Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Captive Portal Issue

  • 1.  Captive Portal Issue

    Posted Jul 23, 2019 10:15 AM

    Yesterday we upgraded to 8.4 and all seems to be working but captive portal for guest. I join guest SSID and then open browser and I get redirected to the captive portal page URL and then it starts going back and forth between portal URL and then adds the "cmd=login&mac=XX" and never shows the login page to enter info. Eventually it times out. Strange, I know - URL just swaps back and forth like a refresh but no login page.



  • 2.  RE: Captive Portal Issue

    MVP EXPERT
    Posted Jul 23, 2019 10:24 AM

    Is this an internal Captive Portal on the Controller/IAP or an External Captive Portal such as ClearPass? Are all of your certificates still valid? 



  • 3.  RE: Captive Portal Issue

    Posted Jul 23, 2019 10:25 AM
    ClearPass portal. Was looking at certs now - just installed our external one from Digicert on controller but still having issue.

    David Mattox
    Manager of System Operations - Information Technology Services
    Academic Complex 601-974-1149
    1701 North State Street, Jackson, MS 39210


  • 4.  RE: Captive Portal Issue

    EMPLOYEE
    Posted Jul 23, 2019 11:12 AM

    Hi David,

    Can you confirm the permit ACLs that allow http/https from user to CPPM exist above the captive portal redirection ACLs in the user's initial role?

     



  • 5.  RE: Captive Portal Issue

    EMPLOYEE
    Posted Jul 24, 2019 02:58 AM

    What you describe is a redirect loop, which many times indeed has to do with not allowing traffic from the client to the external captive portal through the initial/captive portal role.

     

    One more thing to check is that you have different certificates on your controller, or, if you have the same, that the redirect to your ClearPass is not the first SAN or captiveportal-logon.yourdomain.com for a wildcard. The controller takes the first SAN or captiveportal-logon for itself, and ClearPass and controller need to have different FQDNs in order to access both of them.
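
Added example, not part of the original thread and not Aruba code: a simplified first-match model of the guest's initial role, showing why a ClearPass permit that is missing or sits below the redirect rules (the ordering question raised in reply 4) produces the redirect loop described above. The addresses, the `Rule` layout and the role names are constructed assumptions, not controller configuration syntax.

```python
from dataclasses import dataclass

# Constructed sample values (documentation address ranges), not from the thread.
CPPM_IP = "192.0.2.10"    # assumed address of the external portal (ClearPass)
WEB_IP = "198.51.100.7"   # assumed address of whatever site the guest first opens

@dataclass(frozen=True)
class Rule:
    dst: str      # destination IP, or "any"
    port: int     # TCP destination port
    action: str   # "permit" or "redirect" (send the browser to the portal)

def first_match(role, dst, port):
    """Action of the first rule matching (dst, port); implicit deny at the end."""
    for rule in role:
        if rule.dst in ("any", dst) and rule.port == port:
            return rule.action
    return "deny"

def browse(role, dst, port=443, max_hops=5):
    """Follow what the guest's browser sees: 'portal', 'page', 'blocked' or 'loop'."""
    for _ in range(max_hops):
        action = first_match(role, dst, port)
        if action == "permit":
            return "portal" if dst == CPPM_IP else "page"
        if action == "deny":
            return "blocked"
        dst = CPPM_IP  # redirected: the next request goes to the portal itself
    return "loop"

def shadowed_permits(role):
    """Indexes of permit rules sitting below a catch-all redirect for the same port."""
    redirected_ports, hits = set(), []
    for idx, rule in enumerate(role):
        if rule.action == "redirect" and rule.dst == "any":
            redirected_ports.add(rule.port)
        elif rule.action == "permit" and rule.port in redirected_ports:
            hits.append(idx)
    return hits

REDIRECT = [Rule("any", 80, "redirect"), Rule("any", 443, "redirect")]
PERMIT_CPPM = [Rule(CPPM_IP, 80, "permit"), Rule(CPPM_IP, 443, "permit")]

MISSING_ROLE = REDIRECT                 # permit ACL absent from the role
BROKEN_ROLE = REDIRECT + PERMIT_CPPM    # permit present but below the redirect
FIXED_ROLE = PERMIT_CPPM + REDIRECT     # permit above the redirect

if __name__ == "__main__":
    for name, role in [("missing", MISSING_ROLE), ("broken", BROKEN_ROLE), ("fixed", FIXED_ROLE)]:
        print(name, browse(role, WEB_IP), shadowed_permits(role))
```
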



  • 6.  RE: Captive Portal Issue

    Posted Jul 24, 2019 08:38 AM
    We upgraded the controller to 8.4 from 6.X yesterday with Aruba's help so certs may be an issue. Just imported our wildcard, root and trusted one into controller. Did not help.



  • 7.  RE: Captive Portal Issue

    Posted Jul 24, 2019 09:58 AM

    Herman - can I email you a video of what it is doing?  I am waiting on TAC but have not heard and now guest wireless is down.



  • 8.  RE: Captive Portal Issue

    Posted Jul 24, 2019 01:49 PM

    I escalated ticket and TAC was able to get the portal up. Seems an ACL did not come over during the conversion from 6.X to 8.4. Now the issue is redirect. We get portal login for name and email and it connects but redirect does not work. According to TAC, if you use default cert. on controller you used securelogin.arubanetworks.com but if you use wildcard cert you use captive-login.millsaps.edu. Neither work. Both time out but user is logged into guest SSID. The above is found under customize self-registration after login method=controller initiated-guest browser performs HTTP form submit.

     



  • 9.  RE: Captive Portal Issue

    Posted Jul 24, 2019 01:50 PM

    Was also told by TAC that if we use wildcard certificate we will not be able to redirect to the college home page (millsaps.edu) because the controller is not able to differentiate since the wildcard is also millsaps.edu. Make sense to you?



  • 10.  RE: Captive Portal Issue

    EMPLOYEE
    Posted Jul 24, 2019 02:16 PM

    The URL for a wildcard certificate should be: captiveportal-login.millsaps.edu. And you can verify it on the controller with the command: "show datapath fqdn" or "show captive-portal-domains" on Instant.

     

    On the wildcard, the controller will just use captiveportal-login, and www or any other subdomain should work without any issue.