Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
Clients in the captive portal VLAN must be able to reach either the controller's switch IP address or the configured ip cp-redirect-address, as described here.
VLAN 1: This VLAN contains the controller's switch IP address.
VLAN 3: This VLAN is configured for guest access. This unsecured VLAN connects to the inside of an Internet firewall that runs DHCP and default gateway services for this subnet. The firewall assigns clients addresses from the 192.168.1.0/24 range. The Aruba controller is assigned 192.168.1.200 on VLAN interface 3.
On VLAN 3, guests are able to connect and receive an IP address from the firewall. The problem is that when captive portal is enabled, it uses an address from secure VLAN 1 (https://10.1.1.20) rather than the address from guest VLAN 3 (192.168.1.200). By design, the IP address from VLAN 1 is not accessible to hosts on VLAN 3, so captive portal authentication fails.
Solution
The address used by captive portal can be configured from the CLI, as in the following example:
(Aruba6000-wifi) #config t
(Aruba6000-wifi) (config) #ip cp-redirect-address 192.168.1.200
(Aruba6000-wifi) (config) #exit
The ip cp-redirect-address is the IP address on which the controller answers captive portal requests and serves the login page. Every VLAN on which you want to run captive portal must be able to route to that address.
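The reachability rule above can be checked against a VLAN plan before changing the controller. The following Python sketch is an added example, not Aruba code: the inventory layout, the ROUTES table, the function names and the /24 mask on VLAN 1 are assumptions made for illustration. It reports, for each captive portal VLAN, whether a redirect address is on-link, reachable through a route, or unreachable, which shows that the guest VLAN address works without opening any route into the secure VLAN.

```python
import ipaddress

# Constructed inventory modelled on the article's scenario. The /24 mask on
# VLAN 1 is an assumption; the article gives only the address 10.1.1.20.
VLANS = {
    1: {"subnet": "10.1.1.0/24", "controller_ip": "10.1.1.20", "captive_portal": False},
    3: {"subnet": "192.168.1.0/24", "controller_ip": "192.168.1.200", "captive_portal": True},
}
# Networks that clients of each VLAN can reach through their gateway
# (constructed: the guest firewall forwards nothing toward the secure VLAN).
ROUTES = {3: []}


def audit_redirect(redirect_ip, vlans=VLANS, routes=ROUTES):
    """Return {vlan_id: status} for every captive portal VLAN."""
    addr = ipaddress.ip_address(redirect_ip)
    result = {}
    for vid, vlan in vlans.items():
        if not vlan["captive_portal"]:
            continue
        if addr in ipaddress.ip_network(vlan["subnet"]):
            result[vid] = "on-link"      # same subnet as the guests
        elif any(addr in ipaddress.ip_network(n) for n in routes.get(vid, [])):
            result[vid] = "routed"       # reachable only via the gateway
        else:
            result[vid] = "unreachable"  # redirect would fail for this VLAN
    return result


def pick_redirect(vlans=VLANS, routes=ROUTES):
    """Controller interface addresses that every captive portal VLAN can reach."""
    candidates = [vlan["controller_ip"] for vlan in vlans.values()]
    return [ip for ip in candidates
            if "unreachable" not in audit_redirect(ip, vlans, routes).values()]


if __name__ == "__main__":
    for ip in ("10.1.1.20", "192.168.1.200"):
        print(ip, audit_redirect(ip))
    print("usable redirect addresses:", pick_redirect())
```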