Few things:
- It's strongly deprecated to switch VLANs in a guest scenario. Use role switches instead, but in the same VLAN. VLAN switching requires the device to do a DHCP and not all devices support that properly.
- It's strongly recommended to use 'Controller Initiated' when using Aruba WLAN (Instant or controller based); use Server Initiated only in cases where there is no other alternative, like on wired or non-Aruba. Controller Initiated works much more reliably and more smoothly for the end-user. Yes, it requires a certificate on the controller/IAP, but the experience is just much better, and with even one troubleshooting issue you get a return on your investment in a certificate.
Are you using Controller initiated?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Nov 10, 2021 12:08 PM
From: Raymond Papaux
Subject: user cannot disconnect from SSID after CP authentication
Hello,
I'm setting up a captive portal SSID for visitors on a new Aruba controller environment, which consists of a MM/VA and 2 physical 7205 controllers, running ArubaOS 8.9.0.0. The captive portal is located on a CPPM cluster and is currently working fine for our legacy IAP cluster (being transitioned to the new ArubaOS cluster).
But I'm facing a big issue. Once the guest has been registered onto the CP, when I switch OFF and ON the wifi on the wireless mobile, the device is not disconnected and swapped onto the visitor VLAN. In fact the MAC authentication service is never triggered from CPPM. Instead the CP splash page keeps recurring, asking for the same visitor information.
I figured out this is due to the guest association with the SSID, which is NOT cleared and lasts 10 min before going away.
If I manually disconnect the guest on the monitoring controller, it reconnects to the visitor VLAN correctly.
So the issue seems to be related to guest sticky association to the SSID, not immediately cleared after the disconnection and reconnection.
Question: So within the tons of parameters available in these controllers, is there a way to modify this behaviour, to make it compliant with the IAP?
Extra question: The "disconnection" should normally be triggered by a ClearPass policy via a RADIUS CoA/Disconnect, but it is either not sent by CPPM, or NOT received by the controllers. How to troubleshoot this?
Any hints or suggestions are welcome.
Thanks in advance
Ray
------------------------------
Raymond Papaux
------------------------------
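Added example for the "extra question" above (and for the Server Initiated case Herman mentions): this is not code from either poster, from Aruba or from ClearPass. When a RADIUS Disconnect/CoA is "sent by CPPM but not received by the controller", one cause that a packet capture alone does not reveal is a shared-secret mismatch: the NAS silently discards a Disconnect-Request whose Request Authenticator does not verify with its own secret. The script below builds and verifies RFC 5176 Disconnect-Request and Disconnect-ACK/NAK packets in memory (nothing is sent on the network), so you can take the UDP payload from a capture on port 3799 and check it against the secret configured on the controller. The secret, user name, MAC and session id are constructed sample values; the packet codes, attribute numbers and authenticator formulas are the ones defined in RFC 5176 and RFC 2865. A Message-Authenticator attribute, if present, is not checked here.

```python
"""Offline builder/verifier for RFC 5176 Disconnect-Request packets.

Added illustration, not code from the forum posters, Aruba or ClearPass.
Useful for checking a captured CoA/Disconnect against the shared secret
configured on the NAS, without sending anything.
"""
import hashlib
import hmac
import struct

# RFC 5176 packet codes
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST = 43

# RFC 2865/2866 attributes commonly used as session identifiers
ATTR_NAMES = {1: "User-Name", 31: "Calling-Station-Id", 44: "Acct-Session-Id"}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length octet counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attrs|Secret)."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: [values]})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, offset = {}, 20
    while offset < length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(packet[offset + 2:offset + attr_len])
        offset += attr_len
    return code, identifier, packet[4:20], attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """True only if the Request Authenticator was computed with this secret."""
    code, _, authenticator, _ = parse_packet(packet)
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def session_identifiers(packet: bytes) -> dict:
    """Which session the NAS is being asked to tear down (first value of each)."""
    _, _, _, attrs = parse_packet(packet)
    return {name: attrs[t][0].decode("ascii", "replace")
            for t, name in ATTR_NAMES.items() if t in attrs}


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """ACK/NAK: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Check that the NAS's ACK/NAK answers this request with the same secret."""
    _, _, request_auth, _ = parse_packet(request)
    _, _, response_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response_auth)


if __name__ == "__main__":
    # Constructed sample values; in practice take the UDP payload from a capture.
    secret = b"constructed-shared-secret"
    attrs = (encode_attr(1, b"guest@example.com")
             + encode_attr(31, b"00-11-22-33-44-55")
             + encode_attr(44, b"ABC123"))
    req = build_disconnect_request(7, attrs, secret)
    print("verifies with configured secret:", verify_request(req, secret))
    print("verifies with wrong secret:     ", verify_request(req, b"typo"))
    print("target session:", session_identifiers(req))
```

If the captured request fails to verify with the secret from the controller's CoA server entry while it verifies with the one in CPPM, the two sides disagree on the secret and the NAS will never answer; if it verifies but no Disconnect-ACK/NAK comes back at all, the packet is being dropped before the NAS or the CoA server is not enabled for that NAS, which is a different place to look.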