Guest Access via Captive Portal - problem with page not always appearing

cenders · ‎01-29-2015

I have set up a guest wifi network with an access point on an ethernet port of the PAN firewall. The guest wifi network is unsecured. I am using a web-form to ensure the guests see our logo, terms, and type in the correct password to proceed.

The setup works most of the time. On occasion when using this setup via an Apple iOS device (iPhone, iPad) I don't get the portal page and instead receive an error on the idevice, "Hotspot login cannot open the page because the network connection was lost". I can then only press cancel and it disconnects me from that wifi network. If I hit cancel and try again, the same problem appears. When hitting cancel on this the second time, I get presented with "use without internet or use other network". Now if I click use without internet, and then open Safari and a website I do indeed get the captive portal.

I do not have this problem on any non iOS device (windows laptop, etc).

So, why sometimes does this happen to me? It is not always repeatable on an iOS device. I believe this is because the apple device is trying to initially open an HTTPS page. Does that require me to enable SSL decryption?

BobW · ‎02-01-2015

"Bob, good band-aids"

Agreed. As I say it seems to work 100% with Firefox and Chrome. I truly believe it is an apple issue given it works different depending on the revision.

Please keep us updated if you find a solid fix!

Bob

Tijl · ‎02-02-2015

Hi Cenders,

You will also need a security rule. You'll need to allow this regardless of the browser or OS used.

The iOS behaviour with a captive portal depends on the iOS version. What version are you currently having issues with?

Tijl

cenders · ‎02-04-2015

Tijl, I think the problem started with iOS 7 and anything above. Current iPad I'm testing with is running 8.1.3. I do have security rules related to the captive portal, such as allowing DNS without requiring identity and regular http and https traffic for "known users" (which forces the CP). I have a captive portal rule with "web-form" as the action for http and https. I think the setup is fine as I don't seem to have a problem with windows based computers going through the CP.

cenders · ‎02-04-2015

Hardik, I don't want to whitelist the Apple URLs because I want the Apple device to correctly open the CP upon trying to join the Wifi network. I have seen other CP solutions work just fine with Apple devices, I'm lost trying to figure out why it isn't working 100% with Palo Alto.

cenders · ‎02-04-2015

Tijl, along the lines of your thinking with regards to HTTPS, I have read elsewhere that Apple's "Captive Network Assistant" has issues where the portal is HTTPS. Apple's initial HTTP GET request (for the success.html) then being redirected to an HTTPS captive portal is the problem here. But who in their right mind would have a captive portal that isn't HTTPS? I guess if I use wifi isolation (preventing wifi clients from talking to each other) could a sniffer still see plain text credentials of the portal? It would be easy to then sniff the portal password from other clients.

Guest Access via Captive Portal - problem with page not always appearing

Guest Access via Captive Portal - problem with page not always appearing

Show your appreciation!