Details
The following command displays the PAN-OS table of user-to-IP mappings and indicates the Captive Portal method used (CP or Captive Portal with NTLM):
> show user ip-user-mapping all
IP              Vsys   From    User                  IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------------- -------------- -------------
192.168.106.12  vsys1  CP      administrator         845            3497
192.168.106.11  vsys1  CP      knarra                898            3587
Total: 2 users
The default Idle Timeout for Captive Portal is 900 seconds (15 minutes), with a Max Timeout of 3600 seconds (60 minutes). If there is no activity for the set idle timeout, the mapping entry is removed and the user is required to log in again. Max Timeout is the maximum time for which the session is tracked as active. When the Captive Portal timer expires, the session is terminated regardless of whether sessions are active or not, forcing the user to re-authenticate manually or from a session cookie.
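The following added example (not part of the original article or any Palo Alto Networks tooling) parses the output shown above and works out, for each mapping, how long the user has been idle and logged in and when the entry will be removed. It assumes the IdleTimeout(s) and MaxTimeout(s) columns are countdowns of remaining seconds and that the default timers are in effect; parse_mappings and timer_state are hypothetical names.

```python
import re
from typing import NamedTuple

# Constructed sample: the command output shown in this article.
SAMPLE = """\
IP              Vsys   From    User                  IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------------- -------------- -------------
192.168.106.12  vsys1  CP      administrator         845            3497
192.168.106.11  vsys1  CP      knarra                898            3587
Total: 2 users
"""

class Mapping(NamedTuple):
    ip: str
    vsys: str
    source: str
    user: str
    idle_left: int   # assumed: seconds remaining on the idle timer
    max_left: int    # assumed: seconds remaining on the max timer

# A data row starts with an IPv4 address and ends with two integers.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(.+?)\s+(\d+)\s+(\d+)\s*$")

def parse_mappings(text):
    """Return one Mapping per data row; header, rule and Total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, vsys, src, user, idle, mx = m.groups()
            rows.append(Mapping(ip, vsys, src, user, int(idle), int(mx)))
    return rows

def timer_state(m, idle_cfg=900, max_cfg=3600):
    """Derive elapsed and remaining times from the configured timers (seconds)."""
    return {
        "idle_for": idle_cfg - m.idle_left,        # time since last activity
        "logged_in_for": max_cfg - m.max_left,     # time since authentication
        "expires_if_idle": min(m.idle_left, m.max_left),  # no further traffic
        "expires_at_latest": m.max_left,           # activity resets idle only
    }

if __name__ == "__main__":
    for m in parse_mappings(SAMPLE):
        if m.source.startswith("CP"):
            print(m.user, m.ip, timer_state(m))
```

If the timers have been changed from the defaults, pass the configured values in seconds as idle_cfg and max_cfg.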
Timeout values can be changed from the CLI or Web GUI. The maximum value allowed for both timers is 24 hours (1440 minutes).
From the CLI:
- Command to change idle timeout
# set captive-portal idle-timer <value>
- Command to change max timeout
# set captive-portal timer <value>
From the Web GUI:
- Go to Device > User Identification > Captive Portal Settings
- Update the Idle Timer (min) value to change the Idle Timeout
- Update the Expiration (min) value to change the Max Timeout

owner: panagent