Security

Hello all,

 

I'm hoping someone can point me in the right direction.

 

We have a captive portal setup for guest wireless access that requires the user to accept our usage policy and provide an email address. While this works fine for our iPhone users, Windows and Apple laptops, the same cannot be said for our Android users. The captive portal never launches even when they open a browser and attempt to go to a web page.

 

Running a "show datapath session table" shows the Android device contacting the DNS server with flag "FYI" which I think means the DNS server is not responding. But other devices have no problem with reaching the DNS server so I don't think it's routing related.

 

Has anyone run into this before?

 

- Nina

Which version you got of firmware?

NighShade1,

 

We have version 6.1.3.5

Sounds like it might be an OCSP issue. Do you have HTTPS enabled in the captive portal profile; can you try it without it?      Are you seeing anything other than DNS looks up for that session?

 

If you can get there with HTTP only, then look to implement a rule to allow OCSP lookups in the login role.    There ar some posts on this forum for this.  You can also verify this is the case with Firefox on a Windows machine.

clembo,

 

We use HTTP for the captive portal redirect.

 

There is nothing else on the table besides DNS lookup.  Below is a typical output from an Anroid phone:

207.172.11.15 and 207.172.11.16 are the DNS servers

 

 

show datapath session table 192.168.210.203

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       u - User Index

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ -----
207.172.11.16   192.168.210.203 17   53    28434  1/4     0 96  0   tunnel 2617 4    0      0      FYI
                                                  0/0     0 0   0   local                         
207.172.11.15   192.168.210.203 17   53    30412  1/4     0 96  1   tunnel 2617 16   0      0      FYI
                                                  0/0     0 0   0   local                         
207.172.11.15   192.168.210.203 17   53    2408   1/4     0 96  1   tunnel 2617 16   0      0      FYI
                                                  0/0     0 0   0   local                         
207.172.11.15   192.168.210.203 17   53    1699   1/4     0 96  1   tunnel 2617 13   0      0      FYI
                                                  0/0     0 0   0   local                         
207.172.11.16   192.168.210.203 17   53    7799   1/4     0 96  1   tunnel 2617 11   0      0      FYI
                                                  0/0     0 0   0   local                         
207.172.11.16   192.168.210.203 17   53    55661  1/4     0 96  1   tunnel 2617 e    0      0      FYI
                                                  0/0     0 0   0   local                         
207.172.11.15   192.168.210.203 17   53    54624  1/4     0 96  1   tunnel 2617 9    0      0      FYI
                                                  0/0     0 0   0   local                         
207.172.11.16   192.168.210.203 17   53    35976  1/4     0 96  1   tunnel 2617 11   0      0      FYI
                                                  0/0     0 0   0   local                         
207.172.11.15   192.168.210.203 17   53    38106  1/4     0 96  1   tunnel 2617 2    0      0      FYI
                                                  0/0     0 0   0   local                         
207.172.11.16   192.168.210.203 17   53    47276  1/4     0 96  1   tunnel 2617 e    0      0      FYI
                                                  0/0     0 0   0   local                         
207.172.11.15   192.168.210.203 17   53    45076  1/4     0 96  2   tunnel 2617 13   0      0      FYI
                                                  0/0     0 0   0   local                         
192.168.210.203 207.172.11.15   17   30412 53     1/2     0 96  1   tunnel 2617 16   418    d0bf   FCI
                                                  0/0     0 0   0   local                         
192.168.210.203 207.172.11.16   17   28434 53     1/2     0 96  1   tunnel 2617 4    418    d0bf   FCI
                                                  0/0     0 0   0   local                         
192.168.210.203 207.172.11.16   17   7799  53     1/2     0 96  0   tunnel 2617 11   418    d0bf   FCI
                                                  0/0     0 0   0   local                         
192.168.210.203 207.172.11.15   17   1699  53     1/2     0 96  0   tunnel 2617 13   418    d0bf   FCI
                                                  0/0     0 0   0   local                 

have you tried to do DNS lookups with an app which allows this? do they resolve? if not, might it be an idea to test with different DNS servers, perhaps the public ones from google? beyond that you might want to capture at the DNS server side to check for anything odd. it is weird this just happens on android, does it happens on all android devices?

Boneyard,

 

Thanks for your response. Some Android devices work fine others don't. I'll gather more information from the users to determine the Android OSes that are failing to load the Captive Portal and do some further testing.

Just4now88 if this is critical, please open a support case asap to get this troubleshot in parallel since the solution could be very involved and depend on personal information that cannot be shared in this forum.

I have had the same issue with iOS 6 devices. TAC could not figure it out.  I would like to know what TAC says to this issue.