This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Many users receiving Captive Portal

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Many users receiving Captive Portal

FabioGarcia
L3 Networker

‎05-29-2015 11:52 AM

Dears,

We have been facing a lot of users identified by Captive Portal and not via UIA.

Does anyone could suggest any troubleshooting/best practices to avoid this kind of behavior ?

ScreenShot031.jpg

Thanks in advance!!

0 Likes Likes
5 REPLIES 5

mivaldi
L7 Applicator

‎05-29-2015 04:27 PM

Your UIA mappings are most likely timing out at the default of 45 minutes, and you're most likely relying on WMI Probes, which are failing, because your hosts are not correctly configured to respond to the WMI Probes.

Once the Probes fail, the user-ip mappings are deleted.

Once they are deleted, Captive Portal will trigger.

If the Captive Portal is set to its default Expiration of 60 minutes, then users will have to validate to CP every hour.

By default, User-ID Cache timeout is set to 45 minutes.

If users would be on site for a maximum of 12 hours, you can set the timeout to 720 minutes, and disable Probing.

Note I'm making a lot of assumptions based on similar cases I've worked. Your settings may differ, in that case, I recommend you open a Support ticket and we can take a closer look.

I also recommend checking out these documents:

Best Practices for Securing User-ID Deployments

User-ID Best Practices - PAN-OS 5.0, 6.0

cpainchaud
L4 Transporter

‎05-30-2015 05:29 AM

Hi essilorbr,

I also suggest that you look at GlobalProtect to transparently identify your users, please remember this is not only a VPN client but also an Authentication client when used in Internal mode.

Your colleagues from Essilor EMEA may help you setting up this configuration.

FabioGarcia
L3 Networker
In response to mivaldi

‎06-03-2015 12:10 PM

Hello, thx for you help... you meant change this parameter below at Agent ?

- disable WMI

- change user identification timeout from 30 to 720 ?

ScreenShot033.jpg

0 Likes Likes

mivaldi
L7 Applicator
In response to FabioGarcia

‎06-05-2015 11:57 AM

Yes, that is correct.

Enable WMI Probing: No

User Identification Timeout (min.): 720

0 Likes Likes

FabioGarcia
L3 Networker
In response to mivaldi

‎06-09-2015 07:47 AM

Very nice!!

will try these options...

0 Likes Likes
  • 3685 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks