Captive Portal for Corporate devices

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Captive Portal for Corporate devices

L0 Member

We have recently upgraded our HA firewall cluster (PA-3020) from 7.1.22 to 9.1.6 following the suggested upgrade path by PA.

We have captive portal in place, before the upgrade, all our corporate windows 10 laptops as soon as we power them on, they used to connect to our corporate Wi-Fi and allowed users to login as per normal.

Since the time we have upgraded the PAN-OS to 9.1.6, corporate laptops are not connecting to our desired wireless network straight away, there is a warning message on Wi-Fi network icon and it says "action needed", when we click on this, it gives an option to connect to that wireless network and then it goes ahead and connects.

 

We expect all our corporate devices to connect to our wireless network without having to go through this.

 

Could anyone suggest on this please? 

3 REPLIES 3

Cyber Elite
Cyber Elite

@UHL,

This isn't a function of the firewall, it's a function of Windows NLA and NCSI. Make sure that Windows can actually complete the connectivity tests to msftconnecttest or go through and disable NCSI probing.

@BPry 

Thanks for your response.

Yes, yesterday we did try disabling NCSI and NLA (active probing for internet) on one of the test laptop by editing the registry settings and that works good.

 

However, we would like to know if there is any way on Palo Alto we could get this working without being modifying the settings on all laptops

Also, I believe there is some difference to PAN-OS 7.1.22 compared to 9.1.6 in terms of behavior of the captive portal, as with 7.1.22 we used to have the laptops working without being NLA and NCSI disabled.

 

Any thoughts on this will be really helpful

 

@UHL,

That's where the second part of my above post comes in. You haven't been getting content updates for a while, so when you upgraded to 9.1 its possible your allowed app-ids changed and Windows can no longer pass a connectivity check. Make sure that Windows can actually perform a connectivity test prior to signing into the portal, because if it thinks your SSID has absolutely no internet access you'll get this prompt. 

  • 2064 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!