Captive Portal in 4.0 is abnormal when PC running Win7 is updated

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Captive Portal in 4.0 is abnormal when PC running Win7 is updated

L4 Transporter

Hi,

I just want to know that there is anyone have the same experience ?

My customer's device was running PANOS 4.0.10, using Captive Portal, and working normal.

But, in the recent days, their PCs was updating then they could not open the Captive Portal page normal.

I cannot find any strange event or log in System Logs, Counters, or other records.

Please tell me how to troubshoot it or fix it if anyone know how to do it.

Deeply Appreciated,

Sample Wu

1 accepted solution

Accepted Solutions

Thanks ,

The root cause is KB2661254 and user has a certificate only 1024 bit for Captive Portal.

Thanks a lot!

Eugene Tsai

View solution in original post

6 REPLIES 6

L4 Transporter

Note :

The device is upgradeing to 4.1.8 and the situation is the same.

The situation are shown in Win7 and WInXP, not only Win7.

The browser are using IE, Chrome, and FireFox, but the problem is only shown on IE.

We found the problem is shown when the PC update the Microsoft's patch files.

If we remove it, the problem is gone.

Just add thei reference info, please help us.

Thanks,

Sample Wu

Could you please explain what do you mean by "could not open the Captive Portal page normal". Would you get certificate error page and can not go forward? Or what do you see instead of Captive portal Page. You said it was working fine and problem occurs when you update the patch.

1. Are there any spaces in the name of the certificate that you are using for Captive Portal?

2. Also under internet options Advanced go ahead and enable TLS 1.1, Apply, Ok and see if that make difference ? Thanks

tls_1.1.PNG

Dear ssharma,

Additional information,

The patch cause this problem is KB2736233. fyi!

Best Regards.

Eugene Tsai

At first I thought it could perhaps be that you use 1024 or lower for your SSL/TLS traffic which Microsoft has announced previously they would quit support for (I think SSL/TLS must be 2048 or higher from now on).

But looking at Microsoft Security Advisory (2736233): Update Rollup for ActiveX Kill Bits it only mentions:

"

Microsoft is releasing a new set of ActiveX kill bits with this advisory.

This update sets the kill bits for the following third-party software:

  • Cisco Secure Desktop. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco Secure Desktop ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.
  • Cisco Hostscan. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco Hostscan ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.
  • Cisco AnyConnect Secure Mobility Client. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco AnyConnect Secure Mobility Client ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.

"

Thanks ,

The root cause is KB2661254 and user has a certificate only 1024 bit for Captive Portal.

Thanks a lot!

Eugene Tsai

Nice that it got resolved 🙂

For future reference:

http://technet.microsoft.com/en-us/security/advisory/2661254

"

Microsoft Security Advisory (2661254)

Update For Minimum Certificate Key Length

Published: Tuesday, August 14, 2012 | Updated: Tuesday, October 09, 2012

Version: 2.0

General Information

Executive Summary

Microsoft is announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length. The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Note This update impacts applications and services that use RSA keys for cryptography and call into the CertGetCertificateChain function. These applications and services will no longer trust certificates with RSA keys less than 1024 bits in length. Examples of impacted applications and services include but are not limited to encrypted email, SSL/TLS encryption channels, signed applications, and private PKI environments. Certificates that use cryptographic algorithms other than RSA are not affected by this update. For more information about applications and services impacted by this update, see Microsoft Knowledge Base Article 2661254.

The update is available on the Download Center as well as the Microsoft Update Catalog for all supported releases of Microsoft Windows. In addition, as of October 9, 2012, this update is offered via automatic updating and through the Microsoft Update service.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information.

Known Issues. Microsoft Knowledge Base Article 2661254 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.

"

  • 1 accepted solution
  • 3177 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!