10-28-2013 09:53 AM
Hi,
We use a PA500 box on 5.0.3 in a boarding school environment.
I want CP only to be active during lessons and not in the afternoon / evenings.. However I cannot find how to apply a schedule to my CP. How do I do that?
Also the students are complaining about having to relogin every time one of their devices are powered up from suspended mode. Which CP settings do change to avoid this?
Can a CP user use multiple devices simultaneously under the same user account?
Thanks a lot for comments on this
regards Tor
10-28-2013 11:45 AM
A policy can be scheduled using the option of Schedulers (Object>Schedules) .
At present, schedules can be only applied to Security policies and not Captive portal policies.
You may speak to your SE if you would like to request this feature.
Closest option for scheduling CP would be to apply schedules to the security rule that allows applications dns and web-browsing for unknown-users, this way CP auth page will not be presented, but this option could be a bit clumsy.
HTH,
Ameya
10-28-2013 10:21 AM
Hi,
Captiv Portal policies can't be scheduled then they will be prompted everytime.
Yes, one acccount can be used on many devices.
Rgds
V.
10-28-2013 10:28 AM
You mean prompted every time the schedule is switched on?
I meant to switch on the CP authentication at 7am and switch it off at 4pm. Users should have to log on at the first time they needed internet after 7am and then relogin every 4 hours if the session timeout was set to 4hrs. After 4pm they shouldn't be bugged with CP auth until next morning.
Sorry if I misunderstood you, but I tried to elaborate my scenario.
regards Tor
10-28-2013 11:45 AM
A policy can be scheduled using the option of Schedulers (Object>Schedules) .
At present, schedules can be only applied to Security policies and not Captive portal policies.
You may speak to your SE if you would like to request this feature.
Closest option for scheduling CP would be to apply schedules to the security rule that allows applications dns and web-browsing for unknown-users, this way CP auth page will not be presented, but this option could be a bit clumsy.
HTH,
Ameya
11-08-2013 05:41 AM
Hi
Just before the 'offending' CP user policies I tried to insert a new security policy for 'any' user scheduled to be active after school hours. I hoped that it would 'catch' everyone in the scheduled timeframe so they never jumped further to the CP policies further down. However they are still prompted for username and password. Is this because the Captive Portal policy for this subnet is active (and cannot be controlled by a schedule). Please elaborate if I misunderstood how to do this.
Also there is abosolutely not way to 'log off' a PanOS captive portal session? Occasionally we make public computers available and it would be nice if the current user was able to log out before letting another user continue browsing the internet.
regards
Tor
11-08-2013 01:16 PM
Is this because the Captive Portal policy for this subnet is active (and cannot be controlled by a schedule). Please elaborate if I misunderstood how to do this?
CP page would be prompted as long as the HTTP GET request/HTTPS transaction reaches firewall's CP zone.
Applying schedules to the security rule that allows applications dns and web-browsing for unknown-users would ensure that DNS resolution and web-traffic only succeeds during the desired schedule, indirectly controlling the prompting of CP auth page.
Also there is abosolutely not way to 'log off' a PanOS captive portal session? Occasionally we make public computers available and it would be nice if the current user was able to log out before letting another user continue browsing the internet.
Firewall sets a cookie so that future login requests become transparent to the user using session cookies in redirect mode, if the browser has not been closed,
Try disabling this option so that a new user has to login when the current user closes the browser window.
Currently there is no option to log off a CP user.
HTH,
Ameya
11-20-2013 05:51 AM
a simple ssh-script that automatically logs in and runs the command:
to disable:
configure
set rulebase captive-portal rules CWP action no-captive-portal
commit
or to enable:
configure
set rulebase captive-portal rules CWP action web-form
commit
'
Dirty, but running that on a schedule should do the trick.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
