Hi
Hope someone can help...
We have a 3400 controller at our datacentre.
We have several APs at branch sites which connect via an MPLS back to our datacentre.
We have internet breakout via a VLAN configured on our ISP's router, i.e. traffic on this VLAN is allowed out via the ISP's firewall and does not need to be routed via a datacentre proxy as per internet traffic on our normal VLAN.
We have APs using bridge mode successfully, and server derivation roles assigning VLANs where appropriate. This works great.
However I am trying to get Captive Portal working from a branch AP in the same way, i.e. the internet traffic uses the internet VLAN and does not need to travel back to the datacentre. With the exception of DHCP, devices on the internet VLAN are not able to route to the production network, where the controller and captive portal page sit.
With bridge mode on the VAP, I am able to get an IP, but the captive portal does not load, due to the lack of routing to the controller (intentional). So I assume I need split tunnel.
I am following the Captive Portal guide and have set up the following:
A Captive Portal Profile (standard settings - user login ticked)
A new policy with the following configured:
- local internet VLAN network configured to permit.
- user/any action SRC-NAT (expecting any other traffic to SRC-NAT back to the controller)
A user role, configured with:
- Logon-Control
- Captive Portal
- Policy as above
An AAA profile, with the initial role set to the role above. This AAA profile is assigned to a VAP. The VAP is set to split tunnel, with the internet VLAN configured. The internet VLAN is tagged correctly on the switch.
However, I cannot get an IP address; I just get "cannot join network". No user role shows up in show user-table.
Should this work?
Many Thanks
Steve