Captive Portal Not Working with HTTPS Sessions - Knowledge Base - Palo Alto Networks

Captive Portal Not Working with HTTPS Sessions

80658

Created On 09/25/18 19:49 PM - Last Modified 09/28/23 13:19 PM

Captive Portal

Next-Generation Firewall

Symptom

Captive portal (CP) users are to enter their usernames and password before any activity. However, when captive portal users go to some https websites, they're not seeing the captive portal page to enter their credentials. Consequently, the Palo Alto Networks firewall does not identify who the user is (because HTTPS sessions are bypassing the captive portal page).

Diagnosis

Use a no decrypt policy for the known users. They will be known after entering their credentials.
Use a decrypt policy for unknown users to make sure they get the captive portal page when they open an HTTPS session/website. Until and unless these users enter their credentials, they will be unknown users, so captive portal will trigger because of SSL decryption.
Decryption policy for unknown users will make sure users always get a captive portal page independent of the website they try to go to.

Note: effective from PANOS 10.1.9 there is a change in behavior:
Before PANOS 10.1.9, by default firewall allows any non decrypted SSL traffic from unknown users matching an authentication policy for Captive Portal.
Effective from PANOS 10.1.9, by default firewall will drop any non decrypted SSL traffic from unknown users matching an authentication policy for Captive Portal.
The previous behavior can be restored by issuing the following command:

> debug device-server cp-allow-encrypted-disable off
> configure
# commit force

Environment

Palo Alto Firewalls
Supported PAN-OS

Cause

With https websites we have to configure ssl-forward proxy decryption for the firewall to present the Authentication Portal page to the user.

Resolution

We need an ssl-forward proxy decryption policy to inject a captive portal page whenever user visits any https website.

Click here to configure SSL decryption

Click here to configure Captive Portal

Please refer to the screen shot and description below:

Decryption policy 1 bypasses decryption for known users.
Decryption policy 2 will decrypt all the traffic coming from unknown users.

Behavior:

Unknown user from the trust zone tries visiting https://www.google.com.
Decryption policy 2 triggers and provides a CP page.
Unknown user again tries visiting any other https site, the CP page is again prompted because of Decryption policy
User enters credentials and is part of a group, captive-portal-grp (using AD for authenticating CP users).
Now the firewall is aware of the user and Decryption policy 1 will triggers and will not decrypt any further traffic from the known user - the user will not get a certificate warning page.
Security policy is also needed in place, based on group and zone individually. Create a group-specific policy on the top and a zone-specific policy below it.

Explanation of the warning message

Unknown users will be coming in from the trust zone, and there is no way for them to install the self-signed certificate, so they will get a warning message in case the decryption is in place.

If you are using a third-party certificate for CP, after user authentication, the no decrypt rule will apply, and there will be no prompting for certificate warnings.

Thank you.

Tarang Srivastav

Other users also viewed:

How to download GlobalProtect from the Customer Support Portal

Download and Install the GlobalProtect App for Windows

Resource List: GlobalProtect Configuring and Troubleshooting

PAN-OS Software Updates

Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)