Captive portal URL not working when accessed from inside zone


L4 Transporter

I have configured Captive Portal with MFA and it works fine when the user traffic originates from the Untrust side of the firewall. When the URL "https://<firewall name>:6082/php/uid.php?vsys=1&rule=0" is accessed from one of the internal zones (e.g. Trust), it does not work. I have user-identification enabled on all zones.

 

User from outside of firewall -> captive portal URL on untrust interface -> [Works fine]

User from inside of firewall -> trust -> captive portal URL on untrust interface [Does not work]. Ping works fine.

 

I tried packet capture and could only see SYN packets. Ping works fine. The firewall is also configured to allow non-syn tcp. There is no return traffic or 0 bytes for the traffic received. Intra-zone and security policies are configured to allow as well. Packet capture shows drop file created with SYN packets only.

 

No NAT involved. All internal configuration.

 

Any suggestion?

Accepted Solutions

L4 Transporter

I managed to resolve the issue. The untrust interface had the "Response Pages" option enabled in the interface mgmt. profile. The option is required for the Captive Portal redirection to work. It worked fine for all external users. Since in this case the traffic originated from inside the firewall zone, the inside zone was hit first. I had to update the interface mgmt profile applied to the inside interface and enable "Response Pages". This helped systems from the inside zone to hit the captive portal page.


4 REPLIES

L5 Sessionator

Is there a chance the browser is using DNS over HTTPS? DoT we can see into if decrypted, but many browsers default to DoH nowadays and I've fixed a few website resolution issues from internal zones this way. 

Help the community! Add tags and mark solutions please.

L0 Member

I have the same problem as you and have opened a ticket (Case 01900506).
A solution to the problem is still pending.

L4 Transporter

@LAYER_8 Please check the accepted solution I posted.
