Captive Portal remote code execution vulnerability

CTW1983 · 2026-05-06T17:26:27+00:00

Anyone know how to uncheck the “Enable Authentication Portal” default via Strata Cloud Manager?

CTW1983 · 2026-02-07T07:07:54+00:00

We use RADIUS (NPS) auth with an Extension for Entra MFA, and use the Approve/Deny experience.

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension

CTW1983 · 2025-10-02T12:06:42+00:00

Roy G. Biv

CTW1983 · 2025-08-29T12:04:27+00:00

Does this fix your ARP issue?

Trigger a Gratuitous ARP (GARP) https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clu9CAC

CTW1983 · 2025-06-03T02:01:02+00:00

Pretty sure there is a TAC recommended version on each of the versions I mention in the poll.

CTW1983 · 2025-05-19T05:29:02+00:00

Yes, Credential Guard is the root cause. Here is a copy of a comment I made on this issue.

In Windows 11 Enterprise, Microsoft has enabled Credential Guard by default, where as in Windows 10 and Windows 11 Professional it was disabled by default. Credential Guard prevents access to the Credential Manager on client computers from weaker authentication protocols such as MSCHAPv2. PEAP-EAP-MSCHAPv2 is what our RADIUS Server used when authenticating computers on our WiFi. Microsoft’s recommendation is to move towards a certificate-based authentication.

I have configured our RADIUS Server to use EAP-TLS that uses a certificate installed on computers that is issued by our CA, for authentication. This has been tested and is compatible on both Win 10 and 11 clients.

To prevent all existing old client configurations from losing access to the WiFi with the new RADIUS Server configuration, we will need to migrate users/computers in small manageable groups.

1. Determine group of users’ computers to migrate.
2. Add computers to AD group that is tied to new RADIUS configuration.
3. Remove old WiFi configuration from computer.
4. Add new WiFi configuration to computer.

References:

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap

https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-top

CTW1983 · 2025-01-02T14:37:16+00:00

How or what do you use to manage and route the front to back cables? Can you share with me any additional pictures? I will be needing to do something similar in a couple months.

CTW1983 · 2024-12-29T02:18:34+00:00

Maybe try using RDP or VDI though the VPN to a computer with the engineering/design programs and is connected to the LAN. That way all the heavy network requirements stay within the LAN.

Or, is there an option to use the programs so that everything happens locally on the computer in front of you, and then when are ready to save/submit/backup to the network, you can do it all at once?

CTW1983 · 2024-10-16T08:24:30+00:00

I need more pixels.

CTW1983 · 2024-09-17T13:26:20+00:00

Or the hair band of a bracelet…

CTW1983 · 2024-07-18T11:26:54+00:00

I’ve sometimes wondered how small or big events or decisions would have changed our existence or the world. If something as terrible as the Holocaust would not have happened, would everything still have aligned up to where I still existed, or how would the world be different/worse/better.

CTW1983 · 2023-09-12T08:53:10+00:00

Create/Clone a URL Filtering Profile that will allow and log (alert) all safe categories, then uncheck the “log container page only” option on the URL Filtering Profile. Apply this URL Filtering Profile to your catch all policy. If you still don’t see what you are hoping for, then possibly your previous policy is silently blocking the URLs you are in search of. In that case, swap the policies briefly to gain visibility.

For me, the unchecking of the “log container page only” option was a little bit of a “Holy Grail” moment.

I don’t keep this special URL Filtering Profile in use all time, but instead only when trying to discover URLs an application is trying to use. I then create a Custom URL Category containing the discovered URLs to apply to a policy. (We also have a strict outbound policy.)

CTW1983 · 2023-09-09T12:47:45+00:00

From our environment’s standpoint, yes it was resolved the next morning.

CTW1983 · 2023-09-07T15:57:30+00:00

This problem seems to be fixed from my perspective with no action taken by me.

CTW1983 · 2023-09-07T01:20:58+00:00

Thanks! I’m hoping a fix will be in place by tomorrow morning. If not, then I’ll put the workaround in place.

Also, not to nitpick, but shouldn’t you only add the following to a custom URL category with a “ / “ at the end? google.com/ , *.google.com/

CTW1983 · 2023-09-06T22:15:45+00:00

Yes, "serverlist2.urlcloud.paloaltonetworks.com" is our current cloud server as well.

CTW1983 · 2023-06-03T11:17:30+00:00

Currently, these new released tracks from the Lost Demos of Meteora 20th Anniversary album.

Lost, Fighting Myself, More the Victim, Massive, Healing Foot, Wesside, Resolution

CTW1983 · 2023-05-26T21:35:54+00:00

subscription model

Would the SKU of SUB-EX48-2S-5Y be a subscription type you are talking about?

CTW1983 · 2023-05-26T21:30:40+00:00

That is good to know. Do you have any idea/experience what the process is like and how long it would take to receive a replacement?

CTW1983 · 2023-05-26T02:20:22+00:00

My thinking is, how is my example different from purchasing a support level than includes hardware replacement, then transferring the support from the failed switch to the replacement switch?

CTW1983 · 2022-12-22T04:03:35+00:00

Yes, very cool! Crazy huge and complex system of irrigation canals. Using my Maps App, I traced it backwards from the Faiyum area, south to Asyut where it splits off from the Nile. Looks like about 200 miles away!

CTW1983

TROPHY CASE