I have a couple of sites acting oddly for our guest wireless network. This network is set up so that when you initially log in, you're put into a role where all HTTP and HTTPS traffic is DNAT'd to the captive portal to accept our user agreement before they're placed in a general rule to allow outbound traffic.
Currently the gateway that the DHCP server hands out is terminated at our SRX. The Controller is on the same VLAN but is not the gateway that the DHCP server hands out.
The issue we're experiencing is that some sites (each site has their own AP group) will not load the captive portal, albeit it's resolving DHCP. For the systems whose MAC addresses we've set up in a whitelist to bypass the captive portal, those systems work fine (communication, everything).
The SSID/VAP/AAA policies inside the AP Group for this site are the same as all the working sites.
There's one firewall between the controllers and the APs and the working APs have the exact same firewall policy that the non-working ones do.
At one site, provisioning the AP-105s as RAPs seems to have resolved the issue, but at another site, not even provisioning them in RAP mode fixes this issue (they exhibit the same behavior in both CAP and RAP modes).
Is there something I'm missing with how the captive portal is supposed to work that's inhibiting this?