Captive portal not working in Chrome and Edge after updating to PAN OS 10.1.2

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Captive portal not working in Chrome and Edge after updating to PAN OS 10.1.2

L4 Transporter

Hi All,

 

I have an issue where captive portal isn't working in Chrome 92.0.4515-159 and Edge 92.0.902.84 after updating to PAN OS 10.1.2. Captive portal is still working in IE 11 and Firefox 91.0.2 though.

 

Receiving the below error in Chrome and a similar error in Edge:

CaptivePortal.PNG

Has anyone come across this issue? It seems as though it may be a bug? Any ideas?

1 accepted solution

Accepted Solutions

L4 Transporter

@Nikko.Junia @BPry turns out the below command hadn't been run successfully by the client. I logged in and ran it, to triple check, and the issue is now resolved.

 

>configure

#set deviceconfig setting captive-portal disable-token

#commit

View solution in original post

18 REPLIES 18

L4 Transporter

Further to that I have tried the below from the command from the changes to default behavior doc from PAN but seems to be to no avail.

BenPrice_0-1630306258938.png

 

Cyber Elite
Cyber Elite

@Ben-Price,

That is Chrome's new Captive Portal connection screen. If you click on Connect does it actually present the Captive Portal page or not? 

@BPry It does not present the captive portal. I have a further screen shot's from the client in Edge, but the same behavior occurs in Chrome (see below). 

 

Workflow is:

1. Browse to google in Chrome or Edge

2. Redirects to the page below (picture 1)

3. Click connect and get a new tab which is blank (picture 2)

1.PNG

 

BenPrice_0-1630389454776.png

In IE it redirects to the captive portal page.

In Firefox you get a pop up warning about a security exception once accepted it redirects you to the captive portal.

 

I have also restarted the l3-service and cleared browser cache, decryption profile is only applied to some of the affected users, so don't think that's an issue. Don't think its a config issue as it works in IE and Firefox. 

 

 

L4 Transporter

@BPry Are you able to provide any further feedback here?

 

Thanks in advance.

Cyber Elite
Cyber Elite

@Ben-Price,

I haven't had a chance to try to duplicate this on any of my 10.1.2 VMs. It could be a bug that got introduced in 10.1.2, but if it is I haven't seen any reports about it yet. 

L4 Transporter

@BPry OK thanks, if you are able to test that would be much appreciated as I don't have access to a 10.1.2 VM. Is there anything else you can think of that may be causing this?

L4 Transporter

@BPry I also asked the client to disable QUIC, but this hasn't made a difference. Client also mentioned that in Chrome and Edge the authentication form used to pop up in a window rather than the graphical PAN login page. Pop ups aren't being blocked by Chrome or Edge, but the issue remains.

 

Ran the below command while browsing to the captive portal from Chrome and received the below:

 

admin@firewall(active)> tail follow yes mp-log l3svc_ngx_error.log
2021/08/30 10:29:39 [alert] 21732#0: setrlimit(RLIMIT_NOFILE, 100000) failed (1: Operation not permitted)
2021-08-30 10:29:47.203 +1000 sysd worker[0]: ffe1980110: starting up...
2021-08-30 10:29:47.204 +1000 sysd worker[0]: ffe1980110: starting up...
2021/08/30 10:29:39 [alert] 21731#0: nginx connected to sysd! SUCCESS
2021/08/30 10:29:39 [alert] 21732#0: nginx connected to sysd! SUCCESS
2021-08-30 10:29:49.229 +1000 nginx worker process 21732, slot 1
2021-08-30 10:29:49.231 +1000 nginx worker process 21731, slot 0
2021/09/01 08:49:11 [error] 21731#0: *146400 directory index of "/var/html/" is forbidden, client: ::ffff:10.120.200.68, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
2021/09/01 08:49:18 [error] 21731#0: *146400 directory index of "/var/html/" is forbidden, client: ::ffff:10.120.200.68, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
2021/09/03 10:52:09 [error] 21732#0: *298567 directory index of "/var/html/" is forbidden, client: ::ffff:10.140.200.8, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"

 

I am also seeing this error in the log I got from the TSF file. Any ideas?

 

Error: pan_compare_hmac(panos_addons/pan_l3svc_utils.c:2068): hmac is different!2021-08-25 10:30:30.776 +1000 Error: pan_parse_bc_params(panos_addons/pan_l3svc_utils.c:2520): hmac is different return NGX ERROR!

L0 Member

I jut recently had PAN TAC check this.

 

Apparently you need to disable the token for captive portal via CLI.

 

configure

set deviceconfig setting captive-portal disable-token yes

 

Hope it helps

L4 Transporter

Thanks @Nikko.Junia I had already tried that, but unfortunately to no avail. Did you have to do anything further after running that command?

@BPry I have also discovered that the client was using NTLM in PAN OS 9.1 which has been deprecated in 10.0 and above, so there NTLM config was blown away after the update, as they were not aware. They are now trying to implement Kerberos SSO. I performed a packet capture while they browsed to the captive portal and can see the below S2C flow in Wireshark, so am thinking this could be part of the issue. Is there any specific browser settings required for Kerberos SSO to work?

BenPrice_0-1631758015945.png

 

Before doing the command, PAN TAC advised that since service route was going through the management interface, they advised me to enable User-ID in the MGT interface but unfortunately, still the same issue . Then comes the command to disable the token in the Captive Portal and it worked.

L4 Transporter

Thanks @Nikko.Junia, so you can confirm that Chrome/Edge work with captive portal in PAN OS 10.1.2?

L4 Transporter

@Nikko.Junia @BPry turns out the below command hadn't been run successfully by the client. I logged in and ran it, to triple check, and the issue is now resolved.

 

>configure

#set deviceconfig setting captive-portal disable-token

#commit

L6 Presenter

Nice! It seems that other captive portals like Cisco Wi-Fi ones have this issue with the new edge and chrome as I was thinking it was Globalprotect VPN having issues but it is not.

L3 Networker

Hi Team,

 

After implementing the below command do we need to re-boot the firewall 

 

>configure

#set deviceconfig setting captive-portal disable-token

#commit

 

I had upgraded the device recently to 10.1.0 and facing the same issue even after running the above command.

 

Any thoughts on this.

 

@Nikko.Junia @Ben-Price 

  • 1 accepted solution
  • 13408 Views
  • 18 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!