Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User role with "allowall" immediately reconnects, removing "allowall" causes 48/68 second pause

  • 1.  User role with "allowall" immediately reconnects, removing "allowall" causes 48/68 second pause

    Posted May 26, 2015 09:30 AM

    Hello all, we're having an odd issue and after a 4 hour call with support, we're waiting to hear if they can figure it out. Maybe someone here has dealt with it before.

     

    We have a guest SSID with a captive portal. Config'd so that the portal just has an "I accept" button. Upon accepting, the guest users have access to internet sites, but not internal sites. The issue is that if a device sleeps/restarts or otherwise loses connectivity, it will switch to "No IP address" or a 169 address for 48 or 68 seconds once it tries to reconnect, at which time it will get its former IP address. If we add "allowall" as the final rule in our user-role, this stops happening and they immediately reconnect. Support recommended leaving "allowall" enabled to fix the problem, but from a security side we'd like to avoid that and find the specific "thing" that it's allowing that we need to explicitly define.

     

    Our current role was created during the support call, and it is:

    1. cplogout

    2. Guest-Internet-Only

        a. Allow dns

        b. Allow internal subnet for webpages

        c. Allow multicast/airplay/Clearpass 

        d. Deny internal subnets 

        e. Allow web traffic

        f. Deny ICMP for internal, allow ICMP for external

    3. allowall

     

     



  • 2.  RE: User role with "allowall" immediately reconnects, removing "allowall" causes 48/68 second pause
    Best Answer

    EMPLOYEE
    Posted May 26, 2015 09:46 AM
    You need to have an "any any service svc-dhcp" in your ACL rules.


  • 3.  RE: User role with "allowall" immediately reconnects, removing "allowall" causes 48/68 second pause

    Posted May 26, 2015 09:48 AM

    Not sure if you forgot to include it, but do you have allow DHCP in the ACL rules?



  • 4.  RE: User role with "allowall" immediately reconnects, removing "allowall" causes 48/68 second pause

    Posted May 26, 2015 10:00 AM

    Thank you cjoseph and victorfabian! Looks like we overlooked the super simple when we remade the role. Must've been too focused on getting the captive portal and ClearPass to play nicely.
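
The thread's approach of finding what a trailing "allowall" is actually permitting, rather than leaving it in place, can be checked with a small first-match model of the role. This is an added example, not part of the original posts and not ArubaOS code. The rule list is a simplified stand-in for the role in the first post, svc-dhcp is modeled as UDP 67-68, and the 10.0.0.0/8 internal range, the internal DHCP server address and all sample flows are constructed assumptions.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: internal range

# Rule = (label, protocol or None for any, dst ports or None, dst net, action)
GUEST_ROLE = [
    ("allow dns", "udp", {53}, ANY, "permit"),
    ("deny internal", None, None, INTERNAL, "deny"),
    ("allow web", "tcp", {80, 443}, ANY, "permit"),
    ("allow icmp external", "icmp", None, ANY, "permit"),
]
ALLOWALL = ("allowall", None, None, ANY, "permit")
DHCP = ("svc-dhcp", "udp", {67, 68}, ANY, "permit")  # modeled service

# Constructed sample flows: (name, protocol, dst ip, dst port)
FLOWS = [
    ("dhcp broadcast", "udp", "255.255.255.255", 67),
    ("dhcp unicast renew", "udp", "10.1.1.5", 67),  # assumed internal server
    ("dns lookup", "udp", "198.51.100.53", 53),
    ("external https", "tcp", "203.0.113.10", 443),
    ("internal ssh", "tcp", "10.2.0.9", 22),
]

def evaluate(rules, flow):
    """Return (label, action) of the first matching rule; implicit deny last."""
    _, proto, dst, port = flow
    for label, r_proto, r_ports, r_net, action in rules:
        if r_proto not in (None, proto):
            continue
        if r_ports is not None and port not in r_ports:
            continue
        if ipaddress.ip_address(dst) in r_net:
            return label, action
    return "implicit deny", "deny"

def covered_only_by_allowall(role, flows):
    """Flows that fall through to the trailing allowall rule."""
    rules = role + [ALLOWALL]
    return [f[0] for f in flows if evaluate(rules, f)[0] == "allowall"]

def permitted(rules, flows):
    """Names of the flows the rule list permits."""
    return [f[0] for f in flows if evaluate(rules, f)[1] == "permit"]

if __name__ == "__main__":
    print("only via allowall:", covered_only_by_allowall(GUEST_ROLE, FLOWS))
    print("dhcp rule first:  ", permitted([DHCP] + GUEST_ROLE, FLOWS))
    print("dhcp rule last:   ", permitted(GUEST_ROLE + [DHCP], FLOWS))
```

In this model the only sample flow that depends on "allowall" is the DHCP broadcast. Placing the DHCP rule after the internal deny still blocks a unicast renewal to an internal DHCP server, so the rule belongs above the deny.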