Captive Web Portal isn't working as expected

L0 Member

We're a school and have just started implementing BYOD for our Students. Along with this is the requirement to authenticate the users on their BYOD devices so we can monitor and filter their web usage.

This is easily done with our PA-3050, or so we thought!

Our current setup is that our Student BYOD devices are in their own VLAN (known to the PA via the Zone of Wifi-Students).

These users have their own PPSK on our AeroHive Wireless which allows them access to the BYOD SSID.

While I have managed to get CWP and IP User Mapping to work (using https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id/map-ip-addresses-to-username...), I'm finding the user experience isn't brilliant.

On iOS devices, the user connects to the SSID and instantly iOS pops up a lightweight browser to show the CWP - except it doesn't. It just shows a blank screen with the message "Hotspot login could not open the page because the server stopped responding."

If the user closes the automatic window and selects "Continue without Internet" they are then able to open Safari (or Chrome) and access the CWP by browsing to a URL (bbc.co.uk for example).

This works fine. The user can authenticate against the domain and PA maps the User to the IP.

The problem is that the user experience is pretty poor.

I've tried solutions such as https://live.paloaltonetworks.com/t5/Management-Articles/Captive-Portal-Drops-the-Connection-for-iOS...

These just make the error message go away. This feels like a fudge rather than a fix.

I have a similar issue on Windows devices. Users can connect, but they get no notification that they're behind a CWP and need to authenticate. It's not until they try to use the internet through a browser that they see the CWP.

I know from personal experience in hotels that Windows 10 can detect a CWP and automatically open a browser, so I don't know why it's not doing it on our PA appliance.

In order to get CWP working as above I have set up the following...

  • One Loopback Interface (172.16.16.1) in the "Wifi-Students" zone as the interface for CWP requests. This has a mgmt profile with response pages enabled.
  • One Loopback Interface (172.16.16.2) in the "Untrust" zone to be used as a DNS Proxy.
  • One DNS Proxy using 172.16.16.2 configured with Google DNS (8.8.8.8/8.8.4.4) and one static entry for cwp.ourdomain.org.uk.
  • Under Device > User Identification > Captive Portal Settings I have enabled the CWP and set it to be in Redirect pointing to cwp.ourdomain.org.uk.
  • On the DHCP for the BYOD devices I have set the primary DNS to be the DNS Proxy (172.16.16.2).
  • Created a CWP Policy with an action of "web-form" for any traffic from any address in "Wifi-Students" to any address in "Untrust".

This works...mostly. However as mentioned, the user experience isn't the best. As we're dealing with 1400 students (and 300 staff eventually) I'd prefer there to be less manual work involved from the user - aside from logging in!

Hotels and Cafés are able to get iOS, Windows and Android to automatically display the Captive Portal, so it's possible. I just can't work out how to do it on Palo.

Has anyone managed to solve this?

Cyber Elite

Neither of these is an issue that PA can actually fix. The issue stems from the OS trying to mitigate MITM attacks, and therefore many of these CWP solutions no longer work correctly due to the lack of a security cert on the device. iOS's login page is served by WebKit and this will not load a page with a non-trusted cert, while Safari gives them an option to bypass this issue.

Windows is a little different in the manner that it won't ever show the notification about needing to sign in if you are again running an untrusted cert and the user already has the browser open or they navigate to a TLS encrypted site. You can read about Windows 10 specific CWP portals on pretty much any Google search and they will all go far more in-depth with the issue.

L0 Member

I can understand why not having a cert would be a reason, however, we have a cert installed on the CWP matching the domain it points to (CWP is cwp.ourdomain.com - Cert is *.ourdomain.com) and we haven't enabled SSL Decryption on this route yet either.

We aren't getting any errors about untrusted locations - if we browse to the CWP in Safari it loads the page without complaining about an untrusted cert.

Same on Windows 10 devices - no complaints about untrusted certificates. It loads the CWP perfectly fine manually. Just not automatically as it should do.

Cyber Elite

Do you allow access to www.appleiphonecell.com and captive.apple.com? The users will need to be able to resolve both. I'm not sure that Palo Alto actually responds correctly to an iPhone's WISPr requests, but you could also try launching with just an HTTP CWP instead of HTTPS; that was the fix with an old Aerohive setup that I had a few years back.
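
The two behaviours discussed in this thread (the iOS "server stopped responding" sheet, and Windows never prompting) both come down to what the OS's connectivity probe gets back from the network. The script below is an added example, not code from the thread or from Palo Alto Networks: it classifies a probe response the way the client OS does (open internet, redirect to a portal, substituted content, or no reply at all) and checks that the redirect target is covered by the CWP certificate name. The probe URLs and expected bodies are the public connectivity checks used by iOS, Windows 10 and Android; the sample responses, the `/login?url=` redirect path and the `*.ourdomain.org.uk` certificate name are constructed to match the first post's hostnames.

```python
"""Classify what an OS connectivity probe sees behind a captive portal.

Added example (not the thread's or Palo Alto's code). Each OS fetches a
fixed probe URL on join; only the exact expected reply means "online".
A redirect triggers the login sheet, a dropped connection produces the
iOS "server stopped responding" error, and the exact success body means
the OS will never prompt at all (the Windows symptom in the thread).
"""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse

# Public OS probes: (probe URL, status, body) that the OS treats as "open internet".
PROBES = {
    "ios": ("http://captive.apple.com/hotspot-detect.html", 200,
            "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    "windows": ("http://www.msftconnecttest.com/connecttest.txt", 200,
                "Microsoft Connect Test"),
    "android": ("http://connectivitycheck.gstatic.com/generate_204", 204, ""),
}


@dataclass
class ProbeResponse:
    """Raw reply to a probe; status None means the TCP/HTTP exchange failed."""
    status: Optional[int]
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


def classify(os_name: str, resp: ProbeResponse) -> str:
    """Return how the client OS interprets this probe response."""
    _, ok_status, ok_body = PROBES[os_name]
    if resp.status is None:
        return "unreachable"           # iOS: "could not open the page ... stopped responding"
    if resp.status == ok_status and resp.body.strip() == ok_body:
        return "open"                  # OS believes it is online: no portal prompt, ever
    if resp.status in (301, 302, 303, 307, 308) and resp.header("Location"):
        return "captive-redirect"      # the well-behaved signal that opens the login sheet
    return "captive-intercepted"       # some other content was substituted for the probe


def redirect_host(resp: ProbeResponse) -> Optional[str]:
    """Hostname the probe is redirected to (must match the CWP cert to avoid TLS errors)."""
    loc = resp.header("Location")
    return urlparse(loc).hostname if loc else None


def redirect_matches_cert(resp: ProbeResponse, cert_name: str) -> bool:
    """True if the redirect host is the cert CN, or one label under a '*.' wildcard."""
    host = redirect_host(resp)
    if host is None:
        return False
    if cert_name.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == cert_name[2:]
    return host == cert_name


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx (as HTTPError) instead of following it


def fetch_probe(url: str, timeout: float = 5.0) -> ProbeResponse:
    """Live check: send one probe from the current network and capture the raw reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return ProbeResponse(r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here because redirects are not followed
        return ProbeResponse(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, socket.timeout, OSError):
        return ProbeResponse(None)


# Constructed sample replies mirroring the outcomes described in the thread.
SAMPLES = {
    "ios_redirect": ("ios", ProbeResponse(302, {"Location":
        "https://cwp.ourdomain.org.uk/login?url=http://captive.apple.com/hotspot-detect.html"})),
    "ios_dropped": ("ios", ProbeResponse(None)),
    "windows_open": ("windows", ProbeResponse(200, {"Content-Type": "text/plain"},
                                              "Microsoft Connect Test")),
    "android_open": ("android", ProbeResponse(204)),
    "android_intercepted": ("android", ProbeResponse(200, {"Content-Type": "text/html"},
                                                     "<html><body>Login</body></html>")),
}


def run_samples() -> Dict[str, str]:
    return {name: classify(os_name, resp) for name, (os_name, resp) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (url, _, _) in PROBES.items():  # run from a device on the BYOD SSID
        resp = fetch_probe(url)
        print(f"{name:8} {classify(name, resp):20} redirect -> {redirect_host(resp)}")
```

Run it from a laptop joined to the BYOD SSID before authenticating: a healthy setup reports `captive-redirect` for all three probes with the redirect host equal to the CWP hostname; `unreachable` on the iOS probe reproduces the "server stopped responding" sheet, and `open` on the Windows probe explains a client that never prompts.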