Captive Portal in 4.0 is abnormal when PC running Win7 is updated


Hi,

I just want to know whether anyone has had the same experience.

My customer's device was running PAN-OS 4.0.10, using Captive Portal, and working normally.

But in recent days their PCs were updating, and then they could not open the Captive Portal page normally.

I cannot find any strange event or log in System Logs, Counters, or other records.

Please tell me how to troubleshoot it or fix it if anyone knows how to do it.

Deeply Appreciated,

Sample Wu


Note:

The device is upgrading to 4.1.8 and the situation is the same.

The situation is shown in Win7 and WinXP, not only Win7.

The browsers in use are IE, Chrome, and Firefox, but the problem is only shown on IE.

We found the problem is shown when the PC updates Microsoft's patch files.

If we remove it, the problem is gone.

Just adding this reference info, please help us.

Thanks,

Sample Wu

Could you please explain what you mean by "could not open the Captive Portal page normal"? Do you get a certificate error page and cannot go forward? Or what do you see instead of the Captive Portal page? You said it was working fine and the problem occurs when you update the patch.

1. Are there any spaces in the name of the certificate that you are using for Captive Portal?

2. Also, under Internet Options > Advanced, go ahead and enable TLS 1.1, then Apply and OK, and see if that makes a difference. Thanks


Dear ssharma,

Additional information,

The patch causing this problem is KB2736233. FYI!

Best Regards.

Eugene Tsai

At first I thought it could perhaps be that you use 1024 or lower for your SSL/TLS traffic which Microsoft has announced previously they would quit support for (I think SSL/TLS must be 2048 or higher from now on).

But looking at Microsoft Security Advisory (2736233): Update Rollup for ActiveX Kill Bits it only mentions:

"

Microsoft is releasing a new set of ActiveX kill bits with this advisory.

This update sets the kill bits for the following third-party software:

  • Cisco Secure Desktop. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco Secure Desktop ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.
  • Cisco Hostscan. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco Hostscan ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.
  • Cisco AnyConnect Secure Mobility Client. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco AnyConnect Secure Mobility Client ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.

"

Thanks,

The root cause is KB2661254, and the user has only a 1024-bit certificate for Captive Portal.

Thanks a lot!

Eugene Tsai

Nice that it got resolved 🙂

For future reference:

http://technet.microsoft.com/en-us/security/advisory/2661254

"

Microsoft Security Advisory (2661254)

Update For Minimum Certificate Key Length

Published: Tuesday, August 14, 2012 | Updated: Tuesday, October 09, 2012

Version: 2.0

General Information

Executive Summary

Microsoft is announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length. The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Note This update impacts applications and services that use RSA keys for cryptography and call into the CertGetCertificateChain function. These applications and services will no longer trust certificates with RSA keys less than 1024 bits in length. Examples of impacted applications and services include but are not limited to encrypted email, SSL/TLS encryption channels, signed applications, and private PKI environments. Certificates that use cryptographic algorithms other than RSA are not affected by this update. For more information about applications and services impacted by this update, see Microsoft Knowledge Base Article 2661254.

The update is available on the Download Center as well as the Microsoft Update Catalog for all supported releases of Microsoft Windows. In addition, as of October 9, 2012, this update is offered via automatic updating and through the Microsoft Update service.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information.

Known Issues. Microsoft Knowledge Base Article 2661254 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.

"
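As an added example (not from the thread, Palo Alto Networks or Microsoft): a standard-library Python check that reads the RSA modulus length from a DER-encoded certificate, the property this thread identifies as the root cause. `constructed_cert` builds an unsigned, constructed certificate skeleton for demonstration only, and all function names are this example's own.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(cert_der):
    """Bit length of the RSA modulus in a DER X.509 certificate, None if not RSA."""
    _, pos, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)        # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    pos = end if tag == 0xA0 else pos          # skip optional [0] version
    for _ in range(5):                         # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, pos, _ = read_tlv(cert_der, pos)        # SubjectPublicKeyInfo SEQUENCE
    _, alg, alg_end = read_tlv(cert_der, pos)  # AlgorithmIdentifier
    _, oid, oid_end = read_tlv(cert_der, alg)
    if cert_der[oid:oid_end] != RSA_OID:
        return None
    _, bitstr, _ = read_tlv(cert_der, alg_end)  # BIT STRING subjectPublicKey
    _, key, _ = read_tlv(cert_der, bitstr + 1)  # skip unused-bits byte, RSAPublicKey
    _, mod, mod_end = read_tlv(cert_der, key)   # INTEGER modulus
    return int.from_bytes(cert_der[mod:mod_end], "big").bit_length()

def key_too_short(cert_der, minimum_bits):
    """True when the certificate carries an RSA key below minimum_bits."""
    bits = rsa_modulus_bits(cert_der)
    return bits is not None and bits < minimum_bits

def tlv(tag, content):
    """DER-encode one element (used only to build the constructed sample)."""
    size = len(content)
    if size < 0x80:
        return bytes([tag, size]) + content
    raw = size.to_bytes((size.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def constructed_cert(bits):
    """Constructed, unsigned certificate skeleton with a `bits`-bit RSA modulus."""
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = tlv(0x30, tlv(0x02, n) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + key))
    empty = tlv(0x30, b"")  # placeholder for sigAlg, issuer, validity, subject
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 4 + spki
    return tlv(0x30, tlv(0x30, tbs) + empty + tlv(0x03, b"\x00"))
```

For a real certificate, convert PEM to DER with `ssl.PEM_cert_to_DER_cert` before calling `rsa_modulus_bits`, and pass the minimum your clients enforce as `minimum_bits`.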
