01-09-2014 12:00 AM
Good afternoon!
I'm configuring captive portal to authenticate users through RADIUS. I followed the steps in How to Setup Radius Authentication for Captive Portal (enable UI on source & destination interface => create Radius Server Profile and Radius Authentication Profile => enable Captive Portal on UI with that Radius Profile & Transparent mode => create Captive Portal policy (web-form action)), but it didn't work.
I've used the CLI "test cp-policy-match source x.x.x.x destination y.y.y.y"; the result is "No rule matched".
Please help me with what I've missed. I'm using a PA 5060, PANOS 5.0.8, multiple virtual system environment. Thank you very much.
01-21-2014 11:48 PM
Hi
That's good news that it's working!
Please read the topic "ending captive session with browser close"
for information about logout.
Regards
SLawek
01-09-2014 12:11 AM
Hi,
As long as you get this answer from the cp-policy command, it means your CP policy doesn't match. Just check that under Policies > Captive Portal your policy is correct.
Hope this helps.
V.
01-09-2014 12:25 AM
Thank you, VinceM. I checked several times and I confirm it's correct. I attach the rule; my laptop is 10.0.113.79, the destination PC is 10.0.23.85.
01-09-2014 12:49 AM
And another strange thing is that when I type the CLI "test cp-policy-match from ?" or "test cp-policy-match to ?", it only lists zones from 1 virtual system. My system is in live production and inter-virtual system traffic is normal. I've just created a captive portal policy locally on 1 virtual system; the test result is "No rule matched" too.
01-09-2014 01:23 AM
Hi
You mentioned the interface config (you enabled the response page on the source interface). What about zones?
Did you enable "Enable User Identification" on the source zone?
Please show your security policies that allow traffic from source to destination.
Regards
Slawek
01-09-2014 01:50 AM
Thank you. I don't know where to enable the response page on the source interface. I've just enabled it in 2 places:
1. Network => Zones => I checked enable UI on all zones.
2. Device => UI => Captive Portal Settings => enabled with transparent mode.
Here are my security policies:
01-09-2014 03:24 AM
Hi
To enable response pages you should create a separate management profile in Device > "Network Profiles" > "Interface management" and attach it to the source interface. In my device it looks like:
Ad1. That's not a good idea. Please enable it only where it is needed! (where CP or GP is)
Ad2. For the beginning I recommend using the redirect option.
You also don't have a security rule to allow unknown users to connect to the CP portal.
Please take a look at How to Configure Captive Portal.
Let me know whether that helps you or not.
With regards
Slawek
01-09-2014 06:21 PM
I checked Interface Management; it has Response Page enabled on the source interface. I changed to Redirect mode and added a security rule above to allow users to connect to the CP portal, but that doesn't work. The result is still "No rule matched" when testing from the CLI.
01-10-2014 02:05 AM
First of all you should test it using a web browser (I think). Is your browser redirected to the CP webpage when you try to open 10.0.23.85?
For testing I can recommend trying to configure access to internet resources, because it will also verify DNS requests. In your situation you probably have a problem with resolving DNS, I guess.
Is your computer (10.0.113.79) able to open the CP portal webpage? Do you have routing to 10.0.23.85? What is logged by "rule1"?
Regards
Slawek
01-12-2014 06:39 PM
I tested it using a web browser; I didn't see it redirected to another webpage when I was connecting to 10.0.23.85.
In my case, I want to authorize internal staff; only authenticated staff can VNC to 10.0.23.85.
Logs on "rule1" are denied VNC traffic from 10.0.113.79 to 10.0.23.85. When I disable "rule1", I can VNC to 10.0.23.85 normally because there's another rule below that allows VNC traffic. A strange thing is there is no log on the "Allow_CP" rule although I've opened http://10.0.23.85; those HTTP logs appear on another allow rule which is below the "Allow_CP" rule.
I don't know how to open the CP portal webpage. When I use a web browser to open the IP address of the source interface, it returns connection timeout.
01-13-2014 01:02 AM
Hi
Please give us:
- a screenshot of all your captive portal policies
- a screenshot of Captive Portal settings
- a screenshot of ALL policies from the zone where your workstation is to the zone where 10.0.23.85 is
Regards
Slawek
01-14-2014 02:55 AM
Here are my configuration screenshots, except all the policies.
In the captive portal policy, I have only 1 rule for testing.
The 3 policies for CP testing are on top. They are the 2nd, 3rd and 4th rules in the order of security rules. Below them there are many rules that allow traffic from other zones to the 10.0.23.0/24 zone.
Thank you very much.
01-14-2014 12:04 PM
First of all, you don't have a server certificate for CP! And use a DNS name instead of an IP.
You must generate it or take one from e.g. startssl.com.
My configuration looks like:
Second problem, please take a look at my post.
The 1st rule is for the "unknown" user and the second for the "known" user.
In my opinion you should change:
If you want to make exceptions, you must do it in CP policies, something like:
After the change please tell me which policy handles traffic from your PC to the destination IP.
Regards
SLawek
01-15-2014 05:53 PM
On the picture of the second problem, I have to configure "any" in the places you struck out, right?
If yes, I'm afraid that it will affect my environment because there are other servers in the 10.0.23.0/24 zone.
If no, I changed only the source user to unknown / known-user in my security rules. That doesn't work. Here are the logs:
Thank you.
01-16-2014 12:03 AM
In this situation I'd recommend creating a separate zone and interface (subinterface) for testing. You have a really big device, so I think that isn't a problem to do.
You should first prepare tests in a test environment, and when everything works as you expect you can adapt it to your production.
CP works for all sources/destinations; exceptions you can make in CP policies, not in security policies (that's my opinion, maybe someone will correct me).
Did you try to open http://10.0.23.85 in a browser? That's necessary to redirect the browser to the CP portal. As I wrote before, please start playing with regular HTTP traffic and in the next step try to manage other services.
Regards
Slawek
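The points Slawek makes across the thread (the CP policy only redirects browser traffic, a first rule for "unknown" users must let them reach the portal before a second rule serves "known" users, and exemptions belong in the CP policy rather than the security policy) can be illustrated with a small first-match simulation. The following is an added teaching example, not code from the thread or from PAN-OS; the rule names (`Allow_CP`, `rule1`, `Allow_VNC_known`, `cp-redirect`, `cp-exempt-monitor`), the zone names, the exempt host 10.0.113.10 and the user name `alice` are constructed assumptions, and real prefix matching, vsys handling and User-ID timeouts are deliberately left out.

```python
"""Constructed first-match evaluator showing how captive portal (CP) rules and
security rules interact for an unauthenticated vs. an authenticated user.
Teaching model only: not PAN-OS code; names and fields are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str = ANY
    dst_zone: str = ANY
    src_ip: str = ANY        # single host or "any" (prefix matching omitted)
    dst_ip: str = ANY
    src_user: str = ANY      # "any", "unknown", "known-user" or a user name
    service: str = ANY       # e.g. "web-browsing", "vnc"
    action: str = "allow"    # security: allow/deny; CP: web-form/no-captive-portal


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str
    user: Optional[str] = None   # None: no IP-to-user mapping yet, i.e. "unknown"


def _user_matches(rule_user: str, user: Optional[str]) -> bool:
    if rule_user == ANY:
        return True
    if rule_user == "unknown":
        return user is None
    if rule_user == "known-user":
        return user is not None
    return rule_user == user


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Top-down, first-match evaluation; None plays the role of 'No rule matched'."""
    for r in rules:
        if (r.src_zone in (ANY, flow.src_zone)
                and r.dst_zone in (ANY, flow.dst_zone)
                and r.src_ip in (ANY, flow.src_ip)
                and r.dst_ip in (ANY, flow.dst_ip)
                and r.service in (ANY, flow.service)
                and _user_matches(r.src_user, flow.user)):
            return r
    return None


# Constructed CP policy: the exemption sits above the redirect rule, and the
# redirect rule matches only web traffic, because only a browser can be sent to
# the portal; a bare VNC connection never triggers it.
CP_POLICY = [
    Rule("cp-exempt-monitor", src_ip="10.0.113.10", action="no-captive-portal"),
    Rule("cp-redirect", src_zone="users", dst_zone="servers",
         service="web-browsing", action="web-form"),
]

# Constructed security policy: first rule lets unknown users reach the portal
# (web traffic), the next denies everything else from them, and the last serves
# authenticated (known) users.
SECURITY_POLICY = [
    Rule("Allow_CP", src_zone="users", dst_zone="servers",
         src_user="unknown", service="web-browsing", action="allow"),
    Rule("rule1", src_zone="users", dst_zone="servers",
         src_user="unknown", action="deny"),
    Rule("Allow_VNC_known", src_zone="users", dst_zone="servers",
         dst_ip="10.0.23.85", src_user="known-user", service="vnc", action="allow"),
]


def evaluate(flow: Flow) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (CP action or None, matched security rule or None, its action or None)."""
    cp = first_match(CP_POLICY, flow)
    sec = first_match(SECURITY_POLICY, flow)
    return (cp.action if cp else None,
            sec.name if sec else None,
            sec.action if sec else None)


if __name__ == "__main__":
    # Constructed flows modelled on the thread: laptop 10.0.113.79 to host 10.0.23.85.
    laptop = dict(src_zone="users", dst_zone="servers",
                  src_ip="10.0.113.79", dst_ip="10.0.23.85")
    for label, flow in [
        ("unknown user, VNC ", Flow(service="vnc", **laptop)),
        ("unknown user, HTTP", Flow(service="web-browsing", **laptop)),
        ("known user, VNC   ", Flow(service="vnc", user="alice", **laptop)),
    ]:
        print(label, "->", evaluate(flow))
```

Run stand-alone, the three printed lines show the behaviour the thread describes: an unauthenticated VNC attempt matches no CP rule and is denied by `rule1`, an HTTP request from the same host is redirected by the CP policy and allowed by `Allow_CP`, and once the IP has a user mapping the VNC flow is allowed by the known-user rule without the CP policy being involved. Swapping the order of `Allow_CP` and `rule1` in `SECURITY_POLICY` is a quick way to see why the "unknown user" rule has to come first.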