This document describes checks and commands to troubleshoot Captive Portal on a Palo Alto Networks firewall.
Make sure that captive portal is enabled.
Make sure user identification is enabled on the ingress zone.
Make sure there is a captive portal policy.
Keep in mind that a security policy needs to be matched first before the session is redirected to captive portal, thus if a deny policy is matched the packets will be dropped and the session will not be redirected to the captive portal.
Note: In order for captive portal to work, the following is needed in the security policy:
Web-browsing and DNS must be allowed for the captive portal page is brought up on http port 80
DNS query is needed for URL look up. This action spawns the captive portal redirect.
Captive portal uses SSL to connection on ports 6080,6081,6082,6083 not 443.
Use the following command to reset any captive portal session (the client will have to authenticate again). The IP address in the following commands is the IP address of the client: