- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-23-2012 04:19 PM
Hello
I try PAN-OS 4.1.3, I use captive portal authentication with Radius/AD. I config user in WiFi zone access to any zone must authentication with captive portal. It work normally. But I try set Proxy server and user in WiFi Zone config Proxy IP into Internet Option. After that the user in WiFi zone can't access to any web becasue of the broswer doesn't redirect to captive portal authentication. Then I try to remove Proxy IP from Internet Option and test access web site. It redirect to captive portal page for authentication. Then I set Proxy IP into Internet Option. It can access to website pass through Proxy server normally.
Why I remove Proxy IP from Internet Option before authentication with captive portal?
How to config for this issue ?
02-23-2012 08:49 PM
Hi rmonvon
I use Ubuntu server install squid3 for my proxy server.
Regards.
Manaschai S.
02-23-2012 09:17 PM
Thank you for the info. It sounds like your configuration is sendding all traffic to the proxy server, including the captive portal session. I suggest that you defining a proxy bypass for the captive portal session such that the traffic is going direct. You can try using the captive portal 'redirect' option to a host and set the proxy bypass for this host.
02-24-2012 01:57 AM
Hi
I set the captive portal 'redirect' on Palo Alto network firewall and on squid3 I config
acl server src 10.100.100.0/24 <-- my server zone and Palo Alto firewall management interface
always_direct allow server
but it still not work. I found address of browser is "https://www.google.co.th:6082/php/uid.php?vsys=2&url=http://www.google.co.th". That change after I set above command on squid3 software but the broswer not show login page.
02-24-2012 11:56 AM
I am sorry but I don't understand what you mean by configuring 'redirect' on the proxy server and the 'acl server ...'.
My suggestion was to use 'redirect' on the PA device instead of 'transparent'. Once you select 'redirect', you also must define the 'redirect host' under the captive portal setting. When captive portal authenticates, the user will be forwarded to this 'redirect host' and this traffic should be direct (not going to your proxy server). So in the IE/FireFox browser, you will configure a proxy bypass for this 'redirect host'. The 'redirect host' should resolve to an IP address on the PA device but it should not be mgmt IP address.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!