The operation of captive portal changed slightly in PAN-OS 3.1. The setup in the document is related to PAN-OS 3.0. There are two modes for captive portal configuration now: transparent or redirect. PAN-OS 3.1 introduced the redirect mode so that browser certificate errors could be avoided. With transparent mode, the firewall will transparently intercept the browser traffic per the captive portal rule and pretend like it is the original destination URL. This causes cert errors because we are not the destination URL in reality and do not have the appropriate cert for the site. Redirect mode tells the browser to go to a configured address that would be a configured L3 interface on the device (not necessarily one that is used for processing traffic). You can use either mode with virtual wire. Redirect is preferred as it is a better end-user experience (no cert errors). However, it does require additional L3 configuration. The other addition in PAN-OS 3.1 is the Authentication Profile. Instead of configuring the RADIUS info directly, you reference an authentication profile. The other occasionally overlooked piece is that you need to remember to Commit the configuration for it to become active. If none of this seems to help, post some more details of your setup. The CLI output of "show running captive-portal-policy" and "show captive-portal" from configure mode would be a good starting point. Mike
... View more