08-23-2021 10:22 AM - edited 08-23-2021 11:04 AM
I have configured Captive Portal with MFA and it works fine when the user traffic originates from the Untrust side of the firewall. When the URL "https://<firewall name>:6082/php/uid.php?vsys=1&rule=0" is accessed from one of the internal zones (e.g. Trust), it does not work. I have user-identification enabled on all zones.
User from outside of firewall -> captive portal URL on untrust interface -> [Works fine]
User from inside of firewall -> trust -> captive portal URL on untrust interface [Does not work]. Ping works fine.
I tried a packet capture and could only see SYN packets. Ping works fine. The firewall is also configured to allow non-SYN TCP. There is no return traffic (0 bytes received). Intra-zone and security policies are configured to allow as well. The packet capture shows a drop file created with SYN packets only.
No NAT involved. All internal configuration.
Any suggestion?
09-07-2021 11:17 AM
I managed to resolve the issue. The untrust interface had the "Response Pages" option enabled in its interface management profile. The option is required for the Captive Portal redirection to work. It worked fine for all external users. Since in this case the traffic originated from inside the firewall, the inside zone was hit first. I had to update the interface management profile applied to the inside interface and enable "Response Pages" there. This allowed systems in the inside zone to reach the captive portal page.
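The fix above, written out as PAN-OS CLI "set" commands. This is an added example, not configuration posted in the thread or taken from Palo Alto Networks documentation; the profile name cp-response-pages and the interface ethernet1/2 (the interface in the Trust zone) are assumptions chosen for illustration. The point it makes explicit is the one the solution hinges on: the response-page listener (the :6082 redirect) answers on the interface the client's SYN arrives on, so the management profile of the ingress interface is what matters, not the interface whose name is in the URL.

```panos
# Added example (not from the thread). Names are assumptions:
#   cp-response-pages  - the interface management profile created here
#   ethernet1/2        - the layer3 interface in the Trust (inside) zone
configure

# Profile that enables only the Response Pages service; no ping/ssh/https
# management is opened on it, which keeps the exposed surface minimal.
set network profiles interface-management-profile cp-response-pages response-pages yes

# Attach it to the inside (ingress) interface. Without this, SYNs from Trust
# to <firewall>:6082 are dropped even though the untrust profile already
# has Response Pages enabled.
set network interface ethernet ethernet1/2 layer3 interface-management-profile cp-response-pages

commit
```

After the commit, repeat the check the original poster used: a packet capture filtered on TCP/6082 from a Trust host should now show the SYN/ACK and the redirect page instead of the SYN landing in the drop stage. Keep the profile separate from any profile that grants ping, SSH or HTTPS management, so that enabling the redirect on a user-facing interface does not also expose the management plane to that zone.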
08-23-2021 01:48 PM
Is there a chance the browser is using DNS over HTTPS? DoT we can see into if decrypted, but many browsers default to DoH nowadays, and I've fixed a few website resolution issues from internal zones this way.
08-24-2021 01:11 AM
I have the same problem as you and have opened a ticket (Case 01900506).
A solution to the problem is still pending.
09-07-2021 11:18 AM
@LAYER_8 Please check the accepted solution I posted.