Does Captive Portal work on Virtual Wires?

Hi,

I configured Captive Portal on a PA-500 running ver. 3.1.3, following the directions in the PDF document "How to Configure Captive Portal", but the Captive Portal login screen has never come up. I wonder if Captive Portal works in a Virtual Wire environment?

Thanks in advance.

Accepted Solutions

If you use Redirect on a vwire you will need to create a L3 interface to act as the "Redirect" interface. It needs to be routable to the client PCs. If your DNS server is on the other side of the CP then you will need to allow all DNS traffic through the vwire to make this work. We have a revised CP document for version 3.1 posted on this portal.

Steve Krall

The operation of captive portal changed slightly in PAN-OS 3.1. The setup in the document is related to PAN-OS 3.0. There are two modes for captive portal configuration now: transparent or redirect. PAN-OS 3.1 introduced the redirect mode so that browser certificate errors could be avoided. With transparent mode, the firewall will transparently intercept the browser traffic per the captive portal rule and pretend like it is the original destination URL. This causes cert errors because we are not the destination URL in reality and do not have the appropriate cert for the site. Redirect mode tells the browser to go to a configured address that would be a configured L3 interface on the device (not necessarily one that is used for processing traffic). You can use either mode with virtual wire. Redirect is preferred as it is a better end-user experience (no cert errors). However, it does require additional L3 configuration.

The other addition in PAN-OS 3.1 is the Authentication Profile. Instead of configuring the RADIUS info directly, you reference an authentication profile.

The other occasionally overlooked piece is that you need to remember to Commit the configuration for it to become active. If none of this seems to help, post some more details of your setup. The CLI output of "show running captive-portal-policy" and "show captive-portal" from configure mode would be a good starting point.

Mike

Mike,

If I use redirect mode and RADIUS authentication only, I don't use NTLM.

Can Captive Portal work? In case of certificate errors
