01-02-2015 07:47 AM
I'm running around in circles here. Hope you guys can help.
- My IAP guest setup places guest users on a separate VLAN that has no route to the internal network.
I have configured an external captive portal for the guest ssid.
I have created a role (pre-logon) that allows a sourcenat to the CPPM server.
If I connect to the guest ssid, I receive a correct network-issued IP address.
If I start a web browser and point it to a random site, I am redirected to the URL configured in the external captive portal setting. The browser then times out. No traffic is received from CPPM. The redirect is set up for HTTP port 80; ClearPass then should redirect to 443.
I can however ping the CPPM server.
If I test this in a vlan that is allowed to route to CPPM, all works fine. Somehow the IAP is not handling my traffic properly. Some config snippets below.
This is driving me nuts! Please help. Thank you!
wlan external-captive-portal Guest_portal_nl

wlan ssid-profile TQ_GUEST
 captive-portal external profile Guest_portal_nl
 auth-survivability cache-time-out 24

wlan access-rule TQ_GUEST
 rule any any match any any any permit

wlan access-rule TQ_GUEST-PREAUTH
 rule 10.220.207.9 255.255.255.255 match any any any src-nat
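A small client-side probe for the flow described in the post (AP intercepts port 80, 302 to the portal, portal reachable on 80 and 443), added here as example code rather than anything from the thread or from Aruba; the probe site, portal URL and hostnames are placeholders.

```python
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Placeholders: any plain-http site the AP should intercept, and the CPPM portal URL.
PROBE_URL = "http://example.com/"
PORTAL_URL = "https://cppm.example.net/guest/portal.php"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the AP's 302 can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def redirect_location(url, timeout=5):
    """GET url once; return the Location header of a 3xx reply, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None
    except (urllib.error.URLError, OSError):
        return None


def tcp_open(host, port, timeout=5):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(location, portal_url, port80_open, port443_open):
    """Classify which hop of the captive-portal flow failed."""
    if location is None:
        return "no-redirect"          # AP did not intercept the port 80 request
    if urlparse(location).hostname != urlparse(portal_url).hostname:
        return "wrong-portal-host"    # redirect points somewhere unexpected
    if not port80_open and not port443_open:
        return "portal-unreachable"   # pre-auth role / src-nat not passing traffic
    if port80_open and not port443_open:
        return "https-blocked"        # CPPM's own 80 -> 443 hop will time out
    return "ok"


def run(probe_url=PROBE_URL, portal_url=PORTAL_URL):
    """Probe from a guest client and return the diagnosis string."""
    host = urlparse(portal_url).hostname
    return diagnose(redirect_location(probe_url), portal_url,
                    tcp_open(host, 80), tcp_open(host, 443))
```

Run it from a client on the guest SSID before logging in; "portal-unreachable" with a correct redirect is the symptom the post describes (redirect works, CPPM never answers).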
01-03-2015 06:25 PM
I have noticed this behaviour only with the latest IE. You will not see this issue with Firefox or with Chrome when port 80 is configured in IAP.
01-03-2015 06:32 PM
01-05-2015 12:46 AM
I have a MacBook. Tried it with Safari/Chrome & Firefox.
CPPM has no route to the guest network, hence the src-nat rule.
I fiddled around with 443 & 80, that did not seem to help. I'll try again tomorrow when I'm on site.
01-06-2015 11:54 AM
CPPM does have a route to the AP's management address (& the VC address).
We performed some Wireshark traces (at both ends of the AP) and the AP does not seem to NAT the traffic. The source address is still the guest's machine and not the AP, despite the src-nat rule.
- If I let the AP assign IP addresses, it works like a charm. I wiresharked the DHCP offer packet. Nothing strange found.
- I added the CPPM hostname to the walled garden.
- I changed the src-nat rule to base itself on a domain (FQDN in this case) as opposed to an IP address.
It now seems to work.
I will backtrack tomorrow, to see which change actually solved this and report back.