Greetings. I apologize in advance if this is not explained very well, but I was hoping to find out if anyone has seen similar behavior or knows a workaround to what we are experiencing with an inherited IAP deployment we have in the field.
High-level setup: Multiple cookie-cutter IAP hotspot deployments with external captive portal
Config info:
We have external captive portal configured with RADIUS
We have our IAP auth role configured with firewall rule of allow any any
Firewall rule is network based, not role based. The only role is the auth rule of allow any any
What should happen is, the end user connects to the SSID and gets assigned the Aruba default External CP role.
The end user then makes an HTTP request and should get redirected to the captive portal.
Once the captive portal is processed, the RADIUS server sends the auth to the IAP, which then puts the user in the Auth role, thus allowing outside access.
This scenario works perfectly fine except in 2 of our locations/deployments. What we have been seeing in these 2 locations is that end users are associating to the SSID and making HTTP requests, but are getting stuck in the External CP role and are never presented with a captive portal. We have found that the only action we take that corrects it is to have the end user "forget this network", then reconnect. Simply disconnecting and reconnecting does not work; the user must forget the network.
We compared the "bad" locations with "good" locations and confirmed their configurations are 100% the same (aside from minor housekeeping things such as device name). The only difference between the good locations and bad locations is firmware version. The "bad" locations are on firmware 6.3.1.2, while the "good" locations are on older firmware 6.2.1.0.
Any insight would be greatly appreciated.
Thanks!