12-19-2016 06:46 AM - edited 12-19-2016 07:05 AM
We're a school and have just started implementing BYOD for our students. Along with this is the requirement to authenticate the users on their BYOD devices so we can monitor and filter their web usage.
This is easily done with our PA-3050, or so we thought!
Our current setup is that our Student BYOD devices are in their own VLAN (known to the PA via the Zone of Wifi-Students).
These users have their own PPSK on our AeroHive Wireless which allows them access to the BYOD SSID.
While I have managed to get CWP and IP User Mapping to work (using https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id/map-ip-addresses-to-username...), I'm finding the user experience isn't brilliant.
On iOS devices, the user connects to the SSID and instantly iOS pops up a lightweight browser to show the CWP - except it doesn't. It just shows a blank screen with the message "Hotspot login could not open the page because the server stopped responding."
If the user closes the automatic window and selects "Continue without Internet" they are then able to open Safari (or Chrome) and access the CWP by browsing to a URL (bbc.co.uk for example).
This works fine. The user can authenticate against the domain and PA maps the User to the IP.
The problem is that the user experience is pretty poor.
I've tried solutions such as https://live.paloaltonetworks.com/t5/Management-Articles/Captive-Portal-Drops-the-Connection-for-iOS...
These just make the error message go away. This feels like a fudge rather than a fix.
I have a similar issue on Windows devices. Users can connect, but they get no notification that they're behind a CWP and need to authenticate. It's not until they try to use the internet through a browser that they see the CWP.
I know from personal experience in hotels that Windows 10 can detect a CWP and automatically open a browser, so I don't know why it's not doing it on our PA appliance.
In order to get CWP working as above I have set up the following...
This works...mostly. However as mentioned, the user experience isn't the best. As we're dealing with 1400 students (and 300 staff eventually) I'd prefer there to be less manual work involved from the user - aside from logging in!
Hotels and Cafés are able to get iOS, Windows and Android to automatically display the Captive Portal, so it's possible. I just can't work out how to do it on Palo.
Has anyone managed to solve this?
12-19-2016 07:48 AM
Neither of these is an issue that PA can actually fix. The issue stems from the OS trying to mitigate MITM attacks, and therefore many of these CWP solutions no longer work correctly due to the lack of a security cert on the device. iOS's login page is served by WebKit and this will not load a page with a non-trusted cert, while Safari gives them an option to bypass this issue.
Windows is a little different in the manner that it won't ever show the notification about needing to sign in if you are again running an untrusted cert and the user already has the browser open or they navigate to a TLS encrypted site. You can read about Windows 10 specific CWP portals in pretty much any Google search and they will all go far more in-depth with the issue.
12-20-2016 01:32 AM
I can understand why not having a cert would be a reason; however, we have a cert installed on the CWP matching the domain it points to (CWP is cwp.ourdomain.com - cert is *.ourdomain.com) and we haven't enabled SSL Decryption on this route yet either.
We aren't getting any errors about untrusted locations - if we browse to the CWP in Safari it loads the page without complaining about an untrusted cert.
Same on Windows 10 devices - no complaints about untrusted certificates. It loads the CWP perfectly fine manually. Just not automatically as it should do.
12-20-2016 07:15 AM
Do you allow access to www.appleiphonecell.com and captive.apple.com? The users will need to be able to resolve both. I'm not sure that Palo Alto actually responds correctly to an iPhone's WISPr requests, but you could also try launching with just an HTTP CWP instead of HTTPS; that was the fix with an old AeroHive setup that I had a few years back.
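The last reply's check, that the Apple probe hosts answer from the student VLAN before any login, as an added example (not code from this thread, from Palo Alto Networks or from AeroHive): a small Python probe that fetches the OS captive-portal detection URL the way a device does (plain HTTP, redirects not followed) and classifies the answer. It goes beyond the thread by adding the Windows NCSI probe beside the Apple one; the hotspot-detect.html path, the expected bodies and the classification names are assumptions taken from the clients' observed behaviour, not from the thread.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Plain-HTTP probes the OSes send on connect and the body they expect back.
# captive.apple.com is named in the thread; the Windows NCSI probe is assumed here.
PROBES = {
    "ios": ("http://captive.apple.com/hotspot-detect.html", "Success"),
    "windows": ("http://www.msftconnecttest.com/connecttest.txt", "Microsoft Connect Test"),
}

@dataclass
class ProbeResult:
    status: Optional[int]           # HTTP status code, None if no HTTP answer at all
    body: str                       # decoded response body
    location: Optional[str] = None  # Location header when a redirect came back
    error: Optional[str] = None     # transport error text if the request failed

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface redirects to the caller instead of silently following them.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url: str, timeout: float = 5.0) -> ProbeResult:
    """Issue the probe the way a client does: plain HTTP, redirects not followed."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return ProbeResult(resp.getcode(), resp.read().decode("utf-8", "replace"),
                               resp.headers.get("Location"))
    except urllib.error.HTTPError as e:  # includes the 3xx we refused to follow
        return ProbeResult(e.code, e.read().decode("utf-8", "replace"), e.headers.get("Location"))
    except (urllib.error.URLError, OSError) as e:
        return ProbeResult(None, "", error=str(e))

def classify(result: ProbeResult, expected: str) -> str:
    """'open': expected body came back, so the OS shows no portal; 'captive': a
    redirect or substituted page, so the OS opens its login sheet; 'unreachable':
    no HTTP answer at all (probe host blocked or unresolvable, the first thing to fix)."""
    if result.status is None:
        return "unreachable"
    if result.status == 200 and expected in result.body:
        return "open"
    return "captive"

if __name__ == "__main__":
    for os_name, (url, want) in PROBES.items():
        r = fetch(url)
        print(f"{os_name:8} {classify(r, want):12} status={r.status} location={r.location} {r.error or ''}")
```

Run it from an unauthenticated device on the BYOD VLAN: "unreachable" means the probe host itself is not getting through, "captive" with an HTTPS Location is the case where the portal certificate chain must be trusted by the device for the iOS sheet to render it.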