[AOS8] Automatic Captive Portal redirect works partially

Hi guys,

I was just playing around with some AOS8 code (8.3.0.1) and ran into a strange behaviour. Until now I have no clue what's wrong.

Here is my test-setup:

There are two redundant vMM with two MD (7010) connected to them. 
I have a Guest SSID which is redirecting to a ClearPass cluster. Both (Controller and CPPM) have official (trusted) certs installed. The cert on the Controller is bound in the web-server profile as the captive portal cert.
I have a role which redirects the device to the captive portal with all necessary policies.
So far so good (I thought) :)

I tested the guest network with an iPhone 6s, iPhone 6 and 7 (all got the same iOS version). All of them were working fine. I connected to the SSID and got the automatic redirect to the external captive portal - and I can log in properly.

So I tested it with an iPhone 8 and iPhone X. With these two devices I didn't get redirected to the CP. They have the same iOS version as the other test devices. The manual redirect (browsing a webpage in the browser) doesn't work either - but when I enter the URL of the CPPM captive portal, I can reach it...

I don't have any clue in which way I can troubleshoot this behaviour any further.


Is anyone facing the same thing?

Network Engineer
ACCX | ACMP

Re: [AOS8] Automatic Captive Portal redirect works partially

Can you share your ACL rules under the role?
Can you confirm that the device is getting the correct DNS server?
Can you reach ClearPass using the IP instead of the DNS name?
Did you enable the Apple CNA?
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: [AOS8] Automatic Captive Portal redirect works partially

Hey,

Here are my answers to your questions:

Can you share your ACL rules under the role?
initial user role: guest-selfreg-cppm-cp (logon-control, allow-cppm, captive portal).

Logon-control and captive-portal are default policies.
allow-cppm = allow http and https to CPPM IP(s)

Can you confirm that the device is getting the correct DNS server?

Yes, all of the devices get the same DNS server IP.

Can you reach ClearPass using the IP instead of the DNS name?
Yes, I can.

Did you enable the Apple CNA?

No, not at the moment, but this afternoon for testing purposes - without any difference in the test result.

Network Engineer
ACCX | ACMP

Re: [AOS8] Automatic Captive Portal redirect works partially

Try moving up the captiveportal ACL

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: [AOS8] Automatic Captive Portal redirect works partially

[EDIT]

Hi, I just changed the order of the ACLs in the user-role but the behaviour is more or less the same. After I changed the order, the client isn't able to get to the captive-portal page because of a redirect loop.

I also tried to change the DNS name to an IP in the captive portal profile - without any impact.

Network Engineer
ACCX | ACMP