Hi! I can ping during pre-auth, but I never reach the post-auth role because I cannot reach the CP for authentication. During pre-auth, logon-control has an ICMP policy, so it seems correct.
I double-checked the design. I checked the datapath sessions and found the following:
1) There are sessions from the controller to the user, but not from the user (172.32.0.1) to the controller (172.16.0.254). Is that OK? Somehow the user reaches 8081 using the policy; there is no other way.
172.16.0.254 172.32.0.1 6 8081 19838 0 0 0 0 dev16
172.16.0.254 172.32.0.1 6 8081 19837 0 0 0 0 dev16
2) there are DNS sessions. This seems OK.
172.32.0.1 8.8.8.8 17 56763 53
3) Another strange thing: there are sessions from the user to a public IP on ports 80 and 443. This, I believe, is not OK.
172.32.0.1 216.58.222.42 6 19850 443 0 0 0 1 dev16
172.32.0.1 216.58.222.42 6 19849 443 0 0 0 1 dev16
I attached the pre-auth role that is assigned to the user.
On the user side, the following is happening:
1) I connect to the SSID and get an IP. I can ping a public address and resolve too. The browser does not open. Windows shows that there is Internet, but when you try to browse you can't.
2) I put http://public_fqdn in a browser and it redirects in the following way: http://<public IP of the FQDN>/?cmd=loging&mac= .... (the normal redirect)
However after some seconds the following redirect appears:
http://<public IP of the FQDN>/?cmd=redirect&arubaIp=12345
The browser alternates between these two URLs. I cannot recognise the second one and cannot explain it.
Any advice? I will do a deep analysis. I have already captured traffic with Wireshark. I will check it again.