Chrome Bypassing Captive Portal for Google Services

L2 Linker

Hi,

PANOS 4.1.6

Client OS: Windows 7

Client Browser: Google Chrome 21.0.1180.89

I have PAN running with Captive Portal (Public Certificate with AD Auth profile). Everything works fine when I use Firefox, Chrome and IE (in the case of IE except for the small hitch discussed here in this forum when running on Windows 7). I am prompted to authenticate with the web form without any certificate warning etc. However, when I try gmail.com in Chrome (and it only happens in Chrome), it simply takes me through and lets me log in to Gmail and do whatever I want to. It's true for certain other Google Apps services (like Chrome Web Store, Google Analytics etc.) too. Captive Portal is running in Redirect mode on the Trust interface (L3).

Any thoughts please?

Cheers.

18 replies

L4 Transporter

What's your captive portal policy and security policy look like?

Hi,

CP Rule is

from Trust VLAN 20    -> to Untrust any      any      services http/https/ftp      captive-portal

from Trust Any           -> to Untrust any      any      services http/https/ftp      no-captive-portal

Security Rule is

From Trust Any Any to Untrust Any Any DENY p2p-apps  No-Profiles

From Trust Any Any to Untrust Any Any ALLOW Any       Profiles

Thanks

Did you enable SSL Decryption? If not, when HTTPS is used, Captive Portal will be ignored.

Hello umphmharding,


I have done some more tweaking, further to my earlier post mentioning the CP and Security rules which you asked for. As an update to that, what I have done is created a top rule blocking ALL applications from Trust to Untrust for 'Unknown' users. This now helps me block all traffic unless properly authenticated with Captive Portal. However, interestingly, if Chrome is now launched and I try accessing Gmail or a similar Google Apps service, the browser simply does NOT take me anywhere, not even to the captive portal. Again, if I access some other site, then I am prompted with the CP, authenticate myself and everything goes smoothly.


So it looks like it has something to do with the way Chrome initiates its session with Google services???


Thanks


Your rule "from Trust VLAN 20    -> to Untrust any      any      services http/https/ftp      captive-portal" will be ignored on SSL (HTTPS) if you don't have SSL Decryption enabled.

I did that before. But if I do enable it, then I run into warning page problems as I don't have an internal CA.

But again, if what you said is the case, why is it that other browsers (FF and IE) take me to the CP when I access the same Gmail services?

Thanks

The very first connection of your browser is the one that counts: is it possible that you open HTTP instead of HTTPS with Chrome but not with IE and FF?

In my company, Chrome defaults to connecting to Google with HTTPS.

If you take a Wireshark trace (one for each browser) you will see what kind of connection each browser is making.

For SSL Decryption: yes, you get errors if you don't invest a lot of time to set it up properly.

OK, I changed the rule "from Trust VLAN 20    -> to Untrust any      any      services http/https/ftp      captive-portal" to a new rule as below:


from Trust VLAN 20    -> to Untrust any      any      services  ANY      captive-portal


I also enabled SSL Decrypt now, and the situation is that it (Chrome) still does not take me to the CP page; instead it takes me to the certificate warning page, which means my SSL Decrypt rule is in place. But as before, all other browsers get me to the CP.

If other browsers aren't complaining about certificates, it means that they aren't affected by the SSL decryption rule (so they aren't using HTTPS?).

Again, I think that if you want to make sure, you should get 1 Wireshark network capture for each browser, you will get a quick and 100% sure answer.

You are right... So Chrome goes directly to HTTPS, whereas the other browsers do not. I was about to use Wireshark, but then I figured it out from the URL seen on the CP.

So that means if the user tries an HTTPS site the very first time and I don't have SSL Decrypt enabled, CP is of no use? Getting an internal CA won't be an easy way for now. So isn't there a workaround to serve the purpose without SSL Decrypt, please?

Unfortunately no: to be able to send the browser to a portal page, the firewall must rewrite the HTTP answer; it's obviously not possible when the stream is encrypted with SSL, unless you enable SSL Decryption, which allows the PA to see the real clear-text traffic.

Also, SSL Decryption has many fallbacks and problems, so I currently disabled it on Google services because of incompatibilities; but it's achievable with a lot of work.

I suggest you start playing with User Agent (reads Windows logon events on the Domain Controller) or GlobalProtect Portal.
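Added example (not from any participant in this thread, and not Palo Alto code): it models the diagnosis above by scanning a constructed tcpdump-style trace for each client's first outbound SYN, then applying the rule from the accepted answer, namely that a captive-portal redirect can only be injected into an HTTP response the firewall can see. The trace lines, IPs and the outcome labels are constructed for illustration.

```python
import re

# Constructed tcpdump-style SYN lines standing in for the per-browser traces the
# thread suggests capturing. 10.20.0.15 behaves like Chrome (first hit is 443),
# 10.20.0.16 like Firefox/IE (first hit is plain HTTP on 80). Not real captures.
SAMPLE_TRACE = """\
10:01:02.100 IP 10.20.0.15.50112 > 142.250.74.37.443: Flags [S]
10:01:02.130 IP 10.20.0.15.50113 > 142.250.74.37.443: Flags [S]
10:01:05.400 IP 10.20.0.16.49201 > 93.184.216.34.80: Flags [S]
10:01:05.900 IP 10.20.0.16.49202 > 93.184.216.34.443: Flags [S]
"""

SYN_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)


def first_connection_per_client(trace):
    """Return {client_ip: dst_port} for the first outbound SYN of each client.

    Only the first connection matters: that is the one the captive-portal
    redirect would have to ride on.
    """
    first = {}
    for line in trace.splitlines():
        m = SYN_RE.search(line)
        if not m:
            continue
        src, _sport, _dst, dport = m.groups()
        first.setdefault(src, int(dport))
    return first


def captive_portal_outcome(dst_port, ssl_decrypt=False):
    """Outcome labels (constructed) for what the thread describes.

    - HTTP: the firewall rewrites the response, so the user lands on the CP.
    - HTTPS without decryption: the rule is ignored; only allow/drop is possible.
    - HTTPS with decryption but no trusted internal CA: the browser shows a
      certificate warning instead of the CP page (as reported in the thread).
    """
    if dst_port == 80:
        return "redirect-to-cp"
    if dst_port == 443 and ssl_decrypt:
        return "cert-warning"
    return "cp-ignored"


def diagnose(trace, ssl_decrypt=False):
    """Map each client in the trace to the captive-portal outcome of its first hit."""
    return {ip: captive_portal_outcome(port, ssl_decrypt)
            for ip, port in first_connection_per_client(trace).items()}
```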

Hmm.. I get that now. Thanks.

Could be silly, but I am wondering if I could prompt the 'unknown' user with a URL Category blocked page (for any site he visits as long as he is unknown). I could at least customize the blocked page to ask them to click on an HTTP link there, where he is then taken to the CP, where he authenticates and then things work the way we wanted... I am yet to go through the various rulebase processing flows... But does this make any sense to you?

When visiting SSL (HTTPS) sites you can only 'cut' the connection if you don't decrypt it; you cannot provide a nice warning/error message.

If you are using Windows accounts for login and don't have many remote offices, UserAgent is very quick to set up and you can forget CP forever.

Yeah, I see that too. I kept a security policy on the top saying ALLOW everything from any to any for the 'unknown' user, but with a URL Profile to block ALL categories. Now it seems that if I open Chrome and access https://gmail, I can't access it, but there is no CP popping up either. I was thinking that since the traffic is HTTPS, captive portal is skipped and hence the URL block might get imposed (even if it's HTTPS, I believe it should still categorise it as the 'Unknown' URL category from the name found on the certificate) with the blocked page notification. However, the session doesn't progress and I don't seem to get a URL Category blocked page either... so..!!!!

I am on a Mac environment mostly and hence the User-ID stuff isn't doing so great for me. Another purpose is to make sure 'bad' external consultants do not misuse wired Ethernet ports too.
