Scheduled captive portal and BYOD

L3 Networker

Hi,

We use a PA500 box on 5.0.3 in a boarding school environment.

I want CP only to be active during lessons and not in the afternoon / evenings. However I cannot find how to apply a schedule to my CP. How do I do that?

Also the students are complaining about having to relogin every time one of their devices is powered up from suspended mode. Which CP settings do I change to avoid this?

Can a CP user use multiple devices simultaneously under the same user account?

Thanks a lot for comments on this

regards Tor


Accepted Solutions
L5 Sessionator

A policy can be scheduled using the option of Schedulers (Object>Schedules).

At present, schedules can be only applied to Security policies and not Captive portal policies.

You may speak to your SE if you would like to request this feature.

The closest option for scheduling CP would be to apply schedules to the security rule that allows applications dns and web-browsing for unknown-users; this way the CP auth page will not be presented, but this option could be a bit clumsy.

HTH,

Ameya



All Replies
L5 Sessionator

Hi,

Captive Portal policies can't be scheduled, then they will be prompted every time.

Yes, one account can be used on many devices.

Rgds

V.

L3 Networker

You mean prompted every time the schedule is switched on?

I meant to switch on the CP authentication at 7am and switch it off at 4pm.  Users should have to log on at the first time they needed internet after 7am and then relogin every 4 hours if the session timeout was set to 4hrs.  After 4pm they shouldn't be bugged with CP auth until next morning.

Sorry if I misunderstood you, but I tried to elaborate my scenario.

regards Tor

L3 Networker

Hi

Just before the 'offending' CP user policies I tried to insert a new security policy for 'any' user scheduled to be active after school hours.  I hoped that it would 'catch' everyone in the scheduled timeframe so they never jumped further to the CP policies further down.  However they are still prompted for username and password.  Is this because the Captive Portal policy for this subnet is active (and cannot be controlled by a schedule).  Please elaborate if I misunderstood how to do this.

Also there is absolutely no way to 'log off' a PanOS captive portal session?  Occasionally we make public computers available and it would be nice if the current user was able to log out before letting another user continue browsing the internet.

regards

Tor

L5 Sessionator

Is this because the Captive Portal policy for this subnet is active (and cannot be controlled by a schedule).  Please elaborate if I misunderstood how to do this?

CP page would be prompted as long as the HTTP GET request/HTTPS transaction reaches firewall's CP zone.

Applying schedules to the security rule that allows applications dns and web-browsing for unknown-users would ensure that DNS resolution and web-traffic only succeeds during the desired schedule, indirectly controlling the prompting of CP auth page.



Also there is absolutely no way to 'log off' a PanOS captive portal session?  Occasionally we make public computers available and it would be nice if the current user was able to log out before letting another user continue browsing the internet.

Firewall sets a cookie so that future login requests become transparent to the user using session cookies in redirect mode, if the browser has not been closed.

Try disabling this option so that a new user has to login when the current user closes the browser window.

Currently there is no option to log off a CP user.


HTH,

Ameya






Not applicable

A simple ssh-script that automatically logs in and runs the command:

to disable:

    configure
    set rulebase captive-portal rules CWP action no-captive-portal
    commit

or to enable:

    configure
    set rulebase captive-portal rules CWP action web-form
    commit

Dirty, but running that on a schedule should do the trick.
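
The scheduled toggle suggested in the post above, as an added example (not code from the thread or from the vendor): run from cron every few minutes, it picks the action for the 07:00 to 16:00 window mentioned earlier and pushes the post's commands only when the state changes. The host name, account, key path and state file are hypothetical placeholders, and it assumes the firewall accepts CLI lines on the SSH session's standard input with key-based login.

```shell
#!/bin/sh
# Added example: cron-driven toggle of the captive-portal rule.
# FW_HOST, FW_USER, SSH_KEY and STATE_FILE are hypothetical placeholders.
FW_HOST="${FW_HOST:-fw.example.internal}"
FW_USER="${FW_USER:-cp-scheduler}"
SSH_KEY="${SSH_KEY:-$HOME/.ssh/cp_scheduler_ed25519}"
STATE_FILE="${STATE_FILE:-/var/tmp/cp_action.state}"
RULE="CWP"      # rule name used in the post above
ON_START=700    # 07:00, portal on (time taken from the thread)
ON_END=1600     # 16:00, portal off (time taken from the thread)

# desired_action HHMM -> action the rule should have at that time of day
desired_action() {
    # Strip leading zeros so "0659" compares as plain decimal in any shell.
    now=$(printf '%s' "$1" | sed 's/^0*//')
    if [ "${now:-0}" -ge "$ON_START" ] && [ "${now:-0}" -lt "$ON_END" ]; then
        echo web-form
    else
        echo no-captive-portal
    fi
}

# build_commands ACTION -> the CLI lines from the post, for that action only
build_commands() {
    case "$1" in
        web-form|no-captive-portal) ;;
        *) echo "refusing unknown action: $1" >&2; return 1 ;;
    esac
    printf 'configure\nset rulebase captive-portal rules %s action %s\ncommit\n' \
        "$RULE" "$1"
}

# needs_change ACTION -> true if ACTION differs from the last one pushed
needs_change() {
    [ "$(cat "$STATE_FILE" 2>/dev/null)" != "$1" ]
}

# apply_now: commit only on a state change, so a cron run every few minutes
# results in two commits a day and recovers from a missed run.
apply_now() {
    action=$(desired_action "$(date +%H%M)")
    needs_change "$action" || return 0
    # BatchMode=yes makes ssh fail instead of prompting for a password.
    build_commands "$action" |
        ssh -T -i "$SSH_KEY" -o BatchMode=yes "$FW_USER@$FW_HOST" &&
        printf '%s\n' "$action" > "$STATE_FILE"
}

if [ "${1:-}" = "--apply" ]; then apply_now; fi
```

The script does nothing unless called with `--apply`. A `commit` also applies any other uncommitted changes pending in the candidate configuration, so give the SSH account only the rights it needs and keep the private key readable by the cron user alone.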
