This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

User-ID Agent identifies local PC users so captive portal never kicks in?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

User-ID Agent identifies local PC users so captive portal never kicks in?

networkadmin
L4 Transporter

‎01-29-2014 08:47 AM

I upgraded our PAN from 4.1.x to 5.0.10 and also upgraded the User-ID agent from 3.x to the latest 5.x.

We have some rules configured with groups specified and we have captive portal in place and what used to happen was if you came along on a domain joined laptop but were logged on as a local account (so LAPTOPNAME\LocalAccount) you'd get the portal and would have to authenticate using a domain account (standard Kerberos auth against the DCs).

What's happening now is that the request is blocked because it's hitting the last whitelist rule which blocks all URL Categories other than the allow whitelist.

The block page is showing the user as LAPTOPNAME\LocalAccount so the firewall must be picking up the local logon name from the User-ID agent - looking at the mapping list on the User-ID agent on the DCs confirms this.

So I'm assuming we don't get the captive portal because the user is always known so the portal never needs to kick in?

How can I make it so that the firewall won't see any usernames other than DOMAIN\Username from the User-ID agent please, so that in the situation above the portal would kick in like it used to?

I've looked everywhere I can think of and I'm drawing a blank.

0 Likes Likes
4 REPLIES 4

HULK
L7 Applicator

‎01-29-2014 10:37 AM

Related discussions:

password

Re: Captive Portal to Internal Servers

Thanks

0 Likes Likes

networkadmin
L4 Transporter
In response to HULK

‎01-29-2014 10:56 AM

Thanks, but I don't see anything in those that leaps out as being applicable here?

We're not even seeing the portal - the PAN seems to assume the username is "LOCALPC\localaccount" so simply blocks access because it doesn't match any rule.

0 Likes Likes

networkadmin
L4 Transporter
In response to sraghunandan

‎01-30-2014 03:08 AM

It looks similar to the second issue.  We have a standard AD though at 2003 Functional Level - nothing unusual or custom so this seems bizarre behaviour.

0 Likes Likes
  • 2091 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks