I have an issue where captive portal isn't working in Chrome 92.0.4515-159 and Edge 92.0.902.84 after updating to PAN OS 10.1.2. Captive portal is still working in IE 11 and Firefox 91.0.2 though.
Receiving the below error in Chrome and a similar error in Edge:
Has anyone come across this issue? It seems as though it may be a bug? Any ideas?
@BPry It does not present the captive portal. I have further screenshots from the client in Edge, but the same behavior occurs in Chrome (see below).
1. Browse to google in Chrome or Edge
2. Redirects to the page below (picture 1)
3. Click connect and get a new tab which is blank (picture 2)
In IE it redirects to the captive portal page.
In Firefox you get a pop-up warning about a security exception; once accepted, it redirects you to the captive portal.
I have also restarted the l3-service and cleared browser cache. Decryption profile is only applied to some of the affected users, so don't think that's an issue. Don't think it's a config issue as it works in IE and Firefox.
@BPry I also asked the client to disable QUIC, but this hasn't made a difference. Client also mentioned that in Chrome and Edge the authentication form used to pop up in a window rather than the graphical PAN login page. Pop-ups aren't being blocked by Chrome or Edge, but the issue remains.
Ran the below command while browsing to the captive portal from Chrome and received the below:
admin@firewall(active)> tail follow yes mp-log l3svc_ngx_error.log
2021/08/30 10:29:39 [alert] 21732#0: setrlimit(RLIMIT_NOFILE, 100000) failed (1: Operation not permitted)
2021-08-30 10:29:47.203 +1000 sysd worker: ffe1980110: starting up...
2021-08-30 10:29:47.204 +1000 sysd worker: ffe1980110: starting up...
2021/08/30 10:29:39 [alert] 21731#0: nginx connected to sysd! SUCCESS
2021/08/30 10:29:39 [alert] 21732#0: nginx connected to sysd! SUCCESS
2021-08-30 10:29:49.229 +1000 nginx worker process 21732, slot 1
2021-08-30 10:29:49.231 +1000 nginx worker process 21731, slot 0
2021/09/01 08:49:11 [error] 21731#0: *146400 directory index of "/var/html/" is forbidden, client: ::ffff:10.120.200.68, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
2021/09/01 08:49:18 [error] 21731#0: *146400 directory index of "/var/html/" is forbidden, client: ::ffff:10.120.200.68, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
2021/09/03 10:52:09 [error] 21732#0: *298567 directory index of "/var/html/" is forbidden, client: ::ffff:10.140.200.8, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
I am also seeing this error in the log I got from the TSF file. Any ideas?
Error: pan_compare_hmac(panos_addons/pan_l3svc_utils.c:2068): hmac is different!
2021-08-25 10:30:30.776 +1000 Error: pan_parse_bc_params(panos_addons/pan_l3svc_utils.c:2520): hmac is different return NGX ERROR!
Thanks @Nikko.Junia I had already tried that, but unfortunately to no avail. Did you have to do anything further after running that command?
@BPry I have also discovered that the client was using NTLM in PAN OS 9.1 which has been deprecated in 10.0 and above, so their NTLM config was blown away after the update, as they were not aware. They are now trying to implement Kerberos SSO. I performed a packet capture while they browsed to the captive portal and can see the below S2C flow in Wireshark, so am thinking this could be part of the issue. Are there any specific browser settings required for Kerberos SSO to work?
Before doing the command, PAN TAC advised that since the service route was going through the management interface, they advised me to enable User-ID in the MGT interface, but unfortunately, still the same issue. Then comes the command to disable the token in the Captive Portal and it worked.
After implementing the below command, do we need to reboot the firewall?
#set deviceconfig setting captive-portal disable-token
I had upgraded the device recently to 10.1.0 and am facing the same issue even after running the above command.
Any thoughts on this?