Palo Alto Networks Knowledgebase: How to Troubleshoot Captive Portal

How to Troubleshoot Captive Portal

9411
Created On 07/17/19 21:11 PM - Last Updated 07/17/19 22:30 PM
User-ID
Resolution

This document describes checks and commands to troubleshoot Captive Portal on a Palo Alto Networks firewall.

 

Details

  • Make sure that captive portal is enabled.
  • Make sure user identification is enabled on the ingress zone.
  • Make sure there is a captive portal policy.
  • Keep in mind that a security policy needs to be matched first before the session is redirected to captive portal, thus if a deny policy is matched the packets will be dropped and the session will not be redirected to the captive portal.

Note: In order for captive portal to work, the following is needed in the security policy:

  • Web-browsing and DNS must be allowed for the captive portal page is brought up on http port 80
  • DNS query is needed for URL look up. This action spawns the captive portal redirect.
  • Captive portal uses SSL to connection on ports 6080,6081,6082,6083 not 443.

Use the following command to reset any captive portal session (the client will have to authenticate again).
The IP address in the following commands is the IP address of the client:

> debug user-id reset captive-portal ip-address 1.1.1.1

 

Use the following commands to check the captive portal log:

> less mp-log appweb3-l3svc.log

 

For more details, enable l3svc debug level:

debug l3svc on debug

 

Captive portal session counter can be viewed through global counter:

> show counter global | match session_svc

 

The following is a capture of a captive portal session. Captive portal redirects the session to an internal/local captive portal port (6080) and captive portal zone (N/A):

1435247/1 10.16.2.112[1078]/l2-lan-trust/6        72.240.47.70[80]/l2-lan-untrust web-browsing    DISCARD FLOW   
1449020/1 10.16.2.112[1103]/l2-lan-trust/6        72.240.47.70[6080]/N/A          ssl            ACTIVE  FLOW  ND
1449021/1 10.16.2.112[1102]/l2-lan-trust/6        72.240.47.70[80]/N/A            web-browsing    ACTIVE  FLOW  ND
1432627/1 10.16.2.112[1060]/l2-lan-trust/6        72.240.47.70[21]/l2-lan-untrust ftp            DISCARD FLOW   
1436228/1 10.16.2.112[1081]/l2-lan-trust/6        207.68.173.76[80]/l2-lan-untrus web-browsing    DISCARD FLOW

 

For more information about the session via the CLI, type:

 

> show session id 1449020
session 1449020

c2s flow:

source: 10.16.2.112[l2-lan-trust]
dst: 72.240.47.70
sport: 1103 dport: 6080
proto: 6 dir: c2s
state: ACTIVE type: FLOW
ipver: 4
src-user: 0
dst-user: 0

 

s2c flow:

source: 127.3.1.1[N/A]
dst: 10.16.2.112
sport: 443 dport: 1103
proto: 6 dir: s2c
state: ACTIVE type: FLOW
ipver: 4
src-user: 0
dst-user: 0

start time : Thu Jul 24 17:10:04 2008
timeout : 1800 sec
time to live : 1749 sec
total byte count : 3872
layer7 packet count : 12
vsys : vsys1
application : ssl
rule : captive-portal
session to be logged at end : no
session in session ager : yes
session sync'ed from HA peer : no
address/port translation : destination
layer7 processing : enabled
URL filtering enabled : no
session terminated on host : yes
captive portal session : yes

 

See also:

How to Configure Captive Portal

 

owner: jnguyen



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljXCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language