About maxxian

So migrating the users to a different database in the future would be difficult, right? Unless there is some export function in the future? ... View more

So based on the above question and XML extract, is the local database on the PA-500 just an XML file? ... View more

Thanks~ I will open a case with our support. ... View more

The PA-500 has been upgraded to PAN-OS 3.1.6 . I don't see the captive_portal.log anymore under #tail mp-log I get the following errors in authd.log (does that cover both captive portal and admin?): admin@PA-500> tail mp-log authd.log Jan 11 16:06:32 User 'pek' failed authentication. Reason: Invalid username/password From: 10.1.0.2. Jan 11 16:06:32 pan_authd_send_auth_resp(pan_authd.c:1775): pan_authd_send_auth_resp Jan 11 16:06:32 pan_authd_send_auth_resp(pan_authd.c:1793): Sent the response to client Jan 11 16:07:41 pan_authd_loop(pan_authd.c:2101): Got a msg to authd Jan 11 16:07:41 pan_authd_loop(pan_authd.c:2111): recv'ed 1068 bytes from 127.0.0.1 Jan 11 16:07:41 pan_authd_service_req(pan_authd.c:1936): pan_authd_service_req() Jan 11 16:07:41 pan_authd_service_req(pan_authd.c:1954): Authd:get group request Jan 11 16:07:41 pan_authd_handle_group_req(pan_authd.c:1905): Got user role/adomain / for user admin Jan 11 16:07:41 pan_authd_handle_group_req(pan_authd.c:1918): Sending group response msg type 3, conv id 1, to  127.0.0.1 : 38525 Jan 11 16:07:41 pan_authd_handle_group_req(pan_authd.c:1923): Sent the auth group response to client The above log does not look like captive portal problems.  On the GUI, under Monitor > System, I see two related error messages: 01/11 16:06:34 general informational general Captive portal authentication failed for user: pek on 10.1.0.2, vsys1  01/11 16:06:32 general informational auth-fail User 'pek' failed authentication. Reason: Invalid username/password From: 10.1.0.2. I've simplified my network configuration to be a star network (essentially flat where the the Palo Alto is in the middle doing routing between devices) and all active interfaces are in one zone. I'm still stuck trying to figure out why the radius server is not receiving authentication requests from the palo alto. ... View more

Hi Renato, I just got back into the office today.  I've been working in the lab where I had a few machines hooked up to the PA-500, in an isolated environment without internet access. I started the upgrade process on Friday to update the PAN-OS since we're still running 3.0 .  I don't know if it would solve anything, but I'd like to do that before continuing troubleshooting. What do you need from me for a gotomeeting? Cheers, Pek ... View more

Hi Renato, I've been seeing captive portal authentication failures in the System Log in the Monitor tab.  It doesn't really document what kind of failure it is, but I suspect it is a timeout or radius server failure because my radius server running in debug mode is not logging any authentication requests. I am not using a PAN-Agent, assuming that's the agent that gets downloaded to the captive "host".  I would like to try to have captive portal working without the user agent as acquiring a lot of agents (other VPNs, etc.) on a host can cause conflicts. I was also wondering about the IP address of the radius client to configure in freeradius.  I am not using the radius server to authentication management access, so the management IP would not apply.  I've place the management interface within the "inside" zone. The freeradius server is in the "dmz" zone (a Layer 3 port) which is accessible both to the "inside" and "outside" zone. Would the ip of the radius client (PA-500) be the firewall port IP?  Like the Layer 3 port, ie. 192.168.1.1? The shared key (secret) was confirmed, manually typed into the Secret Field. The authd.log is not applicable in my case right?  I assumed that is only for the management port.  I would use "tail mp-log captive_portal.log" btw, having two radius server configurations in two different places for two different types of authentications (management and user) is really confusing (I got really confused at first). The output log looks like this at one point : admin@PA-500> tail follow yes mp-log captive_portal.log Jan 06 16:18:18 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:99): sync modify  <sw.mgmt.runtime.clients.captive_portal.register> failed:  NO_MATCHES Jan 06 16:18:18 cfgagent register failed in try 1/5. sleeping for 5 seconds... Jan 06 16:18:23 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:99): sync modify  <sw.mgmt.runtime.clients.captive_portal.register> failed:  NO_MATCHES Jan 06 16:18:23 cfgagent register failed in try 2/5. sleeping for 5 seconds... Jan 06 16:18:28 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:99): sync modify  <sw.mgmt.runtime.clients.captive_portal.register> failed:  NO_MATCHES Jan 06 16:18:28 cfgagent register failed in try 3/5. sleeping for 5 seconds... Jan 06 16:18:33 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:99): sync modify  <sw.mgmt.runtime.clients.captive_portal.register> failed:  NO_MATCHES Jan 06 16:18:33 cfgagent register failed in try 4/5. sleeping for 5 seconds... Jan 06 16:18:38 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:99): sync modify  <sw.mgmt.runtime.clients.captive_portal.register> failed:  NO_MATCHES Jan 06 16:18:38 Error: pan_cfgagent_enable(pan_cfgagent.c:734): failed to register config agent with management server ... View more