Enforce GlobalProtect for Network Access blocks 'Captive Portal' enabled for Wi-Fi access
Created On 10/07/22 19:05 PM - Last Modified 10/11/22 19:14 PM
Symptom
Enforce GlobalProtect for Network Access blocks the captive portal on Wi-Fi networks that require one, even when the "Captive Portal Exception Timeout" has not yet elapsed.
Sequence of events for when the issue is triggered:
- The user boots up the device at a new location (hotel, airport, café, etc.) where a captive portal is enabled for network access.
- Wi-Fi network has not been enabled yet.
- GlobalProtect launches and tries to connect to the portal per its usual workflow.
- Connection to the portal and captive portal detection will fail at this point since the Wi-Fi connection has not been enabled.
- GlobalProtect is unable to establish a connection, and the captive portal login fails and times out. "Enforce GlobalProtect for Network Access" now blocks the user from using the network.
- The user then connects to Wi-Fi but cannot open the captive portal to log in, since the network is blocked.
Environment
- GlobalProtect
- Enforce GlobalProtect for network connection (enabled)
- Wi-Fi networks on which a captive portal has been enabled (such as hotels, airports, cafés)
- Captive Portal Exception Timeout
Cause
The Captive Portal Exception Timeout will not take effect unless:
1. GlobalProtect connects to the portal and retrieves the configuration.
2. The GlobalProtect client uses the cached portal configuration on the user machine.
Resolution
Since the network is unreachable in this scenario, GlobalProtect has to retrieve the cached portal configuration using a username. To achieve this, configure either of the following:
- SSO (single sign-on). This requires the user to log in using GlobalProtect's credential provider.
- Network > Portal > Agent > Authentication > Save user credentials > Save username only.
Additional Information
If SSO or "Save username only" is not configured, the user has to re-initiate the portal login and thereby re-trigger the captive portal login period: launch the GlobalProtect app and then select "Refresh Connection" from the app settings menu.
Reference:
https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-quick-configs/captive-portal-and-enforce-globalprotect-for-network-access