Problem with Captive portal :

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Problem with Captive portal :

L0 Member

Dears,

I'm using PA-500 with 5.0.11 OS.

I would like to get help for the captive portal, HTTPS traffic isn't being interrupted while HTTP is working fine and redirecting traffic for authorization.

Please help me.

Regards,

Umair.

13 REPLIES 13

L4 Transporter

Yes, this is (unfortunetelly) expected behavior of PAN.

I have the same in my CP. I know that other vendors are able to redirect https session to Captive Portal.

Regards

SLawek

L5 Sessionator

Hi all,

PaloALto is able to do that only if in your CP policy you have configure service-http AND service-https.

Hope help.

V.

Hi Vince

My CP policy of course using service-http AND service-https.

When I try to connect to any site with https://www.mozilla.com my webbrowser (Firefox) display "Connection was reset"

Regards

Slawek

L0 Member

Thanks for the responses.

I have configured both HTTP and HTTPS both in service policy.

but unfortunately not getting right result and because of that some users are able to browse via https Smiley Sad

Regards,

Umair.

In my opinion something wrong is in Your security policy configuration if users are able to browse by https.

My looks like:

2014-03-04_134308.png

2014-03-04_134321.png

Vince - why in my config users aren't redirected to CP portal?

Regards

SLawek

L5 Sessionator

Hello Everyone,

For captive portal to work with https you need to setup decryption policy.

Regards,

Hari Yadavalli

Please take a look MikroTik RouterOS • View topic - Hotspots and SSL redirection to login

"There is the new HTTP status codes which include 511 "Authentication Required", and although the RFC itself mentions that currently, browsers will show a certificate error on an SSL page, I think browser vendors should be asked to not do that."

Maybe this is a way to go with CP and PAN?

Regards

Slawek

L4 Transporter

Umair,

We have a PA-5020 running 5.1.10 and do Captive portal internally and externally. In both cases we redirect http and https.  Please check the following setting:

imageFile.png

Please check the management profile and make sure you have selected https response pages.

The Captive portal settings should look something like this:

Capture-GP-Settings.PNG.png

Phil

L4 Transporter

Hi Hitsec

thats very intersting what You wrote.

Could You share with us your settings of managemanet profile?

My looks like:

2014-03-06_085007.png

and it doesn'r redirect when You try to open https://www.mozilla.com with FF browser.

Regards

Slawek

Hi Phil

I forgot to ask You about decryption policy - do You use SSL decryption?

Regards

Slawek

Slawek,

I realized that is only http traffic that I am seeing redirected to Captive portal.  Sorry for misleading you and the discussion thread.  That has prompted me to look further into it.

Phil

L6 Presenter

Agree with hyadavalli

You have to use SSL decryption.Without that page will not be loaded.(For unknown users allow only dns.)

Retired Member
Not applicable

Just to add to discussion, CP works by sending a 302 redirect when HTTP GET is received. HTTPS encrypts the GET message. Hence no redirect is triggered. This is why you need SSL decryption if you want to CP HTTPS traffic.

-Richard

  • 5356 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!