Problem: Users connecting to the Guest network configured for captive portal authentication become unable to pass traffic over a period of time.
Manually removing the user's MAC address from the user-table and reconnecting the user to the Guest network works around the issue temporarily.
Diagnostics:
- This behaviour has been seen only on the Guest SSID configured for captive portal authentication.
- During this behaviour the user had no valid IP address and showed a 169.x.x.x (self-assigned) address on the user's end.
- The user associates successfully and is assigned the captive portal post-authentication role in the user-table of the controller.
- DHCP debugging enabled on the controller showed DHCP-Discover and DHCP-Offer on the controller's datapath; however, the user was not assigned an IP address.
- On checking the post-authentication role assigned to the user, we found that the network where the DHCP server resides was denied.
- To verify this, we ran "aaa user add x.x.x.x role" and assigned a role without any restrictions; the user then got a valid IP address and was able to pass traffic without any issues.
Solution: In the captive portal post-authentication role, adding "any any svc-dhcp permit" before the internal network deny ACL fixed the behaviour.
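
The effect of the rule order can be checked with a small first-match evaluator. This is an added example, not controller code or output: the addresses, the rule sets and the modelling of svc-dhcp as UDP ports 67-68 are constructed assumptions, and it assumes rules are evaluated top-down with the first match winning, as the placement in the fix implies.

```python
import ipaddress

# Constructed values for illustration: the addresses and rule sets are assumptions.
INTERNAL_NET = "10.0.0.0/8"
DHCP_SERVER = "10.1.1.10"      # sits inside the denied internal network
SVC_DHCP = ("udp", (67, 68))   # how "svc-dhcp" is modelled in this example

# Each rule: (destination network or "any", (protocol, port range) or "any", action)
ROLE_BEFORE = [
    (INTERNAL_NET, "any", "deny"),   # internal network deny ACL
    ("any", "any", "permit"),        # guest internet access
]
# The fix: "any any svc-dhcp permit" placed ahead of the internal deny.
ROLE_AFTER = [("any", SVC_DHCP, "permit")] + ROLE_BEFORE


def evaluate(rules, dst_ip, proto, dport):
    """Return (action, rule index) for the first rule that matches the packet."""
    dst = ipaddress.ip_address(dst_ip)
    for index, (net, service, action) in enumerate(rules):
        if net != "any" and dst not in ipaddress.ip_network(net):
            continue
        if service != "any":
            svc_proto, (low, high) = service
            if proto != svc_proto or not low <= dport <= high:
                continue
        return action, index
    return "deny", None  # nothing matched: implicit deny


def dhcp_permitted(rules, server=DHCP_SERVER):
    """True when a DHCP packet addressed to the server is permitted by the role."""
    return evaluate(rules, server, "udp", 67)[0] == "permit"


if __name__ == "__main__":
    for name, role in (("before fix", ROLE_BEFORE), ("after fix", ROLE_AFTER)):
        print(name, "DHCP to server:", evaluate(role, DHCP_SERVER, "udp", 67))
        print(name, "SMB to internal host:", evaluate(role, "10.1.1.20", "tcp", 445))
```

With the permit in first position, only DHCP reaches the internal range; other traffic to internal hosts still hits the deny rule.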