Avoiding Certificate Error With Captive Portal

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Avoiding Certificate Error With Captive Portal

L2 Linker

I was able to get Captive Portal setup successfully, but is there a way to prevent IE from complaining about a certificate error to get to the captive portal?  I probably won't be able to use it because of this error, it would be too confusing to some of my users.

Thanks for any help.

1 accepted solution

Accepted Solutions

In order to eliminate the errors you will need to install a cert that matches the IP address of the interface. Otherwise, the browser will still give certificate warnings.

Mike

View solution in original post

13 REPLIES 13

L4 Transporter

You will need to switch to redirect mode to remove the browser warnings. This allows the device to forward the browser to an interface IP address that will have a matching certificate and then, once properly authenticated, it will forward them back to the originally desired destination.

https://live.paloaltonetworks.com/docs/DOC-1516

Mike

I switched to redirect mode to 10.2.0.1, which is one of my L3 interfaces and I still receive a certificate error -- I've tried both a self generated certificate and using that Server Certificate and just leaving the Server Certificate blank.

I am seeing this in IE8, I don't have any other browsers installed on the machine I am testing with.

Any thing else I can try?

In order to eliminate the errors you will need to install a cert that matches the IP address of the interface. Otherwise, the browser will still give certificate warnings.

Mike

I did that.  Problem is that IE8 doesn't like the fact that it is a self-generated certificate, guess I am out of luck unless I want to purchase a certificate.

You don't necessarily need to purchase a cert, but you do need it to be a cert signed by a CA that your browsers trust. If you have a CA in place for creating certs for internal services, the same could be used for this. Alternatively, you could create a CA and tell your browsers to trust certs signed by it.

Mike

L2 Linker

PAM OS: 3.1.6

I use IE browser 8 for captvie portal but IE get cert very slowly. If I use firefox, It is OK.

Has captvie portal problems with IE 8?

Thank You

If you are using a self-signed certificate with Captive Portal and IE8 you will see slow page load times.

This is a browser issue. One way that you can solve this problem is by putting a valid cert on the Captive Portal and using redirect mode for Captive Portal.

For IE8, I found a problem. IE8 can not trust valid cert but other browser as Firefox can trust cert.

Have you ever found this issue? How solved?

Thank You

When you say "IE 8 cannot trust a valid cert" what does that mean exactly?

Public CA or Internal CA?

certificate details? (format, key length, etc etc)

What error(s)/symptom(s) does IE 8 display?

IE 8 display as ie_cp_error.jpg

If I use redirect mode for Captive Portal, NTLM required for CP or not.

I am using Radius authentication.

What a way for captive portal does without NTLM but Radius only?

Hi There,

You can just select an authentication profile, that you will have created for RADIUS.  This will allow Captive Portal to work with RADIUS and not NTLM - you need not select the User ID Agent in this case (you can leave it blank).

Thanks

James

L2 Linker

it should be of note that older browsers you could do this (redirect with a self signed) and there was no issue.

example if you take firefox 3 and try this it works with no errors.

however newer browsers wont allow a self signed certificate they will show errors, this is something that the browser manuifacture's have chosen to do to prevent macicious behavior. to "undo this feature" you would have to contact your browser manuifacture or google around for a way to defete this "protection" should you want to use a self signed cert....

ideally your not using a self signed certificate for this behavior as your complications go beyond firefox and IE ...aka BlackBerry Chrome Safari etc all of which will be enabling protection like this..

  • 1 accepted solution
  • 12125 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!