08-29-2021 11:42 PM
Hi All,
I have an issue where captive portal isn't working in Chrome 92.0.4515-159 and Edge 92.0.902.84 after updating to PAN OS 10.1.2. Captive portal is still working in IE 11 and Firefox 91.0.2 though.
Receiving the below error in Chrome and a similar error in Edge:
Has anyone come across this issue? It seems as though it may be a bug? Any ideas?
08-29-2021 11:53 PM
Further to that, I have tried the below command from the changes to default behavior doc from PAN, but it seems to be to no avail.
08-30-2021 08:43 PM
That is Chrome's new Captive Portal connection screen. If you click on Connect does it actually present the Captive Portal page or not?
08-30-2021 11:09 PM
@BPry It does not present the captive portal. I have further screenshots from the client in Edge, but the same behavior occurs in Chrome (see below).
Workflow is:
1. Browse to google in Chrome or Edge
2. Redirects to the page below (picture 1)
3. Click connect and get a new tab which is blank (picture 2)
In IE it redirects to the captive portal page.
In Firefox you get a pop-up warning about a security exception; once accepted, it redirects you to the captive portal.
I have also restarted the l3-service and cleared the browser cache. The decryption profile is only applied to some of the affected users, so I don't think that's an issue. I don't think it's a config issue, as it works in IE and Firefox.
09-01-2021 07:59 PM
I haven't had a chance to try to duplicate this on any of my 10.1.2 VMs. It could be a bug that got introduced in 10.1.2, but if it is I haven't seen any reports about it yet.
09-01-2021 10:28 PM
@BPry OK thanks, if you are able to test that would be much appreciated as I don't have access to a 10.1.2 VM. Is there anything else you can think of that may be causing this?
09-05-2021 06:37 PM
@BPry I also asked the client to disable QUIC, but this hasn't made a difference. Client also mentioned that in Chrome and Edge the authentication form used to pop up in a window rather than the graphical PAN login page. Pop ups aren't being blocked by Chrome or Edge, but the issue remains.
Ran the below command while browsing to the captive portal from Chrome and received the below:
admin@firewall(active)> tail follow yes mp-log l3svc_ngx_error.log
2021/08/30 10:29:39 [alert] 21732#0: setrlimit(RLIMIT_NOFILE, 100000) failed (1: Operation not permitted)
2021-08-30 10:29:47.203 +1000 sysd worker[0]: ffe1980110: starting up...
2021-08-30 10:29:47.204 +1000 sysd worker[0]: ffe1980110: starting up...
2021/08/30 10:29:39 [alert] 21731#0: nginx connected to sysd! SUCCESS
2021/08/30 10:29:39 [alert] 21732#0: nginx connected to sysd! SUCCESS
2021-08-30 10:29:49.229 +1000 nginx worker process 21732, slot 1
2021-08-30 10:29:49.231 +1000 nginx worker process 21731, slot 0
2021/09/01 08:49:11 [error] 21731#0: *146400 directory index of "/var/html/" is forbidden, client: ::ffff:10.120.200.68, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
2021/09/01 08:49:18 [error] 21731#0: *146400 directory index of "/var/html/" is forbidden, client: ::ffff:10.120.200.68, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
2021/09/03 10:52:09 [error] 21732#0: *298567 directory index of "/var/html/" is forbidden, client: ::ffff:10.140.200.8, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
I am also seeing this error in the log I got from the TSF file. Any ideas?
Error: pan_compare_hmac(panos_addons/pan_l3svc_utils.c:2068): hmac is different!
2021-08-25 10:30:30.776 +1000 Error: pan_parse_bc_params(panos_addons/pan_l3svc_utils.c:2520): hmac is different return NGX ERROR!
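A way to summarise the two error signatures quoted in the post above, as an added example that is not part of the thread and is not Palo Alto Networks code: it counts nginx "directory index ... is forbidden" hits per client and tallies "hmac is different" errors by the function that reported them. The function name `triage` and the regular expressions are assumptions based only on the line shapes shown in the post; the sample is an excerpt of those lines.

```python
import re
from collections import defaultdict

# Excerpt of the log lines quoted in the post above, used as sample input.
SAMPLE_LOG = """\
2021/08/30 10:29:39 [alert] 21732#0: nginx connected to sysd! SUCCESS
2021-08-30 10:29:49.229 +1000 nginx worker process 21732, slot 1
2021/09/01 08:49:11 [error] 21731#0: *146400 directory index of "/var/html/" is forbidden, client: ::ffff:10.120.200.68, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
2021/09/01 08:49:18 [error] 21731#0: *146400 directory index of "/var/html/" is forbidden, client: ::ffff:10.120.200.68, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
2021/09/03 10:52:09 [error] 21732#0: *298567 directory index of "/var/html/" is forbidden, client: ::ffff:10.140.200.8, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
Error: pan_compare_hmac(panos_addons/pan_l3svc_utils.c:2068): hmac is different!
2021-08-25 10:30:30.776 +1000 Error: pan_parse_bc_params(panos_addons/pan_l3svc_utils.c:2520): hmac is different return NGX ERROR!
"""

# nginx error-log shape: "YYYY/MM/DD HH:MM:SS [level] pid#tid: [*conn ]message"
NGINX_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[(?P<level>\w+)\] \d+#\d+: "
    r"(?:\*\d+ )?(?P<msg>.*)$"
)
# Addon shape: "[timestamp ]Error: func(file:line): message"; timestamp may be absent.
PAN_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4} )?"
    r"Error: (?P<func>\w+)\((?P<src>[^)]+)\): (?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"client: ([0-9a-fA-F:.]+)")


def triage(log_text):
    """Return (forbidden-index hits per client, hmac mismatches per function)."""
    forbidden = defaultdict(int)
    hmac_errors = defaultdict(int)
    for line in log_text.splitlines():
        m = NGINX_RE.match(line)
        if m:
            if m["level"] == "error" and "directory index of" in m["msg"]:
                client = CLIENT_RE.search(m["msg"])
                if client:
                    ip = client.group(1)
                    # Show IPv4-mapped IPv6 addresses as plain IPv4.
                    if ip.startswith("::ffff:"):
                        ip = ip[len("::ffff:"):]
                    forbidden[ip] += 1
            continue
        m = PAN_RE.match(line)
        if m and "hmac is different" in m["msg"]:
            hmac_errors[m["func"]] += 1
    return dict(forbidden), dict(hmac_errors)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
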
09-15-2021 02:09 AM
I just recently had PAN TAC check this.
Apparently you need to disable the token for captive portal via CLI.
configure
set deviceconfig setting captive-portal disable-token yes
Hope it helps
09-15-2021 07:13 PM
Thanks @Nikko.Junia I had already tried that, but unfortunately to no avail. Did you have to do anything further after running that command?
@BPry I have also discovered that the client was using NTLM in PAN OS 9.1, which has been deprecated in 10.0 and above, so their NTLM config was blown away after the update, as they were not aware. They are now trying to implement Kerberos SSO. I performed a packet capture while they browsed to the captive portal and can see the below S2C flow in Wireshark, so am thinking this could be part of the issue. Are there any specific browser settings required for Kerberos SSO to work?
09-15-2021 07:22 PM
Before doing the command, PAN TAC advised that since service route was going through the management interface, they advised me to enable User-ID in the MGT interface, but unfortunately, still the same issue. Then comes the command to disable the token in the Captive Portal and it worked.
09-16-2021 06:18 PM
Thanks @Nikko.Junia, so you can confirm that Chrome/Edge work with captive portal in PAN OS 10.1.2?
09-23-2021 10:27 PM
@Nikko.Junia @BPry turns out the below command hadn't been run successfully by the client. I logged in and ran it, to triple check, and the issue is now resolved.
>configure
#set deviceconfig setting captive-portal disable-token
#commit
10-17-2021 03:16 AM
Nice! It seems that other captive portals like Cisco Wi-Fi ones have this issue with the new Edge and Chrome, as I was thinking it was GlobalProtect VPN having issues but it is not.
11-12-2021 05:49 PM
Hi Team,
After implementing the below command, do we need to reboot the firewall?
>configure
#set deviceconfig setting captive-portal disable-token
#commit
I had upgraded the device recently to 10.1.0 and am facing the same issue even after running the above command.
Any thoughts on this?
 
					
				
				
			
		

