- Associate the client to an access point.
- Find out what access point the user is associate to and SSH into that access point (important that you are on the access point the user is on).
- Try to access the square website on that client
- When it fails, on the commandline of the access point type "show datapath session". Collect that output and search for the ip address of your user. If the Instant AP is blocking that traffic, there will be a "D" or deny flag:
a036000000lBEjH-02i6000000Uhl8g# show datapath session
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
I - Deep inspect, U - Locally destined
s - media signal, m - media mon, a - rtp analysis
E - Media Deep Inspect, G - media signal
A - Application Firewall Inspect
RAP Flags: 0 - Q0, 1 - Q1, 2 - Q2, r - redirect to master, t - time based
Source IP Destination IP Prot SPort Dport Cntr Prio ToS Age Destination TAge Flags
---------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
10.153.171.216 10.153.175.162 6 9100 63237 0 0 0 0 dev20 4 YA
192.168.4.217 216.58.194.49 6 50433 443 4 0 0 6 local 2637 C
216.12.248.66 10.153.173.218 17 514 514 0 0 0 1 local 31 FRY
192.30.68.80 10.153.175.91 6 443 39142 0 0 56 6 dev32 1bd T
10.153.173.106 192.30.68.80 6 1027 443 0 6 46 2 local d28f PT