Update the network ACL on all of the ClearPass appliances. If that isn't the issue, not sure why ClearPass would be disallowing the connection, assuming you have the proper URL.
Original Message:
Sent: May 16, 2024 08:33 PM
From: networkrookie
Subject: AOS 8.10 bridge modes captive portal
Yes there was and the error actually confirms the deny action. I've added the IP range on allowed subnet however it's still coming up with the same error.
Any ideas?
Original Message:
Sent: May 16, 2024 10:03 AM
From: chulcher
Subject: AOS 8.10 bridge modes captive portal
Is there a network ACL configured within ClearPass that doesn't include the remote network that the client device is in?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: May 15, 2024 11:38 PM
From: networkrookie
Subject: AOS 8.10 bridge modes captive portal
Can I please have clarity on this? I'm currently trying to deploy this setup and we can't get the splash page from clearpass to automatically come up. Manually inputting the URL on a browser shows the page but ends up with an error "404 not found user not allowed".
I'm checking the logs on the firewall between sites, should I be looking at SRC=AP IP address and DST=ClearPass IP?
I suspect the AP redirect is not happening in our case...
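An added diagnostic, not from this thread or from Aruba or ClearPass: a small Python probe that distinguishes the two failure modes discussed here, the AP not redirecting at all (the probe reaches its plain-HTTP target unchanged) and the portal being reached but refusing the client (a direct hit returning 404 like the "user not allowed" error above). The probe URL, the portal host name, and the diagnosis labels are assumptions for illustration.

```python
"""Probe a bridge-mode guest client's captive-portal redirect.

Added example; not part of the thread. Run it from a client on the guest
VLAN. PROBE_URL and PORTAL_HOST are constructed placeholders: use a plain
http:// URL (the AP cannot redirect an HTTPS request it cannot intercept)
and the host part of the external captive-portal URL from the AAA profile.
"""
import urllib.error
import urllib.request
from urllib.parse import urlparse

PROBE_URL = "http://captive-probe.example/"        # constructed placeholder
PORTAL_HOST = "clearpass.example.internal"         # constructed placeholder


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so the Location
    header the AP (or anything else) injects can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError carrying the 3xx response


def classify(status, location, portal_host):
    """Map an HTTP status and Location header to a diagnosis string.

    redirected     - a 3xx whose Location points at the portal host: the AP
                     redirect is working, so look at the portal side next
    wrong_redirect - a 3xx to some other host (another device is answering)
    portal_denied  - a 404 on the probe, as seen when ClearPass refuses the
                     client (the "user not allowed" case in the thread)
    no_redirect    - the probe reached its target untouched: the AP is not
                     redirecting, which is the bridge-mode role/ACL question
    """
    if 300 <= status < 400 and location:
        host = urlparse(location).hostname or ""
        return "redirected" if host == portal_host.lower() else "wrong_redirect"
    if status == 404:
        return "portal_denied"
    return "no_redirect"


def probe(url=PROBE_URL, portal_host=PORTAL_HOST, timeout=5):
    """Fetch url without following redirects and classify the response."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"), portal_host)
    except urllib.error.HTTPError as err:
        # 3xx and 4xx/5xx both arrive here; the response object is still usable
        return classify(err.code, err.headers.get("Location"), portal_host)
    except urllib.error.URLError:
        # DNS failure or no route: neither the AP nor the portal answered
        return "unreachable"


if __name__ == "__main__":
    print(probe())
```

Run it once on a client that has just associated; "no_redirect" means the AP never intercepted the request, while "portal_denied" on a direct hit means the redirect (or the manual URL) reached ClearPass and ClearPass refused the client, which is where the network ACL discussed above applies.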
Original Message:
Sent: Nov 22, 2023 12:04 PM
From: chulcher
Subject: AOS 8.10 bridge modes captive portal
For a bridge mode connection the AP has to do the redirect. Make sure the user role applied to the session for login purposes has the "captiveportalbridge" access-list applied rather than the usual "captiveportal".
Documentation is lacking because this feature was added for a particular requirement. AOS 8 bridge mode overall is not a recommended deployment.
------------------------------
Carson Hulcher, ACEX#110
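An added illustration of the role change described above, not from the thread or from Aruba documentation: the usual shape of an AOS 8 logon user-role in CLI form, with the bridge-mode ACL in place of the standard one. The role name and captive-portal profile name are placeholders; only the ACL name "captiveportalbridge" comes from the post above, and the exact set of other entries the role needs is an assumption.

```text
! Added example, not from the thread. Role and profile names are placeholders.
! The only point taken from the post above: the logon role for bridge-mode
! clients carries captiveportalbridge, not the usual captiveportal ACL.
user-role guest-logon-bridge
    captive-portal guest-cp-profile
    access-list session logon-control
    access-list session captiveportalbridge
```

Set this role as the initial role in the AAA profile used by the bridge-mode SSID, then re-check the client's session role on the controller to confirm the bridge ACL is the one actually applied.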
Original Message:
Sent: Nov 22, 2023 11:49 AM
From: PE89
Subject: AOS 8.10 bridge modes captive portal
MTU is 1518, but I don't think this is relevant as we can browse to the Captive portal on DNS manually and it works fine. It's just the redirection that isn't working. What device should do the redirection? Is it the AP or the controller? The documentation is very lacking on this front.
Original Message:
Sent: Nov 22, 2023 11:15 AM
From: chulcher
Subject: AOS 8.10 bridge modes captive portal
What is the MTU and underlying transport for the connection between the remote site and controller?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Nov 22, 2023 11:08 AM
From: PE89
Subject: AOS 8.10 bridge modes captive portal
It's not a WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a separate internet link that we would use to handle guest http traffic.
Original Message:
Sent: Nov 22, 2023 11:00 AM
From: chulcher
Subject: AOS 8.10 bridge modes captive portal
Operating an AP as a Campus AP over a WAN is not a supported deployment. AOS 8 expects a controller on the same LAN as the AP.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Nov 22, 2023 10:55 AM
From: PE89
Subject: AOS 8.10 bridge modes captive portal
The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only foresee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.
Original Message:
Sent: Nov 22, 2023 09:36 AM
From: chulcher
Subject: AOS 8.10 bridge modes captive portal
Why are you wanting to use bridge mode and captive portal? Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Nov 22, 2023 04:40 AM
From: PE89
Subject: AOS 8.10 bridge modes captive portal
Hello,
According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus APs. However this is not working for my setup (bridged to a tagged VLAN), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).
Can someone give me the limitations on this?
Thanks!