There may be multiple reasons for the failure.
1: Incorrect captive portal page mapped on the controller.
2: Incorrect ACLs defined on the controller.
3: No inter-VLAN routing enabled between the guest network and CPPM.
1: Incorrect captive portal page mapped on the controller.
On ClearPass Guest:
Navigate to Home » Configuration » Web Logins and verify the login page.
Click on "Test" and check the URL and the appearance of the page.
Copy the URL of the page and compare it with the URL configured on the controller.
Navigate to "Security > Authentication > L3 Authentication" on the controller and verify that the same URL is mapped to the captive portal profile in use.
2: Incorrect ACLs defined on the controller.
Check the ACLs defined for the preauth role.
For example, if the preauth role is "Guest", run the CLI command below and check the ACLs mapped to this role:
#show running-config
Verify that the role allows HTTP and HTTPS connectivity to the CPPM server:
ip access-list session captiveportal
user alias CPPM svc-https permit   <-- if this rule is missing, this error occurs
user alias CPPM svc-http permit
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
Here CPPM is an alias for the CPPM server, which can be added as shown below.
(NS-Aruba-3200) #configure terminal
(NS-Aruba-3200) (config) #netdestination CPPM
(NS-Aruba-3200) (config-dest) #host 10.10.10.10
(NS-Aruba-3200) (config-dest) #end
(NS-Aruba-3200) #write memory
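An added example, not part of the original article or of Aruba's tooling: a Python check, run over a saved copy of the running-config, that reports when the captiveportal ACL lacks the permit rules to the CPPM alias or places them below the "user any" dst-nat rules. The function names and the sample configuration are constructed for illustration.

```python
# Constructed sample: the captiveportal ACL above with the CPPM svc-https
# permit rule left out (the misconfiguration this section describes).
SAMPLE_CONFIG = """\
ip access-list session captiveportal
  user alias CPPM svc-http permit
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
!
"""


def parse_session_acl(config, acl_name):
    """Return the rules of one 'ip access-list session' block as token lists."""
    rules, inside = [], False
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "session"]:
            inside = tokens[3:4] == [acl_name]
        elif inside and tokens and tokens[0] != "!":
            rules.append(tokens)
        else:
            inside = False  # a blank line or "!" ends the block
    return rules


def check_cppm_access(config, acl_name="captiveportal", alias="CPPM"):
    """List the problems that keep preauth clients from reaching the portal."""
    rules = parse_session_acl(config, acl_name)
    findings = []
    for svc in ("svc-http", "svc-https"):
        permit = ["user", "alias", alias, svc, "permit"]
        permit_at = next((i for i, r in enumerate(rules) if r[:5] == permit), None)
        nat_at = next((i for i, r in enumerate(rules)
                       if r[:3] == ["user", "any", svc] and "dst-nat" in r), None)
        if permit_at is None:
            findings.append(f"{svc}: no permit rule to alias {alias}")
        elif nat_at is not None and nat_at < permit_at:
            # Rules are matched top-down: the dst-nat rule would win first.
            findings.append(f"{svc}: permit to {alias} is below the dst-nat rule")
    return findings


if __name__ == "__main__":
    for finding in check_cppm_access(SAMPLE_CONFIG):
        print("FAIL", finding)
```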
3: No inter-VLAN routing enabled between the guest network and CPPM.
Make sure that inter-VLAN routing is enabled. For instance, say that the CPPM, controller and AP are on the management VLAN (VLAN 1) while the guest clients get an IP address from VLAN 10.
Ensure that the VLAN interface for the guest network on the controller has an IP address assigned to it; otherwise the HTTP TCP SYN&ACK will take an asynchronous routing path, which will not work.