Using GRE Tunnels to centralize L3 access
03-25-2012 01:14 PM
Hi,
I am working on this
The point I am stuck on is that I have assigned no IP address on VLAN2. I have tunneled it to the master controller. The tunnel is untrusted only at the master controller because I want all the authentication to be held at the master controller.
Following the instructions on the above link, I am able to get the IP from the DHCP which is at VLAN 2, but I never get a captive portal page. However, when I try to connect to APs on the master controller, I have no issues in getting the clients authenticated. They are redirected to the captive portal page, but on the local controller they won't be.
However, I have noticed that when I assign an IP on the VLAN 2 interface I get the captive portal page. But this stops roaming for the clients, since the session of a client does not exist on the master controller, and when a user roams from the local to the master controller they again get the captive portal page to get authenticated, which means all their application sessions are deleted.
I have found the instructions on the above link and completely followed them. But I am not getting the captive portal page on the clients which are connecting with the local controller.
Kindly advise.
Farzan
Re: Using GRE Tunnels to centralize L3 access
03-25-2012 03:03 PM
First, make sure your clients can resolve DNS, which is crucial to them being able to bring up the page.
Second, if the master side of the tunnel is untrusted the clients get redirected to the "ip cp-redirect-address" on the master controller and that needs to be reachable.
Third, make sure the AAA profile on either side does not have "Enforce DHCP", just as a troubleshooting step.
Re: Using GRE Tunnels to centralize L3 access
03-25-2012 03:25 PM
Hi Joseph,
Thank you for your response.
Answer to first question:
Yes, clients are able to resolve DNS and can also ping domain names such as google.com or yahoo.com. But they do not get a captive portal until I define an IP on the VLAN interface. In my case I have an IP on the VLAN on both, that is, on the master controller and on the local controller.
Answer to Second question:
Yes, the clients can reach the cp-redirect-ip, which is the master controller IP. I have also manually added the cp-redirect-ip to my local controller, which is the master controller IP. Do you think this could be because of PEF on the local controller?
Answer to Third Question:
Enforce DHCP is disabled on both ends.
Thanks.
Re: Using GRE Tunnels to centralize L3 access
03-25-2012 03:29 PM
On the master controller, see if you can ping the client. When the client is opening a web page, do a "show datapath session table <ip address of client>" to see what it is doing at the time.
Do NOT point the ip cp-redirect of the local to the master. That will only work for untrusted traffic at the local controller and should not be pointed to the master.
When you say PEF on the local controller, what do you mean?
Re: Using GRE Tunnels to centralize L3 access
03-25-2012 03:36 PM
Thanks for your prompt response.
I am not able to ping the client from the master controller. However, I can see that the client is maintaining a tunnel from the local controller to the master controller, and hopefully the sessions are flowing through that tunnel. Also, I see that the roaming status is wired under the master controller, which again shows that the client data is flowing through the master controller.
By PEF on the local controller I mean that maybe, when I remove the IP from the VLAN interface, it is PEF which is blocking the captive portal page from the master controller from coming up?
The command you told me, shall I try to run it now or after removing the IP from the VLAN interface? And then try to connect to get the captive portal for authentication?
show datapath session table < ip address of client>
Re: Using GRE Tunnels to centralize L3 access
03-25-2012 03:42 PM
The previous command should be run while the client is attempting to bring up the page.
Re: Using GRE Tunnels to centralize L3 access
03-25-2012 03:48 PM
Hi,
When I do the datapath session command on the master controller for that client I get nothing. But when I ran it on the local controller on which the client is connected, I got the following:
RC-Aruba-620) #show datapath session table 172.16.235.245
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
172.16.235.245 62.75.246.130 6 64914 5938 0/0 0 0 0 tunnel 19 c FDYC
172.16.235.245 74.125.237.136 6 64912 80 0/0 0 0 0 tunnel 19 20 NYCI
172.16.235.245 74.125.237.137 6 64915 80 0/0 0 0 0 tunnel 19 b NYCI
192.168.100.15 172.16.235.245 6 8080 64915 0/0 0 0 1 tunnel 19 b S
192.168.100.15 172.16.235.245 6 8080 64912 0/0 0 0 1 tunnel 19 20 S
192.168.100.15 is my local controller and 192.168.100.17 is master controller.
The initial user role is Hotspot-guest-logon
and rights are as follows:
Derived Role = 'Rosmini_Hotspot-guest-logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 35/0
Max Sessions = 65535
Captive Portal profile = Rosmini_Hotspot-cp_prof
access-list List
----------------
Position Name Location
-------- ---- --------
1 logon-control
2 captiveportal
logon-control
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
captiveportal
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
3 user any svc-https dst-nat 8081 Low 4
4 user any svc-http-proxy1 dst-nat 8088 Low 4
5 user any svc-http-proxy2 dst-nat 8088 Low 4
6 user any svc-http-proxy3 dst-nat 8088 Low 4
Expired Policies (due to time constraints) = 0
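An added example, not from this thread, that parses the local controller's "show datapath session table" output quoted above: it decodes the flag letters with the legend the command prints and, for each dest-NATed (N) web flow from the client, pairs it with its src-NATed (S) reverse entry to report which address and port the flow was actually rewritten to, so the result can be compared with the controller that holds "ip cp-redirect-address". The sample rows are the ones posted above, re-aligned; the function and variable names are mine.

```python
import re

# Constructed sample: the session-table rows quoted in this thread, re-aligned.
SESSION_TABLE = """\
172.16.235.245  62.75.246.130   6  64914 5938  0/0 0 0 0 tunnel 19 c  FDYC
172.16.235.245  74.125.237.136  6  64912 80    0/0 0 0 0 tunnel 19 20 NYCI
172.16.235.245  74.125.237.137  6  64915 80    0/0 0 0 0 tunnel 19 b  NYCI
192.168.100.15  172.16.235.245  6  8080  64915 0/0 0 0 1 tunnel 19 b  S
192.168.100.15  172.16.235.245  6  8080  64912 0/0 0 0 1 tunnel 19 20 S
"""

# Flag legend exactly as the command prints it in the post above.
FLAG_LEGEND = {"F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
               "R": "redirect", "Y": "no syn", "H": "high prio", "P": "set prio",
               "T": "set ToS", "C": "client", "M": "mirror", "V": "VOIP",
               "Q": "Real-Time Quality analysis", "I": "Deep inspect",
               "U": "Locally destined", "E": "Media Deep Inspect", "G": "media signal"}

# Columns: Source, Destination, Prot, SPort, DPort, Cntr, Prio, ToS, Age,
# Destination (may contain a space, e.g. "tunnel 19"), TAge, Flags.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+\S+\s+\d+\s+\d+\s+\d+\s+"
                 r"(.+?)\s+(\S+)\s+([A-Z]*)\s*$")

def parse_session_table(text):
    """Return one dict per data row; legend and header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src, dst, proto, sport, dport, egress, _tage, flags = m.groups()
        rows.append({"src": src, "dst": dst, "proto": int(proto), "sport": int(sport),
                     "dport": int(dport), "egress": egress, "flags": set(flags)})
    return rows

def explain_flags(flags):
    """Expand a Flags string such as 'NYCI' using the printed legend."""
    return [FLAG_LEGEND.get(f, "unknown flag " + f) for f in flags]

def find_captive_portal_redirects(rows, client_ip, web_ports=(80, 443)):
    """Pair each dest-NATed web flow from the client with the reverse (src-NATed) entry
    whose dport equals the client's source port; that entry's source is the address the
    controller rewrote the flow to, i.e. the device serving the captive portal."""
    out = []
    for r in rows:
        if r["src"] != client_ip or r["dport"] not in web_ports or "N" not in r["flags"]:
            continue
        back = [b for b in rows if b["dst"] == client_ip and b["dport"] == r["sport"]
                and "S" in b["flags"]]
        if back:
            out.append({"original_dst": r["dst"], "redirected_to": back[0]["src"],
                        "redirect_port": back[0]["sport"], "via": r["egress"]})
    return out
```

Run against the rows above it reports both port-80 flows rewritten to 192.168.100.15:8080 via "tunnel 19", which is the local controller's address in this thread.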
Re: Using GRE Tunnels to centralize L3 access
03-25-2012 03:50 PM
And yes, the user role on the master controller is authenticated and the status is wired.
Re: Using GRE Tunnels to centralize L3 access
03-25-2012 04:58 PM
Thank you for your support Joseph. It is much appreciated.
Re: Using GRE Tunnels to centralize L3 access
03-25-2012 05:58 PM
No problem.