Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

DNS intercept not working on our guest SSID

  • 1.  DNS intercept not working on our guest SSID

    Posted Jul 23, 2018 11:51 PM

    We have 2 SSIDs, one of which is an onboarding SSID which has a bunch of access rules and an enforced external captive portal.

     

    On our unfiltered SSID the DNS requests for captiveportal-login.<ourdomain>.com get intercepted and resolve. On our onboarding SSID the DNS requests to captiveportal-login.<ourdomain>.com just don't resolve.

     

    Obviously we need it to resolve as the external captive portal needs to be able to tell the APs to allow the client to access the wireless.

     

    Perhaps we have it set up wrong - should we be using walled gardens rather than access rules for this? We are using Cloudpath as our external captive portal. Ideally when the user is authenticated the access rules will stop applying.

     

    thanks!



  • 2.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 12:58 AM

    Do you have an L3 interface on the controller for the vlan associated to SSID where DNS resolution is not working?



  • 3.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 01:03 AM

    We have Instant APs so no controller. In saying that, how do I check for an L3 interface?

     

    For what it's worth, both SSIDs are across all access points. They are on separate VLANs and IP ranges but that's about it for differences other than the access rules.



  • 4.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 01:09 AM

    Since it is working for one SSID, I am assuming you have the correct captive portal cert installed on the IAP.

     

    For the initial role of the non-redirecting SSID, are you allowing that role DNS access? If yes, it's probably worth checking if that is allowed to the correct DNS server (both SSIDs can be using different DNS servers).



  • 5.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 01:15 AM

    Yes, we are allowing DNS, and normal web requests work. Both SSIDs go to the same DNS controllers. We are allowing DNS requests on the access rules.

     

    Here's an interesting addition: pinging setmeup.arubanetworks.com works for both SSIDs (resolves to 10.0.8.11).

     

    Pinging captiveportal-login.<mydomain> on the working SSID resolves to 172.31.98.1. On the non-working one it doesn't resolve at all. Is the 172.31.x.x IP a common IP with Aruba? This is not one of our internal IP address ranges.

     

     



  • 6.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 01:30 AM

    OK.. So the 172.31.x.x subnet is the IAP magic VLAN subnet. You will get an IP address from this subnet if your DHCP setting says "Virtual Controller Assigned".

     

    Can you check the IAP captive portal certificate for me? Who is the issuer for it?



  • 7.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 01:35 AM

    Appreciate the help so far!

     

    The certificate I actually loaded in myself today and only because I couldn't get either SSID to respond to the default securelogin.arubanetworks.com entry. It's a wildcard publicly signed cert by Comodo. Expires in 2021 and we use it for a range of other services as well.

     

    The clients on the guest SSID that doesn't work probably cannot access the CRL lists due to the access control. I wouldn't have thought that would have affected pings though



  • 8.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 01:44 AM

    Also, both SSIDs get IP addresses from the same DHCP server. Both are also set to network assigned.



  • 9.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 01:59 AM

    If you have a wildcard cert, setmeup.arubanetworks.com/securelogin.arubanetworks.com will become irrelevant. Just make sure the redirect to captiveportal-login.yourdomain.com

     

    DNS servers don't need to resolve captiveportal-login.yourdomain.com



  • 10.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 02:00 AM

    Just to add, are you using ClearPass for guest portal?

     

    If you are using a wildcard cert, on the ClearPass web login config you should use "captiveportal-login.domain.com" for the address field



  • 11.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 02:11 AM

    We use Cloudpath by Ruckus for onboarding. The system does redirect to captiveportal-login.<mydomain> but the onboarding network can't resolve that network. It only works on one of the SSIDs.

     

    I realise we won't be able to resolve those on our normal DNS servers as it's the access points that intercept and respond to it. But in this case the onboarding SSID can't resolve it at all. The APs don't seem to intercept that DNS request for that particular SSID. Very odd.



  • 12.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 02:22 AM

    Can you re-add the captive portal cert and reload the IAP cluster? I once ran into a similar issue and re-add cert/reload worked like a charm.



  • 13.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 09:03 PM

    How did you go? Any progress on this one?



  • 14.  RE: DNS intercept not working on our guest SSID

    Posted Jul 24, 2018 09:06 PM

    Gave it a try - removed the certificate and rebooted the APs. I could resolve securelogin.arubanetworks.com from the working SSID after I removed the cert but couldn't resolve it from my guest SSID. So the same symptoms occurred when the cert was removed. I have left the cert off for now and have a TAC case opened to see if they can see why it's not working. Will let you know!

     

     



  • 15.  RE: DNS intercept not working on our guest SSID

    Posted Jul 25, 2018 09:09 PM

    Worked with TAC and this is not expected behaviour so it's been escalated.



  • 16.  RE: DNS intercept not working on our guest SSID

    Posted Jul 25, 2018 09:12 PM

    Yup.. I guess we covered everything.. Probably hitting some bug or so.. Let us know how you go with TAC.