Captive Portal Not Working with HTTPS Sessions

68937
Created On 09/25/18 19:49 PM - Last Modified 09/28/23 13:19 PM


Symptom


Captive portal (CP) users must enter their username and password before any other activity is allowed. However, when captive portal users browse to some HTTPS websites, they are not presented with the captive portal page to enter their credentials. Consequently, the Palo Alto Networks firewall does not identify who the user is, because the HTTPS sessions bypass the captive portal page.
 

Diagnosis

  • Use a no-decrypt policy for known users. Users become known after entering their credentials.
  • Use a decrypt policy for unknown users to make sure they get the captive portal page when they open an HTTPS session/website. Until these users enter their credentials they remain unknown users, so the captive portal will trigger because of SSL decryption.
  • The decryption policy for unknown users makes sure users always get a captive portal page, independent of the website they try to reach.

Note: effective from PAN-OS 10.1.9 there is a change in behavior:
Before PAN-OS 10.1.9, by default the firewall allows any non-decrypted SSL traffic from unknown users that matches an authentication policy for Captive Portal.
Effective from PAN-OS 10.1.9, by default the firewall drops any non-decrypted SSL traffic from unknown users that matches an authentication policy for Captive Portal.
The previous behavior can be restored by issuing the following commands:
> debug device-server cp-allow-encrypted-disable off
> configure
# commit force


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS


Cause


For HTTPS websites, SSL Forward Proxy decryption must be configured for the firewall to present the Authentication Portal page to the user.


Resolution


An SSL Forward Proxy decryption policy is needed to inject the captive portal page whenever a user visits any HTTPS website.

See the Palo Alto Networks documentation for configuring SSL decryption and for configuring Captive Portal.

Please refer to the screen shot and description below:

[Screenshot 1.PNG: the two decryption policy rules described below]

  • Decryption policy 1 bypasses decryption for known users.
  • Decryption policy 2 will decrypt all the traffic coming from unknown users.


Behavior:

  1. Unknown user from the trust zone tries visiting https://www.google.com.
  2. Decryption policy 2 triggers and provides a CP page.
  3. The unknown user then tries visiting any other HTTPS site; the CP page is prompted again because of the Decryption policy.
  4. The user enters credentials and is part of the group captive-portal-grp (AD is used for authenticating CP users).
  5. Now the firewall is aware of the user, so Decryption policy 1 triggers and no further traffic from the known user is decrypted; the user will not get a certificate warning page.
  6. Security policy is also needed in place, based on group and zone individually. Create a group-specific policy on the top and a zone-specific policy below it.
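The two decryption rules above, written as PAN-OS configure-mode set commands. This is an added example, not configuration taken from the original article; the zone names (trust, untrust), the rule names, and the decryption profile name cp-fwd-proxy are assumptions, and lines starting with "#" are explanatory comments rather than commands, so check the exact syntax against the CLI reference for your PAN-OS release.

```text
# Enter configuration mode.
configure

# Decryption policy 1 (evaluated first): known, already authenticated users
# are NOT decrypted, so they never see a certificate warning.
set rulebase decryption rules no-decrypt-known-users type ssl-forward-proxy
set rulebase decryption rules no-decrypt-known-users from trust
set rulebase decryption rules no-decrypt-known-users to untrust
set rulebase decryption rules no-decrypt-known-users source any
set rulebase decryption rules no-decrypt-known-users destination any
set rulebase decryption rules no-decrypt-known-users source-user known-user
set rulebase decryption rules no-decrypt-known-users category any
set rulebase decryption rules no-decrypt-known-users service any
set rulebase decryption rules no-decrypt-known-users action no-decrypt

# Decryption policy 2: unknown users ARE decrypted, which is what lets the
# firewall inject the captive portal page into an HTTPS session.
set rulebase decryption rules decrypt-unknown-users type ssl-forward-proxy
set rulebase decryption rules decrypt-unknown-users from trust
set rulebase decryption rules decrypt-unknown-users to untrust
set rulebase decryption rules decrypt-unknown-users source any
set rulebase decryption rules decrypt-unknown-users destination any
set rulebase decryption rules decrypt-unknown-users source-user unknown-user
set rulebase decryption rules decrypt-unknown-users category any
set rulebase decryption rules decrypt-unknown-users service any
set rulebase decryption rules decrypt-unknown-users action decrypt
set rulebase decryption rules decrypt-unknown-users profile cp-fwd-proxy

# Rule order matters (first match wins): the no-decrypt rule for known
# users must sit above the decrypt rule for unknown users.
move rulebase decryption rules no-decrypt-known-users before decrypt-unknown-users
commit
exit

# Check: after a user authenticates at the portal, the IP-to-user mapping
# that turns them into a "known user" should be listed here.
show user ip-user-mapping all
```

The group-based and zone-based security policies mentioned in step 6 are still required and are not shown here.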

 

Explanation of the warning message

Unknown users come in from the trust zone, and there is no way for them to install the firewall's self-signed certificate beforehand, so they will get a certificate warning while decryption is in place.

If you are using a third-party certificate for CP, then after user authentication the no-decrypt rule applies, and there will be no further certificate warnings.

Thank you.

Tarang Srivastav


