a few things to consider:
1. typically the captive portal is on the internal network so the user simply just needs to open a browser and try to browse they will then get the portal and go from there
The two networks are on 2 totally different Class-A networks.
@hshawn wrote:I have had a few complaints about this type of situation, there are a few things to consider:
2. GP client settings for captive portals can be very helpful, it will reach out and detect a captive portal without the need for the user to always open a browser, the user will get a popup telling them there is a captive portal detected. Try looking into that
The Wi-Fi environment of the users is natively trying to get the clients to the portal, but it appears GP isn't allowing access.
@hshawn wrote:I have had a few complaints about this type of situation, there are a few things to consider:
3. captive portals are a pain in the *&^%$#$ specially when they are hosted internally and use HTTPS which requires a valid cert chain the user needs to have the trusted root/intermediates. It can be done but since you have no control over the hotel's captive portal or wifi setup it can be the wild west.
Fortunately for us, in the corporate office at least, our guest portal is signed with a public wildcard cert, so non-managed devices trust the cert since it's a public cert.
11-29-2018 08:17 AM
@Brandon_Wertz If the user is on the corp network, why are they attempting to connect to the VPN using GP? 🙂 I think maybe I misunderstand your response? We actually have a guest WiFi network here as well, so I think I know what you mean. We are able to switch over to the guest wifi to test the VPN out, but we spent a lot of time fine-tuning to make sure it would work perfectly. PM me if you want to compare configs or something.
Here I can switch to guest wifi->captive portal comes up automatically->user clicks the accept button->has internet->GP connects to the VPN
11-29-2018 08:22 AM - edited 11-29-2018 08:23 AM
These settings may or may not help with your issues, this reduced our calls and complaints from people at hotels while traveling to zero
As far as GP not allowing the traffic to the portal that sounds like a config tweak that needs to be made, it should allow that unless otherwise configured
11-29-2018 08:22 AM
TAC recently sent this in response to my case, so it's the next thing I'll be looking into:
"I have done an initial investigation of the running configuration in place, and I can see you have "Enforce GlobalProtect for Network Access" enabled, with "Captive Portal Exception Timeout" set to the default of 0 (no timeout).
Please note that if the feature "Enforce GlobalProtect for Network Access" is enabled, GlobalProtect blocks all traffic until the agent is internal or connects to an external gateway, and thus the users are unable to access the Guest Wifi Portal.
Please configure the "Captive Portal Exception Timeout" to a specific value in seconds and run the test again."
My response:
"Does this mean if I set the timer to say 300 seconds the tunnel won't be locked down for 5 minutes?"
I think I potentially misunderstood this value, as I attributed it to Palo Alto's use case, but I'm thinking in fact it's a general reference for exactly my use case.
Thoughts???
11-29-2018 08:25 AM
@Brandon_Wertz That is what I was thinking you may need to tweak. If you are using pre-logon/user-logon then you should not need that enforce setting. I have not tried it in combination with captive portals, but it sounds like your culprit.
11-29-2018 08:25 AM
@hshawn wrote:@Brandon_Wertz If the user is on the corp network why are they attempting to connect to the VPN using GP? 🙂 I think maybe I misunderstand your response?
No, you weren't wrong. In the corporate office I used our own "Guest" network to replicate the exact issue seen at similar locations like a hotel or coffee shop. So users are "in the office" but not seen as such.
@hshawn wrote:We actually have a guest WiFi network here as well so I think I know what you mean. We are able to switch over to the guest wifi to test the VPN out but we spent a lot of time fine-tuning to make sure it would work perfectly. PM me if you want to compare configs or something.
Here I can switch to guest wifi->captive portal comes up automatically->user clicks the accept button->has internet->GP connects to the VPN
Yeah I think this is the culprit.
11-29-2018 08:33 AM
@hshawn wrote:These settings may or may not help with your issues, this reduced our calls and complaints from people at hotels while traveling to zero
As far as GP not allowing the traffic to the portal that sounds like a config tweak that needs to be made, it should allow that unless otherwise configured
This was TAC's response:
"If you set it to 300 seconds, then once the GlobalProtect client detects a captive portal, it will allow the user 5 minutes to log in. This time is also known as the grace period.
I hope this answers your question."
So yep I think both TAC and @hshawn have this solved. I'll need to get this approved to make the config change. Once I can get it implemented I'll update this thread.
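To make the behaviour TAC describes concrete, here is an added model (not GlobalProtect's code, and not from anyone in this thread) of the two settings discussed: "Enforce GlobalProtect for Network Access" blocking non-tunnel traffic, and "Captive Portal Exception Timeout" opening a grace window only once a captive portal has been detected. The probe host, the expected probe body, the portal redirect URL and the fake clock are all constructed assumptions for the illustration; the portal-detection heuristics (redirect away from the probe host, rewritten 200 body, HTTP 511) are the generic ones any connectivity check uses.

```python
"""Toy model of an always-on VPN client's enforcement decision with a captive-portal
grace period.  Added illustration only; the probe target, expected body and clock
are constructed assumptions, not GlobalProtect internals."""
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed connectivity-probe target; a real client uses its own well-known URL.
PROBE_HOST = "connectivity-check.example.invalid"
PROBE_EXPECTED_BODY = "OK"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class ProbeResponse:
    """Constructed stand-in for the HTTP reply to the connectivity probe."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def looks_like_captive_portal(resp: ProbeResponse) -> bool:
    """Generic heuristics for 'the probe was intercepted by a login portal'."""
    if resp.status == 511:            # RFC 6585 Network Authentication Required
        return True
    if resp.status in REDIRECT_STATUSES:
        # Redirected to some other host: almost certainly a portal login page.
        return PROBE_HOST not in resp.headers.get("Location", "")
    if resp.status == 200:
        # A 200 whose body is not the expected marker was rewritten in transit.
        return resp.body.strip() != PROBE_EXPECTED_BODY
    return False                       # timeouts / other errors: no portal evidence


@dataclass
class EnforcementPolicy:
    """The two settings from the thread."""
    enforce_for_network_access: bool
    captive_portal_exception_timeout: int  # seconds; 0 means no grace period


class ClientState:
    def __init__(self, policy: EnforcementPolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock
        self.portal_detected_at: Optional[float] = None
        self.connected = False  # tunnel up, or client decided it is internal

    def on_probe_result(self, resp: ProbeResponse) -> None:
        if looks_like_captive_portal(resp):
            if self.portal_detected_at is None:   # start the window once per detection
                self.portal_detected_at = self.clock()
        else:
            self.portal_detected_at = None

    def on_tunnel(self, up: bool) -> None:
        self.connected = up
        if up:
            self.portal_detected_at = None

    def in_grace_period(self) -> bool:
        timeout = self.policy.captive_portal_exception_timeout
        if self.portal_detected_at is None or timeout <= 0:
            return False
        return self.clock() - self.portal_detected_at < timeout

    def allows_local_traffic(self) -> bool:
        """May non-tunnel traffic (e.g. to the hotel portal) flow right now?"""
        if not self.policy.enforce_for_network_access:
            return True
        if self.connected:
            return True
        return self.in_grace_period()


class FakeClock:
    """Injected clock so the grace period can be stepped deterministically."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(timeout: int, elapsed_after_detection: float) -> bool:
    """Enforcement on, portal detected via a constructed 302, then `elapsed` seconds pass."""
    clock = FakeClock()
    client = ClientState(EnforcementPolicy(True, timeout), clock=clock)
    client.on_probe_result(ProbeResponse(302, {"Location": "https://login.hotel.example/portal"}))
    clock.advance(elapsed_after_detection)
    return client.allows_local_traffic()


if __name__ == "__main__":
    print(simulate(0, 1))      # False: the default 0 blocks portal traffic outright
    print(simulate(300, 100))  # True: inside the 5-minute grace period
    print(simulate(300, 301))  # False: grace period elapsed without connecting
```

The first call reproduces the symptom in the original post: with the timeout left at 0, the portal is detected but no window ever opens, so the user can never reach the login page. The design point worth keeping in mind is that the grace period opens only on a positive portal detection, and closes again on its own; it does not weaken enforcement on networks where no portal is seen.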
11-29-2018 02:05 PM
When you have a start website in the browser(s) that uses HSTS, at least then it is fun 😛
12-03-2018 05:33 AM
@hshawn wrote:These settings may or may not help with your issues, this reduced our calls and complaints from people at hotels while traveling to zero
As far as GP not allowing the traffic to the portal that sounds like a config tweak that needs to be made, it should allow that unless otherwise configured
With TAC's similar suggestion I implemented these changes and it corrected the connection issue.