09-02-2015 08:40 AM
I am being told of a very odd issue at only one site (we have CP deployed as a main server that supports multiple sites) where a user attempts to connect to our guest SSID, which then presents them with the ClearPass Self-Registration Page where they fill in their details and click Continue, then it automatically authenticates them, and at this point it is supposed to pass them onto the Internet... But it is simply returning to the Self-Registration Page and never gets them onto the Internet.
I think I have seen this before, but I cannot figure out what might be causing this.
I have looked at the local controller and the VAP and AAA profiles set up for the guest network and they are exact copies of other sites where the guest network is working. I have checked Radius and determined that the local controller is in fact in the Radius server. I have checked ClearPass and verified that the local controller is in the ClearPass server in Devices as well.
Anywhere else I might want to start looking to figure out what's causing this?
09-02-2015 10:45 AM
You can take a look at a couple of things:
- Look for the device MAC address in the Access Tracker and see if you find anything related to authentication failure.
- Make sure that the ClearPass server group is in the Layer 3 Captive Portal Profile.
- Make sure that the RADIUS pre-shared key is correct in the controller and ClearPass.
- Are you enforcing under the Enforcement Policy that only a certain amount of devices per user are allowed?
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
09-02-2015 12:05 PM
I was not seeing any authentication attempts, so I removed it from the Devices list and then re-added it back by using a copy of a known good client and now it is working. Thank you!
09-02-2015 12:20 PM
If it was an incorrect shared key you'd see that in the event viewer.
I saw this another time during the early stages of a deployment. Client could register and you'd see it in Access Tracker, but wouldn't get put into the correct role and the portal page would show again. Turns out it was a routing issue and the RADIUS response wasn't getting back to the controller (the RADIUS traffic can take a different path to the client captive portal traffic). Not the same issue you had, but symptoms the same... something else to look out for.
ACCP, ACMP, ACMX #294