Monitor hits against captive portal?

cancel
Showing results for 
Search instead for 
Did you mean: 

Monitor hits against captive portal?

L1 Bithead
When using user ID and captive portal, when an Auth attempt fails because of the captive portal, how can you get notified? We have spent hours troubleshooting broken apps because the captive portal was preventing access but we have no indication of the reason.
5 REPLIES 5

Cyber Elite
Cyber Elite

@btrotter it's a PITA

From CLI you can execute this command:

 

show user ip-user-mapping all type CP

 

and see all successful CP users.

 

From the GUI in the system logs you can use the follwing syntax:

 

( description contains 'Captive Portal authentication succeeded' ) 

 

 

OR

 

( description contains 'Captive Portal authentication failed' )

 

You can use these to help diagnose why some are working and some aren't.

@btrotter Also this may or may not be related to your issue.

 

Specifically my last post:

 

https://live.paloaltonetworks.com/t5/General-Topics/Dual-NIC-IP-Mapping-Issue/td-p/5936/page/2

 

regarding the whole Intranet settings and regristry settings that might need to be changed.

L4 Transporter

Hi btrotter,

 

If you're troubleshooting a communication issue and you're not sure if the traffic is hitting a captive portal policy or not, you can quickly check with a couple of ways.

 

The best way would be to use the test command:

 

> test cp-policy-match (criteria)

 

This will display an output of whether your traffic is going to match a configured policy.

 

If you are logging your traffic, you can click the spyglass on the left hand side of the log and check the flags section of the detailed log view, if the box is filled in and green then the traffic is hitting the portal. You can also add 'captive portal' to the list of columns viewable in the logs, just click the top of the empty column:

 

Screenshot_25.png

 

Another method would be to check the live session information, you can do this in the session browser on the GUI or on the CLI you'll see the captive portal flag set to true or false.

 

I think it would be a nice idea to see captive portal hits or traffic matching a captive portal rule in the ACC, if you want any new features implemented then you will have to contact your PAN SE.

 

I hope this helps. Thanks,

 

Ben

Sorry for the late reply. 
I am unsure if my question is answered as I do not have an active issue to test it against.

I should have given a better example of the problem we are having.

 

For an example, one of our server admins came to us a few months back and said his backup server stopped receiving updates. We spent a long time troubleshooting it when our network engineer decided to try to add the site the server was trying to access to the no-captive-portal list. Once he did this the server guy confirmed his backups were now able to download its updates from the internet. We were unable to see anything in the traffic logs for this server attempting to access the internet and did not have any indication that it was the captive portal that was blocking it. There did not seem to be somewhere that would create an alert or log when something was hitting the captive portal.

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!