10-31-2013 02:05 PM
I have a couple of sites acting oddly for our guest wireless network. This network is set up so that when you initially log in, you're put into a role where all http and https traffic are DNAT'd to the captive portal to accept our user agreement before they're placed in a general rule to allow outbound traffic.
Currently the gateway that the DHCP server hands out is terminated at our SRX. The Controller is on the same VLAN but is not the gateway that the DHCP server hands out.
The issue we're experiencing is that some sites (each site has their own AP group) will not load the captive portal, albeit it's resolving DHCP. For the systems whose MAC addresses we've set up in a whitelist to bypass the captive portal, those systems work fine (communication, everything).
The SSID/VAP/AAA policies inside the AP Group for this site are the same as all the working sites.
There's one firewall between the controllers and the APs and the working APs have the exact same firewall policy that the non-working ones do.
At one site, provisioning the AP-105s as RAPs seems to have resolved the issue, but at another site, not even provisioning them in RAP mode fixes this issue (they exhibit the same behavior in both CAP and RAP modes).
Is there something I'm missing with how the captive portal is supposed to work that's inhibiting this?
10-31-2013 02:11 PM
is needed for redirects to work.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
10-31-2013 02:21 PM
Without asking you loads more questions about the topology, one thought occurs. But let's confirm my understanding first...
So based on what you've said, all guest users from all APs terminate on a VLAN out the back of the controller (having come from a tunnelled VAP). All the users go through the same role stages (pre-post portal "login"). And some users work just fine (so that suggests the captive portal on the controller is ok, as is the egress SRX firewall transit for guests).
So, there must be a difference between the AP connectivity from certain sites. You say switching to RAP fixed some sites but not all? If that's the case, for the ones not working, I'd suggest reducing the MTU in the AP system profile applied to the still-not-working RAPs. Sometimes intermediate firewalls will drop large packets. Either that, or look for drops in the firewall logs of the firewalls between the non-working APs and controllers? I see that a lot (Checkpoints, Palos, all getting far too clever).
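An added example (not from the thread or from Aruba) for the MTU suggestion above: it probes the largest unfragmented packet that passes between a host at a non-working site and the controller, so you know what to lower the AP system profile MTU to before touching it. It assumes a Linux host at the AP's site and the Linux `ping -M do` (don't-fragment) form; the probe is pluggable so the search logic can be checked offline.

```python
"""Find the path MTU from an AP site towards the controller by binary search.

Hypothetical helper, not part of the original post. Uses Linux `ping` with the
DF bit set; a firewall that drops large packets shows up as a path MTU < 1500.
"""
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host: str, payload: int, timeout_s: int = 1) -> bool:
    """True if an ICMP echo with `payload` data bytes and DF set is answered."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
           "-s", str(payload), host]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                         stderr=subprocess.DEVNULL)
    return res.returncode == 0


def find_path_mtu(host: str, probe=ping_df, lo: int = 576, hi: int = 1500):
    """Largest total IP packet size (bytes) that crosses the path unfragmented.

    `probe(host, payload_bytes)` must return True when a DF-marked echo of that
    payload gets a reply. Returns None if even `lo` fails, which points at a
    reachability or policy problem rather than an MTU one.
    """
    if not probe(host, lo - IP_ICMP_OVERHEAD):
        return None
    if probe(host, hi - IP_ICMP_OVERHEAD):
        return hi  # full-size frames pass; MTU is not the culprit
    while hi - lo > 1:  # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if probe(host, mid - IP_ICMP_OVERHEAD):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    controller = sys.argv[1] if len(sys.argv) > 1 else "controller.example.net"
    mtu = find_path_mtu(controller)
    if mtu is None:
        print(f"{controller}: even 576-byte packets fail; check reachability/policy")
    else:
        print(f"{controller}: path MTU {mtu}; AP system profile MTU should be <= this")
```

Run it from a laptop on the AP's wired subnet at the non-working site; a result well under 1500 supports the dropped-large-packet theory, and the firewall logs between that site and the controllers are the place to confirm it.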