Captive Portal Authentication Loop

Created On 02/22/23 10:24 AM - Last Modified 10/29/25 19:31 PM


Symptom


  • Captive Portal Authentication Rule hits are triggering reauthentication
  • This happens multiple times after successful authentications
  • A delay between 'Factor Completion Time' and 'Receive Time' is seen in the Monitor > User-ID log for non-captive-portal (agent) logins, with the Factor Completion Time later than the Receive Time:
Data Source    Receive Time           Factor Completion Time
agent          2023/02/20 03:58:34    2023/02/20 04:01:00
  • The following message is seen in useridd.log when User-ID logging is set to debug:
2023-02-20 04:15:08.324 +0000 debug: pan_user_id_ipusers_mp_table_add(pan_user_id_ipuser.c:424): Ignore outdated or duplicate ip-user adding for ip 10.10.10.10, uid 1010 : login time 1676866650 is older than or equal to 1676866650


Environment


  • Captive Portal Authentication Rules
  • Multiple User-ID sources
  • All PAN-OS Versions


Cause


The Receive Time (stamped by the firewall) being earlier than the Factor Completion Time (stamped by the User-ID source) indicates a clock difference between the User-ID source and the firewall. In this case the 'show ntp' command shows the firewall's NTP state as not synched:
> show ntp

NTP state:
    NTP not synched, using local clock
    NTP server: 10.10.10.254
        status: rejected
        reachable: no
        authentication-type: none

This creates a time difference between the locally generated IP-user mappings (captive portal) and the mappings learned from Active Directory through the agent. Because the firewall clock is about 3 minutes behind, the login time on an agent-based mapping is about 3 minutes in the future according to the firewall's clock. Any captive-portal mapping generated locally during those 3 minutes carries a login time older than (or equal to) the entry already in the table and is ignored, as the debug message above shows, so the user keeps being sent back through the captive portal.
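The following is an added example written for this article, not PAN-OS code: it models the rule quoted in the debug message (a login time "older than or equal to" the existing entry is ignored), reads the clock skew out of the useridd.log line from the Symptom section, and replays the Cause scenario to show how long locally generated captive-portal mappings are dropped, including the equal-timestamp edge case. The table class, function names and the constructed firewall epoch are this example's own assumptions.

```python
"""Added example for this article (not PAN-OS code): a minimal model of the
IP-user mapping table rule quoted in the debug message ("older than or equal
to" login times are ignored), plus a helper that reads the clock skew out of a
useridd.log line. All names below are this example's own."""
import re
from datetime import datetime, timezone

# Constructed sample: the debug line shown in the Symptom section.
SAMPLE_LOG = (
    "2023-02-20 04:15:08.324 +0000 debug: "
    "pan_user_id_ipusers_mp_table_add(pan_user_id_ipuser.c:424): "
    "Ignore outdated or duplicate ip-user adding for ip 10.10.10.10, uid 1010 : "
    "login time 1676866650 is older than or equal to 1676866650"
)

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ (?P<tz>[+-]\d{4}) .*?"
    r"for ip (?P<ip>\S+), uid (?P<uid>\d+) : login time (?P<new>\d+) "
    r"is older than or equal to (?P<cur>\d+)$"
)


def skew_from_log_line(line):
    """Seconds by which the login time already in the table is ahead of the
    firewall clock that stamped the log line. Positive = the User-ID source
    (DC/agent) clock is ahead of the firewall, and the firewall will keep
    ignoring its own captive-portal mappings for about that long."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not an 'Ignore outdated or duplicate' line")
    logged = datetime.strptime(f"{m['ts']} {m['tz']}", "%Y-%m-%d %H:%M:%S %z")
    return int(m["cur"]) - int(logged.timestamp())


def epoch_to_utc(epoch):
    """Render an epoch login time the way the log's own timestamps read."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


class IpUserTable:
    """One entry per IP; a newer login time replaces it, an equal or older
    one is dropped, mirroring the debug message."""

    def __init__(self):
        self.entries = {}   # ip -> (uid, source, login_time)

    def add(self, ip, uid, source, login_time):
        cur = self.entries.get(ip)
        if cur is not None and login_time <= cur[2]:
            return False    # "older than or equal to": ignored
        self.entries[ip] = (uid, source, login_time)
        return True


def simulate(skew_seconds, interval=30):
    """Replay the Cause section. The agent mapping arrives stamped by the DC
    clock, which is `skew_seconds` ahead of the firewall; the user then hits
    the captive portal every `interval` seconds, each login stamped by the
    firewall's own clock. Returns (offsets ignored, offset first accepted)."""
    ip, uid = "10.10.10.10", 1010
    fw_now = 1676866500     # arbitrary firewall epoch (constructed)
    table = IpUserTable()
    table.add(ip, uid, "agent", fw_now + skew_seconds)
    ignored, accepted_at = [], None
    # max() keeps the loop non-empty when the firewall clock is ahead (skew < 0)
    for offset in range(0, max(skew_seconds, 0) + 2 * interval, interval):
        if table.add(ip, uid, "captive-portal", fw_now + offset):
            accepted_at = offset
            break
        ignored.append(offset)
    return ignored, accepted_at


if __name__ == "__main__":
    skew = skew_from_log_line(SAMPLE_LOG)
    print(f"log written at firewall time {SAMPLE_LOG[:19]}, table entry login "
          f"time {epoch_to_utc(int(LOG_RE.match(SAMPLE_LOG)['cur']))} UTC: "
          f"source clock is {skew} s ahead")
    for s in (180, skew, 0, -60):
        ignored, ok = simulate(s)
        print(f"skew {s:4d}s: {len(ignored)} captive-portal logins ignored, "
              f"first accepted at +{ok}s")
```

For the sample log line the entry in the table carries a login time 142 seconds ahead of the firewall clock that wrote the line (04:17:30 against 04:15:08 UTC), which is consistent with the 2 min 26 s gap between Receive Time and Factor Completion Time in the User-ID log above. With a 3-minute skew and a 30-second captive-portal retry, seven logins are dropped before one is accepted; with the clocks aligned only the exact duplicate is dropped, and with the firewall ahead of the source nothing is dropped at all.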


Resolution


  1. Use 'show clock' on the firewall and compare the result with an external time source to check whether the firewall time is correct.
  2. If the firewall is not in sync, configure NTP and confirm that the NTP server is reachable; 'show ntp' should then report the state as synched rather than "NTP not synched, using local clock" (see: Configure Authenticated NTP on Palo Alto firewalls - Knowledge Base - Palo Alto Networks).
  3. If the firewall time is correct, check the time on the Active Directory Domain Controllers (and any User-ID agent hosts) and resolve any time synchronisation issues there.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sawJCAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail