07-09-2010 12:19 AM
Hi,
I configured Captive Portal on a PA-500 ver. 3.1.3 by following the directions in a PDF document, "How to Configure Captive Portal", but the Captive Portal login screen has never come up. I wonder if Captive Portal works in a Virtual Wire environment?
Thanks in advance.
07-09-2010 09:08 AM
The operation of captive portal changed slightly in PAN-OS 3.1. The setup in the document is related to PAN-OS 3.0. There are two modes for captive portal configuration now: transparent or redirect. PAN-OS 3.1 introduced the redirect mode so that browser certificate errors could be avoided. With transparent mode, the firewall will transparently intercept the browser traffic per the captive portal rule and pretend like it is the original destination URL. This causes cert errors because we are not the destination URL in reality and do not have the appropriate cert for the site. Redirect mode tells the browser to go to a configured address that would be a configured L3 interface on the device (not necessarily one that is used for processing traffic). You can use either mode with virtual wire. Redirect is preferred as it is a better end-user experience (no cert errors). However, it does require additional L3 configuration.
The other addition in PAN-OS 3.1 is the Authentication Profile. Instead of configuring the RADIUS info directly, you reference an authentication profile.
The other occasionally overlooked piece is that you need to remember to Commit the configuration for it to become active. If none of this seems to help, post some more details of your setup. The CLI output of "show running captive-portal-policy" and "show captive-portal" from configure mode would be a good starting point.
Mike
12-17-2010 12:35 AM
Mike,
If I use redirect mode and RADIUS authentication only, I don't use NTLM.
Can Captive Portal work? In case of certificate errors
12-20-2010 09:38 PM
If you use Redirect on a vwire you will need to create a L3 interface to act as the "Redirect" interface. It needs to be routable to the client PCs. If your DNS server is on the other side of the CP then you will need to allow all DNS traffic through the vwire to make this work. We have a revised CP document for version 3.1 posted on this portal.
Steve Krall