Wireless Access

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

In the first instance, when the client is placed in the User Role can it manually browse to the Captive Portal or even reach the IP of the Captive Portal from its VLAN?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

It's not an WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a seperate internet link that we would use to handle guest http traffic. 

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

What is the MTU and underlying transport for the connection between the remote site and controller?

It's not an WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a seperate internet link that we would use to handle guest http traffic. 

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

MTU is 1518, but I dont think this is relevant as we can browse to the Captive portal on DNS manually and it works fine. It's just the redirection that isnt working. What device should do the redirection? Is it the AP or the controller? The documention is very lacking on this front.

What is the MTU and underlying transport for the connection between the remote site and controller?

It's not an WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a seperate internet link that we would use to handle guest http traffic. 

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

For a bridge mode connection the AP has to do the redirect.  Make sure the user role applied to the session for login purposes has the "captiveportalbridge" access-list applied rather than the usual "captiveportal".

Documentation is lacking because this feature was added for a particular requirement.  AOS 8 bridge mode overall is not a recommended deployment.

MTU is 1518, but I dont think this is relevant as we can browse to the Captive portal on DNS manually and it works fine. It's just the redirection that isnt working. What device should do the redirection? Is it the AP or the controller? The documention is very lacking on this front.

What is the MTU and underlying transport for the connection between the remote site and controller?

It's not an WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a seperate internet link that we would use to handle guest http traffic. 

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

Thanks for the info, do you know if it should work with tagged vlan, or only the native vlan?

For a bridge mode connection the AP has to do the redirect.  Make sure the user role applied to the session for login purposes has the "captiveportalbridge" access-list applied rather than the usual "captiveportal".

Documentation is lacking because this feature was added for a particular requirement.  AOS 8 bridge mode overall is not a recommended deployment.

MTU is 1518, but I dont think this is relevant as we can browse to the Captive portal on DNS manually and it works fine. It's just the redirection that isnt working. What device should do the redirection? Is it the AP or the controller? The documention is very lacking on this front.

What is the MTU and underlying transport for the connection between the remote site and controller?

It's not an WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a seperate internet link that we would use to handle guest http traffic. 

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

Haven't seen that mentioned, shouldn't matter.  Clients are never expected to be pulling an IP address from the same VLAN as the AP is managed from.

Thanks for the info, do you know if it should work with tagged vlan, or only the native vlan?

For a bridge mode connection the AP has to do the redirect.  Make sure the user role applied to the session for login purposes has the "captiveportalbridge" access-list applied rather than the usual "captiveportal".

Documentation is lacking because this feature was added for a particular requirement.  AOS 8 bridge mode overall is not a recommended deployment.

MTU is 1518, but I dont think this is relevant as we can browse to the Captive portal on DNS manually and it works fine. It's just the redirection that isnt working. What device should do the redirection? Is it the AP or the controller? The documention is very lacking on this front.

What is the MTU and underlying transport for the connection between the remote site and controller?

It's not an WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a seperate internet link that we would use to handle guest http traffic. 

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

For a bridge mode connection the AP has to do the redirect.  Make sure the user role applied to the session for login purposes has the "captiveportalbridge" access-list applied rather than the usual "captiveportal".

Documentation is lacking because this feature was added for a particular requirement.  AOS 8 bridge mode overall is not a recommended deployment.

MTU is 1518, but I dont think this is relevant as we can browse to the Captive portal on DNS manually and it works fine. It's just the redirection that isnt working. What device should do the redirection? Is it the AP or the controller? The documention is very lacking on this front.

What is the MTU and underlying transport for the connection between the remote site and controller?

It's not an WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a seperate internet link that we would use to handle guest http traffic. 

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Original Message:
Sent: Nov 22, 2023 09:36 AM
From: chulcher
Subject: AOS 8.10 bridge modes captive portal

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

Can I please have clarity on this? I'm currently trying to deploy this setup and we can't get the splash page from clearpass to automatically come up. Manually inputting the URL on a browser shows the page but ends up with an error "404 not found user not allowed".

'm checking the logs on the firewall between sites, should I looking SRC=AP IP address and DST=Clearpass IP?
I suspect the AP redirect is not happening in our case...

For a bridge mode connection the AP has to do the redirect.  Make sure the user role applied to the session for login purposes has the "captiveportalbridge" access-list applied rather than the usual "captiveportal".

Documentation is lacking because this feature was added for a particular requirement.  AOS 8 bridge mode overall is not a recommended deployment.

MTU is 1518, but I dont think this is relevant as we can browse to the Captive portal on DNS manually and it works fine. It's just the redirection that isnt working. What device should do the redirection? Is it the AP or the controller? The documention is very lacking on this front.

What is the MTU and underlying transport for the connection between the remote site and controller?

It's not an WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a seperate internet link that we would use to handle guest http traffic. 

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Original Message:
Sent: Nov 22, 2023 09:36 AM
From: chulcher
Subject: AOS 8.10 bridge modes captive portal

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

Is there a network ACL configured within ClearPass that doesn't include the remote network that the client device is in?

Can I please have clarity on this? I'm currently trying to deploy this setup and we can't get the splash page from clearpass to automatically come up. Manually inputting the URL on a browser shows the page but ends up with an error "404 not found user not allowed".

'm checking the logs on the firewall between sites, should I looking SRC=AP IP address and DST=Clearpass IP?
I suspect the AP redirect is not happening in our case...

For a bridge mode connection the AP has to do the redirect.  Make sure the user role applied to the session for login purposes has the "captiveportalbridge" access-list applied rather than the usual "captiveportal".

Documentation is lacking because this feature was added for a particular requirement.  AOS 8 bridge mode overall is not a recommended deployment.

MTU is 1518, but I dont think this is relevant as we can browse to the Captive portal on DNS manually and it works fine. It's just the redirection that isnt working. What device should do the redirection? Is it the AP or the controller? The documention is very lacking on this front.

What is the MTU and underlying transport for the connection between the remote site and controller?

It's not an WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a seperate internet link that we would use to handle guest http traffic. 

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Original Message:
Sent: Nov 22, 2023 09:36 AM
From: chulcher
Subject: AOS 8.10 bridge modes captive portal

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

Yes there was and the error actually confirms the deny action. I've added the IP range on allowed subnet however it's still coming up with the same error.

Any ideas?

Is there a network ACL configured within ClearPass that doesn't include the remote network that the client device is in?

Can I please have clarity on this? I'm currently trying to deploy this setup and we can't get the splash page from clearpass to automatically come up. Manually inputting the URL on a browser shows the page but ends up with an error "404 not found user not allowed".

'm checking the logs on the firewall between sites, should I looking SRC=AP IP address and DST=Clearpass IP?
I suspect the AP redirect is not happening in our case...

For a bridge mode connection the AP has to do the redirect.  Make sure the user role applied to the session for login purposes has the "captiveportalbridge" access-list applied rather than the usual "captiveportal".

Documentation is lacking because this feature was added for a particular requirement.  AOS 8 bridge mode overall is not a recommended deployment.

MTU is 1518, but I dont think this is relevant as we can browse to the Captive portal on DNS manually and it works fine. It's just the redirection that isnt working. What device should do the redirection? Is it the AP or the controller? The documention is very lacking on this front.

What is the MTU and underlying transport for the connection between the remote site and controller?

It's not an WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a seperate internet link that we would use to handle guest http traffic. 

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Original Message:
Sent: Nov 22, 2023 09:36 AM
From: chulcher
Subject: AOS 8.10 bridge modes captive portal

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

Update the network ACL on all of the ClearPass appliances.  If that isn't the issue, not sure why ClearPass would be disallowing the connection, assuming you have the proper URL.

Yes there was and the error actually confirms the deny action. I've added the IP range on allowed subnet however it's still coming up with the same error.

Any ideas?

Is there a network ACL configured within ClearPass that doesn't include the remote network that the client device is in?

Can I please have clarity on this? I'm currently trying to deploy this setup and we can't get the splash page from clearpass to automatically come up. Manually inputting the URL on a browser shows the page but ends up with an error "404 not found user not allowed".

'm checking the logs on the firewall between sites, should I looking SRC=AP IP address and DST=Clearpass IP?
I suspect the AP redirect is not happening in our case...

For a bridge mode connection the AP has to do the redirect.  Make sure the user role applied to the session for login purposes has the "captiveportalbridge" access-list applied rather than the usual "captiveportal".

Documentation is lacking because this feature was added for a particular requirement.  AOS 8 bridge mode overall is not a recommended deployment.

MTU is 1518, but I dont think this is relevant as we can browse to the Captive portal on DNS manually and it works fine. It's just the redirection that isnt working. What device should do the redirection? Is it the AP or the controller? The documention is very lacking on this front.

What is the MTU and underlying transport for the connection between the remote site and controller?

It's not an WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a seperate internet link that we would use to handle guest http traffic. 

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Original Message:
Sent: Nov 22, 2023 09:36 AM
From: chulcher
Subject: AOS 8.10 bridge modes captive portal

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!

Hmm I checked the other clearpass server and the ACL has been applied as well. So far below is what happens when I attempt to join

1. Client device gets an IP from the local network
2. Redirect page doesn't come up automatically
3. Manually typing in the URL brings up the splash page however error 404 comes up after clicking continue

Done a session with TAC, "show acl hits" doesn't show any entry for the user role for the WLAN. Can you please describe the IP packet flow for this setup so I can check the firewalls on my end? Does the client traffic get natted to the WAP AP when the redirect page is accessed?

Update the network ACL on all of the ClearPass appliances.  If that isn't the issue, not sure why ClearPass would be disallowing the connection, assuming you have the proper URL.

Yes there was and the error actually confirms the deny action. I've added the IP range on allowed subnet however it's still coming up with the same error.

Any ideas?

Is there a network ACL configured within ClearPass that doesn't include the remote network that the client device is in?

Can I please have clarity on this? I'm currently trying to deploy this setup and we can't get the splash page from clearpass to automatically come up. Manually inputting the URL on a browser shows the page but ends up with an error "404 not found user not allowed".

'm checking the logs on the firewall between sites, should I looking SRC=AP IP address and DST=Clearpass IP?
I suspect the AP redirect is not happening in our case...

For a bridge mode connection the AP has to do the redirect.  Make sure the user role applied to the session for login purposes has the "captiveportalbridge" access-list applied rather than the usual "captiveportal".

Documentation is lacking because this feature was added for a particular requirement.  AOS 8 bridge mode overall is not a recommended deployment.

MTU is 1518, but I dont think this is relevant as we can browse to the Captive portal on DNS manually and it works fine. It's just the redirection that isnt working. What device should do the redirection? Is it the AP or the controller? The documention is very lacking on this front.

What is the MTU and underlying transport for the connection between the remote site and controller?

It's not an WAN, it is still an MPLS site, but the MPLS is too low to also handle the guest traffic, but there is a seperate internet link that we would use to handle guest http traffic. 

Operating an AP as a Campus AP over a WAN is not a supported deployment.  AOS 8 expects a controller on the same LAN as the AP.

The customer only has 1 remote site, and thus would imply 2 configurations to be handled differently. For ease of mgmt, we would opt to only forsee the config being handled by the MC. Also the corporate traffic needs to be tunneled and we would need to modify it to handle that to iap-vpn, and thus make it more complex for the customer.

Original Message:
Sent: Nov 22, 2023 09:36 AM
From: chulcher
Subject: AOS 8.10 bridge modes captive portal

Why are you wanting to use bridge mode and captive portal?  Why wouldn't you run the APs in Instant mode where bridging is a native function rather than a secondary consideration?

Hello,

According to 8.7 features Captive Portal Enhancements (arubanetworks.com) an external CP should now be possible with bridged mode campus AP's. However this is not working for my setup (bridged to a tagged vlan), no CP redirect happening (DNS lookup works). Not much info besides 2 config changes (full path and the AAA profile change). I'm assuming this will only work on the native bridged VLAN? I can't really test the native VLAN to validate as this has no external access (DNS).

Can someone give me the limitations on this?

Thanks!