Palo Alto Networks Knowledgebase: Captive Portal with Session Cookie and One Minute Idle Timer Does Not Present a Web Form Page

Created On 08/05/19 19:58 PM - Last Updated 08/05/19 20:11 PM
Issue

A Palo Alto Networks firewall is configured for Captive Portal with Session Cookie and a one-minute Idle Timer. A new user (User1) opens a web browser and accesses an HTTP or HTTPS site, and is presented with a web form page for user identification. User1 closes the web browser within one minute. Another user (User2) then opens the web browser on the same host, but the firewall does not present the web form page for user identification.

Details

The user has configured Captive Portal with Session Cookie enabled and the Idle Timer set to 1:

[Screenshot: img1.PNG]

User1 goes to an HTTP site and the web form page is presented as expected:

[Screenshot: cp-edit.png]

The corresponding ip-user-mapping is created on the firewall:

> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.96.227  vsys1  CP      user1                            58             58

A session cookie is also set, which can be viewed by tailing the appweb3-l3svc.log using the following CLI command:

> tail follow yes mp-log appweb3-l3svc.log

debug: pan_auth_handle_response(pan_auth_msg.c:494): Authentication user user1 succeeded.
debug: panUserIdAgentAuthenticateUId(panPhpUserIdAgent.c:246): Set cookie 7d5f15ab1771d49a61e8b618f1a0c21d for user user1 remote ::ffff:192.168.96.227 192.168.96.227

User1 closes the web browser before the idle timer expires. Another user (User2) on the same host, 192.168.96.227, opens the web browser and is able to browse the web without being prompted for user authentication.

Resolution

This is expected behavior. When User1 closes the web browser, only the session cookie set for User1 is removed. Because the idle timer is still running when User2 opens the web browser on the same host, User2 can still browse the web without being prompted for user authentication. Only when the idle timer has expired and the web browser has been closed will User2 be presented with the web form authentication page.
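To see which hosts are currently in this state, the two outputs shown above can be parsed together. The following is an added example, not code from Palo Alto Networks; the sample text is constructed in the formats shown in this article (the second mapping row is invented for contrast), and the function names are hypothetical.

```python
import re

# Constructed samples in the formats shown in the article (not captured from a device).
MAPPING_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.96.227  vsys1  CP      user1                            58             58
192.168.96.40   vsys1  AD      corp\\alice                       2400           2400
"""
LOG_LINES = """\
debug: pan_auth_handle_response(pan_auth_msg.c:494): Authentication user user1 succeeded.
debug: panUserIdAgentAuthenticateUId(panPhpUserIdAgent.c:246): Set cookie 7d5f15ab1771d49a61e8b618f1a0c21d for user user1 remote ::ffff:192.168.96.227 192.168.96.227
"""

ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")
COOKIE = re.compile(r"Set cookie \S+ for user (\S+) remote \S+ (\S+)")


def parse_mappings(text):
    """Return one dict per data row of `show user ip-user-mapping all`."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header, separator and blank lines do not match
            ip, vsys, source, user, idle, max_t = m.groups()
            rows.append({"ip": ip, "vsys": vsys, "from": source, "user": user,
                         "idle": int(idle), "max": int(max_t)})
    return rows


def cookie_logins(text):
    """Return (user, ip) pairs from 'Set cookie' lines in appweb3-l3svc.log."""
    return [m.groups() for m in map(COOKIE.search, text.splitlines()) if m]


def live_cp_identities(mapping_text):
    """Map IP -> (user, idle seconds left) for Captive Portal entries still counting down.
    While such an entry exists, a browser opened on that host gets no web form,
    even if the earlier user's session cookie is already gone."""
    return {r["ip"]: (r["user"], r["idle"])
            for r in parse_mappings(mapping_text)
            if r["from"] == "CP" and r["idle"] > 0}


if __name__ == "__main__":
    for ip, (user, idle) in live_cp_identities(MAPPING_OUTPUT).items():
        print(f"{ip}: still mapped to {user}, idle timer at {idle}s, no web form shown")
    print("cookie logins:", cookie_logins(LOG_LINES))
```

On a host shared by several people, any IP this reports is one where the next person to open a browser is not prompted and the existing mapping stays in place.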

See Also

How to Configure Captive Portal

owner: gchandrasekaran


