Captive portal not working in Chrome and Edge after updating to PAN OS 10.1.2


L4 Transporter

Hi All,

I have an issue where captive portal isn't working in Chrome 92.0.4515-159 and Edge 92.0.902.84 after updating to PAN OS 10.1.2. Captive portal is still working in IE 11 and Firefox 91.0.2 though.

Receiving the below error in Chrome and a similar error in Edge:

CaptivePortal.PNG

Has anyone come across this issue? It seems as though it may be a bug? Any ideas?

18 REPLIES 18

Cyber Elite

@Ben-Price,

I haven't had a chance to try to duplicate this on any of my 10.1.2 VMs. It could be a bug that got introduced in 10.1.2, but if it is I haven't seen any reports about it yet. 

L4 Transporter

@BPry OK thanks, if you are able to test that would be much appreciated as I don't have access to a 10.1.2 VM. Is there anything else you can think of that may be causing this?

L4 Transporter

@BPry I also asked the client to disable QUIC, but this hasn't made a difference. Client also mentioned that in Chrome and Edge the authentication form used to pop up in a window rather than the graphical PAN login page. Pop ups aren't being blocked by Chrome or Edge, but the issue remains.

Ran the below command while browsing to the captive portal from Chrome and received the below:

 

admin@firewall(active)> tail follow yes mp-log l3svc_ngx_error.log
2021/08/30 10:29:39 [alert] 21732#0: setrlimit(RLIMIT_NOFILE, 100000) failed (1: Operation not permitted)
2021-08-30 10:29:47.203 +1000 sysd worker[0]: ffe1980110: starting up...
2021-08-30 10:29:47.204 +1000 sysd worker[0]: ffe1980110: starting up...
2021/08/30 10:29:39 [alert] 21731#0: nginx connected to sysd! SUCCESS
2021/08/30 10:29:39 [alert] 21732#0: nginx connected to sysd! SUCCESS
2021-08-30 10:29:49.229 +1000 nginx worker process 21732, slot 1
2021-08-30 10:29:49.231 +1000 nginx worker process 21731, slot 0
2021/09/01 08:49:11 [error] 21731#0: *146400 directory index of "/var/html/" is forbidden, client: ::ffff:10.120.200.68, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
2021/09/01 08:49:18 [error] 21731#0: *146400 directory index of "/var/html/" is forbidden, client: ::ffff:10.120.200.68, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"
2021/09/03 10:52:09 [error] 21732#0: *298567 directory index of "/var/html/" is forbidden, client: ::ffff:10.140.200.8, server: , request: "GET / HTTP/1.1", host: "captiveportal.local:6082"

 

I am also seeing this error in the log I got from the TSF file. Any ideas?

Error: pan_compare_hmac(panos_addons/pan_l3svc_utils.c:2068): hmac is different!
2021-08-25 10:30:30.776 +1000 Error: pan_parse_bc_params(panos_addons/pan_l3svc_utils.c:2520): hmac is different return NGX ERROR!

L0 Member

I just recently had PAN TAC check this.

Apparently you need to disable the token for captive portal via CLI.

configure

set deviceconfig setting captive-portal disable-token yes

Hope it helps

L4 Transporter

Thanks @Nikko.Junia I had already tried that, but unfortunately to no avail. Did you have to do anything further after running that command?

@BPry I have also discovered that the client was using NTLM in PAN OS 9.1 which has been deprecated in 10.0 and above, so their NTLM config was blown away after the update, as they were not aware. They are now trying to implement Kerberos SSO. I performed a packet capture while they browsed to the captive portal and can see the below S2C flow in Wireshark, so am thinking this could be part of the issue. Are there any specific browser settings required for Kerberos SSO to work?

BenPrice_0-1631758015945.png

 
