Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Clearpass Captive Portal does not work on 1 particular controller

  • 1.  Clearpass Captive Portal does not work on 1 particular controller

    Posted Oct 03, 2017 11:39 AM

    I demoted a 7240 from master to local and now ClearPass captive portal clients that terminate on this controller can't get internet access. The other 3 local controllers work just fine.

     

    When opening a browser, even after self registration, the client is always redirected back to the same login/registration page.

     

    Here's the datapath session:

    NOTE: I relabeled the IPs so it is clear which one they are.

     

    (local-aruba-wc1) #show datapath session table 10.client-IP
    
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop
           A - Application Firewall Inspect
    
    
    Source IP                Destination IP           Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets   Bytes     Flags
    ------------------------ ------------------------ ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- -----
    134.local-DNS-IP         10.client-IP             17   53    31365 0/0      0    0   0   tunnel 2961 5    1         216       FI
    134.local-controller-IP  10.client-IP             6    8081  36016 0/0      0    0   0   tunnel 2961 5    9         6702      FSI
    10.client-IP             54.230.87.216            6    36016 443   1/15787  0    0   0   tunnel 2961 5    10        860       FNCI
    54.230.87.216            10.client-IP             6    443   36018 0/0      0    0   0   local       5    9         6702      F
    10.client-IP             54.230.87.216            6    36017 443   1/15787  0    0   0   tunnel 2961 5    10        860       FNCI
    10.client-IP             54.230.87.216            6    36018 443   1/15787  0    0   0   tunnel 2961 5    11        912       FNCI
    54.230.87.237            10.client-IP             6    443   34369 0/0      0    0   0   local       5    9         6718      F
    134.local-controller-IP  10.client-IP             6    8081  34370 0/0      0    0   0   tunnel 2961 5    9         6718      FSI
    134.local-controller-IP  10.client-IP             6    8081  34372 0/0      0    0   0   tunnel 2961 5    9         6718      FSI
    134.local-controller-IP  10.client-IP             6    8081  39378 0/0      0    0   0   tunnel 2961 5    9         6702      FSI
    134.local-controller-IP  10.client-IP             6    8081  39380 0/0      0    0   0   tunnel 2961 5    9         6702      FSI
    10.client-IP             134.local-DNS-IP         17   18452 53    0/0      0    0   1   tunnel 2961 e    1         58        FCI
    134.local-DNS-IP         10.client-IP             17   53    23931 0/0      0    0   0   tunnel 2961 5    1         355       FI
    10.client-IP             134.local-DNS-IP         17   26262 53    0/0      0    0   1   tunnel 2961 b    1         62        FCI
    134.local-DNS-IP         10.client-IP             17   53    26262 0/0      0    0   1   tunnel 2961 b    1         119       FI
    10.client-IP             134.local-DNS-IP         17   12032 53    0/0      0    0   1   tunnel 2961 e    1         66        FCI
    10.client-IP             134.local-controller-IP  6    50592 8081  0/0      0    0   1   local       f    0         0         FY
    134.local-DNS-IP         10.client-IP             17   53    13345 0/0      0    0   1   tunnel 2961 e    1         120       FI
    134.local-DNS-IP         10.client-IP             17   53    2021  0/0      0    0   1   tunnel 2961 e    1         133       FI
    54.192.87.254            10.client-IP             6    443   35104 0/0      0    0   0   local       5    10        6754      F
    10.client-IP             134.local-DNS-IP         17   13345 53    0/0      0    0   1   tunnel 2961 e    1         62        FCI
    134.local-controller-IP  10.client-IP             6    8081  35103 0/0      0    0   0   tunnel 2961 5    9         6702      FSI
    10.client-IP             134.local-controller-IP  6    35685 8081  0/0      0    0   0   local       5    0         0         FY
    10.client-IP             134.local-controller-IP  6    36017 8081  0/0      0    0   0   local       5    0         0         FY
    104.16.27.235            10.client-IP             6    443   35685 0/0      0    0   0   local       5    9         6702      F
    54.192.87.254            10.client-IP             6    443   35105 0/0      0    0   0   local       5    10        6754      F
    10.client-IP             134.local-controller-IP  6    36016 8081  0/0      0    0   0   local       5    0         0         FY
    10.client-IP             134.local-controller-IP  6    36018 8081  0/0      0    0   0   local       5    0         0         FY
    134.local-controller-IP  10.client-IP             6    8081  39379 0/0      0    0   0   tunnel 2961 5    9         6702      FSI
    72.21.207.136            10.client-IP             6    443   39377 0/0      0    0   0   local       5    9         6702      F
    10.client-IP             134.local-DNS-IP         17   13182 53    0/0      0    0   0   tunnel 2961 5    1         64        FCI
    134.local-DNS-IP         10.client-IP             17   53    25780 0/0      0    0   1   tunnel 2961 e    1         124       FI
    134.local-DNS-IP         10.client-IP             17   53    26025 0/0      0    0   1   tunnel 2961 5    1         455       FI
    134.local-controller-IP  10.client-IP             6    8081  34371 0/0      0    0   0   tunnel 2961 5    9         6718      FSI
    52.24.144.52             10.client-IP             6    443   60702 0/0      0    0   0   0/0/5       5    0         0         FDC
    10.client-IP             104.16.27.235            6    35685 443   1/15787  0    0   1   tunnel 2961 5    10        1171      FNCI
    10.client-IP             134.local-DNS-IP         17   31365 53    0/0      0    0   1   tunnel 2961 5    1         67        FCI
    10.client-IP             134.local-DNS-IP         17   21527 53    0/0      0    0   1   tunnel 2961 5    1         59        FCI
    134.local-controller-IP  10.client-IP             6    8081  35106 0/0      0    0   1   tunnel 2961 5    9         6702      FSI
    134.local-DNS-IP         10.client-IP             17   53    18452 0/0      0    0   1   tunnel 2961 e    1         133       FI
    192.243.232.36           10.client-IP             6    443   49650 0/0      0    0   0   0/0/5       3    4         372       FDC
    72.21.91.97              10.client-IP             6    443   45029 0/0      0    0   0   0/0/5       8    0         0         FDC
    192.243.232.58           10.client-IP             6    443   38166 0/0      0    0   0   0/0/5       3    4         372       FDC
    192.243.232.58           10.client-IP             6    443   38170 0/0      0    0   0   0/0/5       3    4         372       FDC
    192.243.232.58           10.client-IP             6    443   38167 0/0      0    0   0   0/0/5       3    4         372       FDC
    10.client-IP             173.194.203.188          6    34656 5228  0/0      0    0   0   tunnel 2961 2    1         60        FDYC
    192.243.232.36           10.client-IP             6    443   49651 0/0      0    0   0   0/0/5       3    4         372       FDC
    
    (local-aruba-wc1) #

    Thanks.
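
Added example, not part of the original post: a small Python parser for the `show datapath session table` rows above that counts the flow patterns visible in them, using the flag letters from the command's own legend. Reading "client HTTPS with dest NAT, answered by the controller from port 8081" as "client is still held by the captive portal" is an interpretation made for this example; the function names are hypothetical.

```python
import collections

# Rows copied from the session table above (addresses relabeled by the poster).
SAMPLE = """\
10.client-IP 54.230.87.216 6 36016 443 1/15787 0 0 0 tunnel 2961 5 10 860 FNCI
134.local-controller-IP 10.client-IP 6 8081 36016 0/0 0 0 0 tunnel 2961 5 9 6702 FSI
10.client-IP 134.local-DNS-IP 17 18452 53 0/0 0 0 1 tunnel 2961 e 1 58 FCI
52.24.144.52 10.client-IP 6 443 60702 0/0 0 0 0 0/0/5 5 0 0 FDC
10.client-IP 173.194.203.188 6 34656 5228 0/0 0 0 0 tunnel 2961 2 1 60 FDYC
"""

def parse_row(line):
    """Split one row; 'Destination' is 1 token (local, 0/0/5) or 2 (tunnel N)."""
    t = line.split()
    if len(t) not in (14, 15) or not t[2].isdigit():
        return None  # header, separator, legend, prompt or blank line
    return {"src": t[0], "dst": t[1], "prot": int(t[2]), "sport": int(t[3]),
            "dport": int(t[4]), "dest": " ".join(t[9:-4]),
            "packets": int(t[-3]), "bytes": int(t[-2]), "flags": set(t[-1])}

def summarize(text, client, controller):
    """Count the flow patterns that matter for a captive-portal client."""
    out = collections.Counter()
    for row in filter(None, map(parse_row, text.splitlines())):
        f = row["flags"]
        if row["src"] == client and row["dport"] == 443 and "N" in f:
            out["https_dst_nat"] += 1      # client HTTPS rewritten (N = dest NAT)
        if row["src"] == controller and row["sport"] == 8081 and "S" in f:
            out["portal_replies"] += 1     # controller answering from port 8081
        if "D" in f:
            out["denied"] += 1             # D = deny
    return dict(out)

def still_captive(summary):
    """Assumed reading: NATed HTTPS answered from :8081 means pre-auth role."""
    return (summary.get("https_dst_nat", 0) > 0
            and summary.get("portal_replies", 0) > 0)

if __name__ == "__main__":
    s = summarize(SAMPLE, "10.client-IP", "134.local-controller-IP")
    print(s, "still captive:", still_captive(s))
```

Run against a capture taken after the client has registered: if the dest-NAT and port 8081 counters keep growing, the role change never reached the controller and the authentication path is the next place to look.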



  • 2.  RE: Clearpass Captive Portal does not work on 1 particular controller

    EMPLOYEE
    Posted Oct 03, 2017 12:07 PM
    Are you using the same captive portal certificate on every controller? (recommended)
    What do you have set for the network login address in the guest login configuration?


  • 3.  RE: Clearpass Captive Portal does not work on 1 particular controller

    Posted Oct 03, 2017 12:28 PM

    Different for all 4 locals but there is a script on ClearPass that should fix this. The x.x.2.50 is the local controller that doesn't work.

     

    {if !$extra_fields.cn}
      {if $extra_fields.switchip == "x.x.2.50"}
        {assign var="hostname" value ="local-controller-aruba-wc1.csu.net"} 
      {elseif $extra_fields.switchip == "x.x.2.54"}
        {assign var="hostname" value ="local-controller-aruba-wc1.csu.net"}
      {elseif $extra_fields.switchip == "x.x.2.58"}
        {assign var="hostname" value ="local-controller-aruba-wc2.csu.net"}
      {elseif $extra_fields.switchip == "x.x.2.62"}
        {assign var="hostname" value ="local-controller-aruba-wc2.csu.net"}
      {else}
        {assign var="hostname" value =$extra_fields.switchip}
      {/if}
      <meta http-equiv="refresh" content="0;url=/guest/{$script_name}.php?switchip={$hostname|rawurlencode}&cn=1&_browser=1">
    {/if}

     

     



  • 4.  RE: Clearpass Captive Portal does not work on 1 particular controller

    EMPLOYEE
    Posted Oct 03, 2017 12:34 PM
    1. Doing it that way is really not recommended
    2. What is the output of "show datapath fqdn" from that controller?


  • 5.  RE: Clearpass Captive Portal does not work on 1 particular controller

    Posted Oct 03, 2017 12:39 PM

    Thanks for the quick reply

     

    1) What's the best way?

    2) It shows the controller's hostname + csu*.net



  • 6.  RE: Clearpass Captive Portal does not work on 1 particular controller

    EMPLOYEE
    Posted Oct 03, 2017 12:44 PM

    1) Use the same generic captive portal certificate on all of your controllers

    2) Does that match what is configured in ClearPass?



  • 7.  RE: Clearpass Captive Portal does not work on 1 particular controller

    Posted Oct 03, 2017 12:49 PM

    1) Would this show HTTPS errors? We try not to let clients see 'error' stuff if possible.

    2) Yes, this is exactly what's on the script.

     

     

    thanks.



  • 8.  RE: Clearpass Captive Portal does not work on 1 particular controller
    Best Answer

    EMPLOYEE
    Posted Oct 03, 2017 12:54 PM
    1. No, it wouldn't
    2. Best to open a TAC case then


  • 9.  RE: Clearpass Captive Portal does not work on 1 particular controller

    Posted Oct 03, 2017 12:57 PM

    I will. Thanks.



  • 10.  RE: Clearpass Captive Portal does not work on 1 particular controller
    Best Answer

    Posted Oct 04, 2017 02:52 PM

    UPDATE:

     

    The problem all this time was a mismatched RADIUS key between the controller and ClearPass.
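
Added example, not part of the thread: why a mismatched RADIUS shared secret fails without any certificate or portal error, shown with the RFC 2865 User-Password hiding and Response Authenticator calculations. It goes beyond the post in assuming a PAP exchange; the secrets, password and packet fields are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: what the NAS (controller) puts in User-Password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    """The server's inverse; only correct when both sides hold the same secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def nas_accepts_reply(code, ident, attrs, req_auth, reply_auth, nas_secret):
    """The NAS discards any reply whose authenticator it cannot reproduce."""
    expected = response_authenticator(code, ident, attrs, req_auth, nas_secret)
    return hmac.compare_digest(expected, reply_auth)

def simulate(nas_secret, server_secret, password=b"guest-pass-123456789"):
    """One PAP exchange; every value here is constructed for illustration."""
    req_auth = os.urandom(16)
    hidden = hide_password(password, nas_secret, req_auth)
    seen_by_server = unhide_password(hidden, server_secret, req_auth)
    code = 2 if seen_by_server == password else 3   # Access-Accept / Access-Reject
    reply_auth = response_authenticator(code, 1, b"", req_auth, server_secret)
    return {"password_ok": seen_by_server == password,
            "reply_trusted": nas_accepts_reply(code, 1, b"", req_auth,
                                               reply_auth, nas_secret)}

if __name__ == "__main__":
    print("matching  :", simulate(b"s3cret", b"s3cret"))
    print("mismatched:", simulate(b"s3cret", b"S3cret"))
```

With different secrets the server recovers the wrong password and the NAS cannot validate the reply either, so the client never leaves its initial role even though registration appeared to succeed.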