Controllerless Networks


Instant does not redirect to Clearpass

  • 1.  Instant does not redirect to Clearpass

    Posted Sep 08, 2014 10:57 PM

    Tried a few different clients/browsers and no-one gets redirected to the captive portal URL.

     

    You can type in the URL and go there directly though and login no problem, so fairly confident the Clearpass side is correct. Going to any other URL directly results in a blank page. Users have correct role 'guest-login' in Instant.

     

    Pretty basic setup so not at all clear why this is not working.

     

    wlan access-rule "Guest"
    index 3
    captive-portal external profile "Guest"
    rule any any match any any any deny

    wlan access-rule guest-guest
    index 4
    rule any any match any any any permit log

    wlan access-rule guest-presenter
    index 5
    rule any any match any any any permit log

    wlan access-rule guest-contractor
    index 6
    rule any any match any any any permit log

    wlan access-rule guest-login
    index 7
    captive-portal external profile "Guest"
    rule any any match any any any deny

    wlan ssid-profile "Guest"
    enable
    index 1
    type guest
    essid "Guest"
    opmode opensystem
    max-authentication-failures 0
    vlan guest
    auth-server clearpass
    set-role-pre-auth guest-login
    set-role Aruba-User-Role value-of
    rf-band all
    captive-portal external profile "Guest"
    mac-authentication
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter arp
    radius-reauth-interval 60
    radius-accounting
    radius-interim-accounting-interval 60
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan auth-server clearpass
    ip 10.1.22.9
    port 1812
    acctport 1813
    key <snip>
    rfc3576
    cppm-rfc3576-port 5999

    wlan external-captive-portal "Guest"
    server clearpass.<snip>.com
    port 443
    url "clearpass.<snip>.com/guest/login.php"
    auth-text ""
    auto-whitelist-disable
    https



  • 2.  RE: Instant does not redirect to Clearpass

    Posted Sep 08, 2014 11:57 PM

    One thing you are missing is a rule allowing http/https to your clearpass server 



  • 3.  RE: Instant does not redirect to Clearpass

    Posted Sep 09, 2014 12:25 AM

    So added these rules and no change...can go direct but no redirect on any browser/platform.

     

    Even weirder, traffic is disregarding these rules anyway and being let straight through.

     

    Sep 9 14:22:12 10.1.22.43 stm[1529]: <124006> <WARN> <10.1.22.43 24:DE:C6:C3:ED:3E> TCP srcip=172.31.98.3 srcport=60611 dstip=74.125.31.95 dstport=443, action=src-nat
    Sep 9 14:22:12 10.1.22.43 stm[1529]: <124006> <WARN> <10.1.22.43 24:DE:C6:C3:ED:3E> TCP srcip=172.31.98.3 srcport=44743 dstip=173.194.72.95 dstport=443, action=src-nat

     

    But the page still can't load. These logs are from a client with the guest-login role:

     

    wlan access-rule guest-login
    index 7
    captive-portal external profile "Guest"
    rule any any match udp 67 68 permit log
    rule any any match udp 53 53 permit log
    rule 10.1.22.9 255.255.255.255 match any any any permit log
    rule any any match any any any deny log

     

     



  • 4.  RE: Instant does not redirect to Clearpass

    Posted Sep 09, 2014 05:57 AM

    And took 5 minutes to prove the clearpass config was correct with an ArubaOS version of the SSID. Instant fails to live up to its name again.



  • 5.  RE: Instant does not redirect to Clearpass
    Best Answer

    EMPLOYEE
    Posted Sep 09, 2014 06:36 AM

    In your config for the captive portal, for the url I believe you only need this, not the full path.

     

    url /guest/login.php
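
As an added example (not code from the thread or from Aruba), the Python check below scans an Instant configuration export for the mistake this answer describes: an external captive portal profile whose `url` carries the hostname instead of a path only. It assumes the `wlan <type> <name>` block layout shown in the first post; `parse_blocks`, `check_portal_urls` and the `clearpass.example.com` hostname are constructed for illustration.

```python
import re

# Constructed sample, modelled on the configuration posted in this thread.
SAMPLE_CONFIG = '''\
wlan access-rule guest-login
captive-portal external profile "Guest"
rule any any match any any any deny
wlan ssid-profile "Guest"
set-role-pre-auth guest-login
captive-portal external profile "Guest"
wlan external-captive-portal "Guest"
server clearpass.example.com
url "clearpass.example.com/guest/login.php"
https
'''

def parse_blocks(text):
    """Split the config into [kind, name, settings] blocks, one per 'wlan <kind> <name>' line."""
    blocks = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'wlan (\S+) "?([^"]+)"?$', line)
        if m:
            blocks.append((m.group(1), m.group(2), []))
        elif line and blocks:
            blocks[-1][2].append(line)
    return blocks

def check_portal_urls(text):
    """Report external captive portal profiles whose url is not a bare path."""
    blocks = parse_blocks(text)
    findings = []
    for kind, name, settings in blocks:
        if kind != "external-captive-portal":
            continue
        cfg = dict(s.split(None, 1) for s in settings if " " in s)
        url = cfg.get("url", "").strip('"')
        if not url or url.startswith("/"):
            continue  # path-only form, as in the accepted answer
        users = [f"{k} {n}" for k, n, s in blocks
                 if f'captive-portal external profile "{name}"' in s]
        path = "/" + url.split("://")[-1].partition("/")[2]
        findings.append({"profile": name, "url": url, "suggested": path,
                         "repeats_server": cfg.get("server", "\0") in url,
                         "referenced_by": users})
    return findings

if __name__ == "__main__":
    print(check_portal_urls(SAMPLE_CONFIG))
```

The `referenced_by` list shows which roles and SSID profiles are affected by the faulty portal profile.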



  • 6.  RE: Instant does not redirect to Clearpass

    Posted Sep 09, 2014 08:27 PM

    Ah that was it.

     

    Total misuse of the term URL and this is the doco for it with no examples:

     

    "URL Enter the URL for the external captive portal server."

     

    Frustrating to find time wasters like this.