Captive Portal is not presented for wireless users

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Captive Portal is not presented for wireless users

L6 Presenter

Hello All,

 

PA3020

PAN-OS 7.1.4-h2

 

Having a strange issue with Captive Portal on PA3020  where the captive portal just suddenly has stopped working. Did a management server restart, tested with the PC directly connected into the Guest-VLAN over the wire received a CP page and was able to surf the internet. Same VLAN on the other location (different building but same subnet),  same VLAN but this time mobile phone wirelessly no joy. CP URL can be resolved to the correct PA IP address but the page just not appearing (not presented by PA) so l cannot type username /password hence the user is unknown and no network/internet access. Where do l look for the logs in the tech support file? 

 

Can see some of the issues have been resolved in the next release but not sure if l am hitting one of the below bugs:

 

CP1.PNGCP2.PNGCP3.PNGCP4.PNG

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes/pan-os-7-1-5-addressed...

 

 

Thx,

Myky

1 accepted solution

Accepted Solutions

L6 Presenter

FYI @Raido_Rattameister

 

Was interesting one 🙂 But the issue was quite obvious. Palo is configured as syslog listener. It receives a syslog messages from the Kiwi syslog server (fed by Aerohive APs, 120 in total I think).  With TAC from the PCAP we could see that the unknown user is coming from the Kiwi as "username= no" syslog string but the Palo  syslog parser was mapping that user to "n". So in the end all users were mapped as "domain\n" username hence no CP was presented (as all users have ip addresses). Initially, we have configured ignore user with "domain\n", that didn't work (unknown users mapping time out still was refreshing by syslogs). Took off the domain and left an "n" only and that worked:

 

N.PNG

 

Thanks all for the help

 

EDIT: Upgrade device to the 7.1.9 didn't help

View solution in original post

12 REPLIES 12

Cyber Elite
Cyber Elite

Hey can you take laptop that works in first building to other one and see the result.

 

Some apps can interrupt captive portal. For example Skype and Dropbox.

 

If Skype is installed into device it sends constantly HTTP GET requests out.

Captive portal replies with 302 redirect every now and then because it does not like clients who DoS it.

And if you open browser it is rare occation that HTTP GET that got sent out by browser get's 302 to captive portal site.

 

Other thing is that if you don't decrypt SSL and user tries to load site over https then captive portal will not trigger etc.

 

So take laptop to other building and run Wireshark and compare output with packet capture taken on firewall.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

You can exclude those prolematic apps from Captive Portal.

Create custom URL category and exclude this category from Captive portal.

I think that in case of skype address was conn.ckype.com

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

@Raido_Rattameister thanks for the response

 

I was thinking about the PCAP, at least from the firewall side (in case l am trying with a mobile phone). I am just thinking if the CP presented by PA will l be able to see some traffic triggered from the phone (should do actually)...

 

Again all was working fine just suddenly stopped working 😄 (l don't like such situations). l also checked config audit on PA no changes were observed during the last month. 

 

What do you think about the bugs mentioned above? 

Yeah might be some bug if just stopped working. Last 2 for example in your list.

If it is not 24/7 environment then maybe can reboot box during offhours to save troubleshooting time.

 

If not then jump into logs.

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-Captive-Portal/ta-p/529...

 

If you decide to reboot firewall then always generate tech support file BEFORE reboot to save pre-reboot firewall state for TAC.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

@Raido_Rattameister l will check the logs. Have generated 2 tech support files before and after mgmt server restart so have some material to check for tomorrow morning. Thanks for article

L6 Presenter

@Raido_Rattameister  l cannot even locate the file:

 

> less mp-log appweb3-l3svc.log

 

Strange issue. Today did another test.  l was connected to the wifi with the same test PC, it is open SSID network without the authentication. So once l connected l can access resources locally and even withing the different zone where no auth required. Trying access the internet, the policy has a user-id enable with CP. Opening google.com,  dns works fine, traffic logs shows that the client is sending some bytes/packets to the Palo interface (Palo interface configured a CP portal as well as the default gateway for the clients). 0 packets sent back to the client, and PCAP shows all traffic is dropped. 

 

Then another test manually typing a CP URL into the Chrome as below:

 

http://guestportal.xxx
https://guestportal.xxx
http://10.128.32.1
https://10.128.32.1

none of the above work

 

CP.PNG

 

 

But l was suddenly redirected  when l typed random URL but this time l used 6082 port number:

 

https://guestportal.xxxx:6082/php/uid.php?vsys=1&url=http://www.bing.com%2fsearch%3fq%3dwireshark%26...

 

So Captive Portal has appeared and l was able to input my username/password and successfully was able to browse the internet. For some reasons, http and https requests are not getting redirected to the Captive Portal:

 

syn.PNG

 

Any thoughts guys?

 

Thx,

Myky

Just a wild guess - security policy drops traffic.

First policy shows client sending SYN out but nothing coming back.

For captive portal to work 3way handshake SYN, SYN ACK, ACK must complete to get to HTTP GET step.

 

Compare what traffic policy mathes when traffic is dropped and what policy it matches when you go to this random url that kicks in CP action.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L6 Presenter

@Raido_Rattameister thanks for the suggestions. Currently logged with TAC. Will post update later 

L6 Presenter

FYI @Raido_Rattameister

 

Was interesting one 🙂 But the issue was quite obvious. Palo is configured as syslog listener. It receives a syslog messages from the Kiwi syslog server (fed by Aerohive APs, 120 in total I think).  With TAC from the PCAP we could see that the unknown user is coming from the Kiwi as "username= no" syslog string but the Palo  syslog parser was mapping that user to "n". So in the end all users were mapped as "domain\n" username hence no CP was presented (as all users have ip addresses). Initially, we have configured ignore user with "domain\n", that didn't work (unknown users mapping time out still was refreshing by syslogs). Took off the domain and left an "n" only and that worked:

 

N.PNG

 

Thanks all for the help

 

EDIT: Upgrade device to the 7.1.9 didn't help

Thanks for update.

I would guess Monitor > Traffic marked "domain\n" correctly as Source user in logs during this issue?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Yes, it was mapped "correctly" for the different IPs with the same username "domain\n". 

Can you shoot me a how-to to get Kiwi working with the script Aerohive says works with Palo's API? I've been beating my head against the wall for some time now and cannot get kiwi to send the log to the Palo.

  • 1 accepted solution
  • 6225 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!