Cannot use captive portal

L2 Linker

Good afternoon!

I'm configuring captive portal to authenticate users through RADIUS. I followed the steps in How to Setup Radius Authentication for Captive Portal (enable UI on source & destination interface => create RADIUS Server Profile and RADIUS Authentication Profile => enable Captive Portal in UI with that RADIUS Profile & Transparent mode => create Captive Portal policy (web-form action)), but it didn't work.

I've used the CLI command "test cp-policy-match source x.x.x.x destination y.y.y.y"; the result is "No rule matched".

Please help me with what I've missed. I'm using a PA-5060, PAN-OS 5.0.8, in a multiple virtual system environment. Thank you very much.

1 accepted solution

Accepted Solutions

Hi

That's good news that it's working!

Please read this topic, ending captive session with browser close, for information about logout.

Regards

SLawek


17 Replies

L5 Sessionator

Hi,

As long as you get this answer from the cp-policy command, it means your CP policy doesn't match. Just check that under Policies > Captive Portal your policy is correct.

Hope this helps.

V.

Thank you, VinceM. I checked several times; I confirm it's correct. I attach the rule. My laptop is 10.0.113.79, the destination PC is 10.0.23.85.

pa-captiveportal.png

L2 Linker

And another strange thing is that when I type the CLI command "test cp-policy-match from ?" or "test cp-policy-match to ?", it only lists zones on one virtual system. My system is in live production; inter-virtual-system traffic is normal. I've just created a captive portal policy locally on one virtual system; the test result is "No rule matched" too.

L4 Transporter

Hi

You mentioned the interface config (you enabled the response page on the source interface). What about zones?

Did you enable "Enable User Identification" on the source zone?

Please show your security policies that allow traffic from source to destination.

Regards

Slawek

Thank you. I don't know where to enable the response page on the source interface. I've just enabled it in 2 places:

1. Network => Zones => I checked Enable UI on all zones.

2. Device => UI => Captive Portal Settings => enabled with transparent mode.

Here are my security policies:

pa-captiveportal2.png

Hi

To enable response pages you should create a separate management profile in Device > Network Profiles > Interface Management and attach it to the source interface. On my device it looks like:

2014-01-09_120919.png

2014-01-09_120800.png

Ad 1. That's not a good idea. Please enable it only where it is needed (where CP or GP is)!

Ad 2. For the beginning I recommend using the redirect option.

You also don't have a security rule to allow unknown users to connect to the CP portal.

2014-01-09_122404.png

Please take a look at How to Configure Captive Portal.

Let me know whether that helps you or not.

With regards

Slawek

I checked Interface Management; it has Response Pages enabled on the source interface. I changed to Redirect mode and added a security rule above to allow users to connect to the CP portal, but that didn't work. The result is still "No rule matched" when testing with the CLI.

First of all you should test it using a web browser (I think). Is your browser redirected to the CP web page when you try to open 10.0.23.85?

For testing, I can recommend trying to configure access to Internet resources, because it will also verify DNS requests. In your situation you probably have a problem with resolving DNS, I guess.

Is your computer (10.0.113.79) able to open the CP portal web page? Do you have routing to 10.0.23.85? What is logged by "rule1"?

Regards

Slawek

I tested it using a web browser; I didn't see it redirected to another web page when I was connecting to 10.0.23.85.

In my case, I want to authorize internal staff; only authenticated staff can VNC to 10.0.23.85.

Logs on "rule1" show denied VNC traffic from 10.0.113.79 to 10.0.23.85. When I disable "rule1", I can VNC to 10.0.23.85 normally because there's another rule below that allows VNC traffic. A strange thing is that there is no log on the "Allow_CP" rule although I've opened http://10.0.23.85; those HTTP logs appear on another allow rule which is below the "Allow_CP" rule.

I don't know how to open the CP portal web page. When I use a web browser to open the IP address of the source interface, it returns a connection timeout.

Hi

Please give us:

- a screenshot of all your captive portal policies

- a screenshot of the Captive Portal settings

- a screenshot of ALL policies from the zone where your workstation is to the zone where 10.0.23.85 is

Regards

Slawek

Here are my configuration screenshots, except for all the policies.

debug-cp1.png

debug-cp2.png

debug-cp3.png

debug-cp4.png

debug-cp5.png

debug-cp6.png

In the captive portal policy, I have only 1 rule for testing.

The 3 policies for CP testing are on top. They are the 2nd, 3rd and 4th rules in the order of the security rules. Below them, there are many rules that allow traffic from other zones to the 10.0.23.0/24 zone.

Thank you very much.

First of all, you don't have a server certificate for CP! And use a DNS name instead of an IP.

You must generate it or take one from, e.g., startssl.com.

My configuration looks like:

2014-01-14_205339.png

Second problem: please take a look at my post.

The 1st rule is for "unknown" users and the second for "known" users.

In my opinion you should change:

2014-01-14_210103.png

If you want to make exceptions, you must do it in CP policies, something like:

2014-01-14_210601.png

After the change, please tell me which policy will handle traffic from your PC to the destination IP.

Regards

SLawek

In the picture of the second problem, I have to configure "any" in the places you struck out, right?

If yes, I'm afraid that it will affect my environment because there are other servers in the 10.0.23.0/24 zone.

If no, I changed only the source user to unknown / known-user in my security rules. That doesn't work. Here are the logs:

debug-cp7.png

Thank you.

In this situation I'd recommend creating a separate zone and interface (subinterface) for testing. You have a really big device, so I think that isn't a problem to do.

You should first prepare tests in a test environment, and when everything works as you expected you can adapt it to your production.

CP works for all sources/destinations; exceptions you can make in CP policies, not in Security policies (that's my opinion, maybe someone will correct me).

Did you try to open http://10.0.23.85 in a browser? That's necessary to redirect the browser to the CP portal. As I wrote before, please start playing with regular HTTP traffic and in the next step try to manage other services.

Regards

Slawek
