Captive portal + decryption + squid: https problem.


L1 Bithead

Hi,

I am trying to configure a path for users to access the Internet. I use Palo Alto and Squid, but not everything works as I expected.

The path:

user---Palo Alto ---squid ---Internet.

Squid is behind Palo Alto because of Citrix users. I want to control Citrix users' access, and in the scenario user---squid---Palo Alto---Internet it's not possible: Squid changes source ports.


Captive portal and decryption are configured.

Everything works for unknown users who reach HTTP. User authentication by the Kerberos protocol succeeds. If a known user opens HTTPS, traffic is decrypted and the website is loaded correctly with the certificate from Palo Alto.

But when an unknown user tries to open HTTPS, Palo Alto doesn't redirect him to the captive portal.

On the user station Wireshark shows:


user: connect website:443

PA: 200 connection established

user: Client Hello

PA: Server Hello

PA: Certificate

user: Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request

PA: Change Cipher Spec, Encrypted Handshake Message

user: Application Data (GET website)

PA: sometimes ACK.

After this Palo Alto sends RST to Squid and the client station (Chrome shows connection reset); sometimes communication just stops (the page loads forever).


PAN-OS 7.1.2


Tried this with user-squid-PA-Internet, the same problem.


Any idea why this happens?

Thank you for any help.



Cyber Elite

Out of curiosity do you actually have a captive portal profile built out?

I set up a captive portal browser-challenge rule, enabled captive portal with an SSL/TLS Service Profile and an Authentication Profile in redirect mode, enabled User Identification on the zone, and on the interface set up a management profile with Response Pages permitted.

I think that's all I need for captive portal.


After a few tests I discovered the problem occurs when HTTPS is tunneled. Maybe Palo Alto has a problem with decryption and redirection when HTTPS goes via another port, e.g. 8080.
