05-22-2014 07:19 AM
Hello,
I have successfully configured a captive portal with NTLM authentication for User-ID and users are successfully authenticating using NTLM, but right after that they are stuck in a redirect loop on the following page:
User Authentication in Process
The original web page you requested will load when the authentication process completes.
Click here if the page does not load automatically.
Authentication Method: NTLM
I've seen the knowledge base article for a similar problem, but I have enabled User-ID on both inside and outside interfaces (tried only on Inside as well) and it still does not help.
Any ideas?
I can see that users are mapped to an IP once they open the first page, but they are still stuck in the loop:
admin@PA-2050-1(active)> show user ip-user-mapping ip 10.XX.YY.169
IP address: 10.183.224.169 (vsys1)
User: xy1\snikolov
From: NTLM
Idle Timeout: 900s
Max. TTL: 3590s
Groups that the user belongs to (used in policy)
Group(s): cn=bg-sg tytyusers,ou=groups,ou=bg,dc=go1,dc=rtrt,dc=tyty,dc=com
05-22-2014 08:40 AM
Hello Blazarov,
Captive Portal Behavior
Captive portal will only be triggered by a session that matches the following criteria:
1) There is no user data for the source IP of the session
2) The session is HTTP traffic
3) The session matches a Captive Portal policy on the firewall
Captive Portal Redirect Steps
1) Web traffic from unknown IP that matches Web Form CP Policy
2) Traffic Redirected to L3 Interface
3) Firewall requests credentials
- At the same time, the firewall allocates a cookie value (note that during first-time allocation of the cookie, a "Get Cookie and didn't find cookie" log message will appear in appweb3-l3svc.log if "debug l3svc on debug" is turned on)
- Browser will save this cookie
For example, in Firefox under Preferences > Privacy > Firefox will: Use custom settings for history > Show cookies > Site (Cookie Name: PHPSESSID)
The PHPSESSID is the same value the PA Firewall uses to check for the session cookie if Captive Portal Session Cookie is enabled.
- Once the user-ip-mapping on the PA firewall times out or is cleared manually, Steps 1 - 2 will be repeated. Because of the cookie, Steps 3 - 4 won't be necessary.
- In the event that the cookie is not present on the browser for some reason, like a corrupt cookie file, the client won't be presented the Captive Portal Login Page because the firewall is still attempting to use the previous cookies. Manually removing the cookies on the browser might help.
4) Firewall authenticates user
5) User mapped and redirected to original address
Link below might be helpful
http://support.mozilla.org/en-US/kb/fix-login-issues-on-websites-require-passwords
Please try "Remove corrupt cookies file" on your test workstation to check if this will help.
Thanks
05-23-2014 03:09 AM
UPDATE:
Today we tried it with Mozilla and it works just fine.
So it must be something in the IE security settings. Tried clearing all cookies and browsing history in IE - does not help. Tried with IE10 and IE11 - same issue.
Can someone guide me as to which security settings might cause such an issue - successful NTLM auth, therefore successful IP-to-user mapping in PA, but still a redirect loop after that?