Captive Portal authentication is required, even if Timeout of Session Cookie is enabled
Created On 07/01/20 09:55 AM - Last Modified 06/07/25 02:40 AM
Symptom
- Captive Portal Redirect mode provides for the use of session cookies, which enable the user to continue browsing to authenticated sites without requiring re-mapping by user authentication each time the timeouts expire.
- However, depending on the configuration, Captive Portal requires authentication again even if Session Cookie is enabled and has not timed out.
Details:
- Configure Captive Portal.
- Enable "Session Cookie" under [Device] > [User Identification]
- Create a customized web-form Authentication Enforcement object under [Objects] > [Authentication], and select web-form as the "Authentication Method"
- Apply the Authentication Enforcement above to [Policies] > [Authentication] > [<Policy Name>] > [Actions] > [Authentication Enforcement]
Environment
- Palo Alto Firewall.
- PAN-OS 8.0, 8.1, 9.0
- Captive Portal with Session Cookie Configured.
Cause
For the Session Cookie to be honored, the predefined "default-web-form" has to be used in Authentication Enforcement.
This is by design.
Resolution
- Select default-web-form (predefined) in "Authentication Enforcement" under [Policies] > [Authentication] > [<Policy Name>] > [Actions] > [Authentication Enforcement]
- In the default-web-form, you are not able to select an "Authentication Profile". Select the appropriate "Authentication Profile" under [Device] > [User Identification] instead.