Captive Portal Not Working with HTTPS Sessions

Created On 09/25/18 19:49 PM - Last Modified 04/21/20 00:46 AM


Symptom

Captive portal (CP) users are required to enter their username and password before any activity. However, when captive portal users go to some HTTPS websites, they do not see the captive portal page where they would enter their credentials. Consequently, the Palo Alto Networks firewall does not identify who the user is (because HTTPS sessions are bypassing the captive portal page).

Diagnosis

  • Use a no decrypt policy for the known users. They will be known after entering their credentials.
  • Use a decrypt policy for unknown wireless users to make sure they get the captive portal page when they open an HTTPS session/website. Until these users enter their credentials, they remain unknown users, so the captive portal triggers because of SSL decryption.
  • A decryption policy for unknown users makes sure users always get a captive portal page, regardless of the website they try to go to.


Resolution

Prerequisite

 

  • Knowledge of SSL decryption
  • Knowledge of captive portal (CP)

Non-working scenario

  1. Unknown user from the wireless zone tries visiting https://www.google.com.
  2. Since it's an SSL session, the captive portal page may not trigger.
  3. The firewall is unable to identify the user, who does not receive a captive portal page.

 

Working scenario

SSL decryption must be in place so that the firewall can inject a captive portal page whenever a user visits any HTTPS URL.

Click here to configure SSL decryption

Click here to configure captive portal

 

Please refer to the screen shot and description below:

 

 1.PNG

 

Working scenario

  • Decryption policy 1 says no decrypt to wireless known users.
  • Decryption policy 2 says decrypt all the traffic coming from the wireless zone.

 

  1. Unknown user from the wireless zone tries visiting https://www.google.com.
  2. Decryption policy 2 triggers and provides a CP page.
  3. If the unknown user again tries visiting any other https site, the CP page is prompted again because of Decryption policy
  4. User enters credentials and is part of a group, captive-portal-grp (using AD for authenticating CP users).
  5. Now the firewall is aware of the user, so Decryption policy 1 will trigger and the firewall will not decrypt any further traffic from the known user. The user will not get a certificate warning page.
  6. Security policy is also needed in place, based on group and zone individually. Create a group-specific policy on the top and a zone-specific policy below it.
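
The walk-through above can be replayed with a small first-match model of the two decryption policies. This is an added example, not Palo Alto Networks code or PAN-OS configuration: the rule fields, the client address, the user name and the outcome labels are constructed for illustration. It also goes beyond the steps above by replaying the same sessions with no decryption rules and with the two rules in reverse order.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DecryptRule:
    name: str
    zone: str    # source zone, or "any"
    user: str    # "known-user", "unknown", or "any"
    action: str  # "decrypt" or "no-decrypt"

# The two rules from the working scenario, evaluated top-down, first match wins.
WORKING = [
    DecryptRule("policy-1", "wireless", "known-user", "no-decrypt"),
    DecryptRule("policy-2", "wireless", "any", "decrypt"),
]

def match(rules, zone, user_state):
    """Return the first matching rule, or None (session is not decrypted)."""
    for r in rules:
        if r.zone in ("any", zone) and r.user in ("any", user_state):
            return r
    return None

def https_session(rules, zone, ip, ip_user_map):
    """Model one HTTPS session; return (matched rule name, outcome)."""
    state = "known-user" if ip in ip_user_map else "unknown"
    rule = match(rules, zone, state)
    decrypted = rule is not None and rule.action == "decrypt"
    if state == "unknown":
        # Simplification: the portal page is injected only into decrypted sessions.
        outcome = "captive-portal" if decrypted else "bypass-unidentified"
    else:
        outcome = "decrypted" if decrypted else "passthrough"
    return (rule.name if rule else None, outcome)

def walk_through(rules):
    """Two visits while unknown, a login if the portal appeared, one more visit."""
    mapping, ip = {}, "10.0.0.25"      # constructed client address
    trace = [https_session(rules, "wireless", ip, mapping) for _ in range(2)]
    if any(outcome == "captive-portal" for _, outcome in trace):
        mapping[ip] = "alice"          # constructed user; step 4 (credentials entered)
    trace.append(https_session(rules, "wireless", ip, mapping))
    return trace

if __name__ == "__main__":
    print("working :", walk_through(WORKING))
    print("no rules:", walk_through([]))
    print("reversed:", walk_through(WORKING[::-1]))
```

In the reversed order the authenticated user still matches the decrypt rule first, which is why the no-decrypt rule for known users has to sit above the zone-wide decrypt rule.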

 

Explanation of the warning message

Unknown users will be coming in from the wireless zone, and there is no way for them to install the self-signed certificate, so they'll get a warning message when decryption is in place.

 

If you are using a third-party certificate for CP, after user authentication, the no decrypt rule will apply, and there will be no prompting for certificate warnings.

 

Thank you.

 

Tarang Srivastav


