Wireless Access

 View Only
Expand all | Collapse all

ClearPass Guest Web login -- Android issues

This thread has been viewed 32 times
  • 1.  ClearPass Guest Web login -- Android issues

    Posted Dec 03, 2024 05:01 PM

    Hi 

    We are implementing guest captive portal leveraging ClearPass web login along with mac authentication (for returning clients). works fine on IOS and Windows platform. however for android user base we are running into problems with an error "connection failed". 

    Use case is a new android user creates an account on CPPM guest platform and generates a password to connect to an "enhanced open" SSID. works fine the first time. but user steps out of the range, comes and tries to connect user sees connection failed and no captive portal is opened as well (as expected). ClearPass logs shows mac auth is successful and its receiving post-auth roles with no rejections as well. On IAP side we are seeing EAP time-out message coming from a client when it happens. 

    Please note we are unable to reproduce this with IOS, Windows and Android 13 user base. only reproduceable with new android clients in our testing . 

    Has anyone gone thru this implementation..  are there any special considerations that needs to be taken for android clients ?

    Thank you, 



    ------------------------------
    [Akshay][Vishwas]
    ------------------------------


  • 2.  RE: ClearPass Guest Web login -- Android issues

    Posted Dec 04, 2024 03:47 AM

    Hi Akshay,

    Android 12 users are not authenticating via guest portal in branch office. | Controllerless Networks

    go through above link and give a try and let us know it works for you.

                                                                                                 -Vijay Kumar




  • 3.  RE: ClearPass Guest Web login -- Android issues

    Posted Dec 04, 2024 11:22 AM

    Thanks, we ran into a similar issue at the time of implementation. we implemented changes on clearpass side to overcome issue.. t

    I have an Android 13 that works fine with the current implementation. However, the issue I am facing is with newer Android (Android 16)

     



    ------------------------------
    [Akshay][Vishwas]
    ------------------------------



  • 4.  RE: ClearPass Guest Web login -- Android issues

    Posted Dec 04, 2024 10:29 AM

    Have you opened a case with TAC on this?

    What client devices are experiencing this behavior?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: ClearPass Guest Web login -- Android issues

    Posted Dec 04, 2024 11:15 AM

    Yes, I have created a case with them.. 

    After troubleshooting further, the issue seems to be specific to Android with "enhanced open" turned on. the 4th packet "wpa3-key4-vm" is not making back to IAP from a client in a 4-way handshake. this is specific to Android 16, works fine with old Android 13 and All IOS devices.

    Here is "show ap debug auth-trace buffer" output

    Dec  3 17:34:41.972  owe-pmk-update *                     xx:xx:xx:xx:xx:xx  xx:xx:xx:xx:xx:xx             -  -      Grp:19 PMK:32 Succ
    Dec  3 17:34:41.976  mac-auth-req   ->                    xx:xx:xx:xx:xx:xx  xx:xx:xx:xx:xx:xx/Clearpass1  -  -      xx:xx:xx:xx:xx:xx
    Dec  3 17:34:42.040  mac-auth-success   <-                xx:xx:xx:xx:xx:xx  xx:xx:xx:xx:xx:xx/Clearpass1  -  -      success
    Dec  3 17:34:42.040  station-up *                         xx:xx:xx:xx:xx:xx  xx:xx:xx:xx:xx:xx             -  -      wpa3-owe aes-ccmp-128
    Dec  3 17:34:42.040  wpa3-key1-vm   <-                    xx:xx:xx:xx:xx:xx  xx:xx:xx:xx:xx:xx             -  95
    Dec  3 17:34:42.068  wpa3-key2-vm   ->                    xx:xx:xx:xx:xx:xx  xx:xx:xx:xx:xx:xx             -  32256
    Dec  3 17:34:42.068  wpa3-key3-vm   <-                    xx:xx:xx:xx:xx:xx  xx:xx:xx:xx:xx:xx             -  191



    ------------------------------
    [Akshay][Vishwas]
    ------------------------------



  • 6.  RE: ClearPass Guest Web login -- Android issues

    Posted Dec 04, 2024 11:21 AM

    Android 16 is in developer preview, any change in behavior should be brought up with that team.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: ClearPass Guest Web login -- Android issues

    Posted Dec 04, 2024 11:33 AM

    Thanks for that.. 

    One of my colleagues just tested with Android 14 as well. we are seeing same issue. Its a Samsung phone if it matters



    ------------------------------
    [Akshay][Vishwas]
    ------------------------------



  • 8.  RE: ClearPass Guest Web login -- Android issues

    Posted Dec 04, 2024 11:39 AM

    If that is showing the same behavior then you'll need to do an over-the-air PCAP to see if the device is actually sending the fourth packet in the four-way handshake.  If the client device isn't finishing the handshake, nothing we can do from the AP side.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: ClearPass Guest Web login -- Android issues

    Posted Dec 04, 2024 02:22 PM

    Thanks. 

    After additional testing, looks like issue is when 6G radio tuned on..  our APs broadcast all 3 radios all the time.. disabling 6G radio allows Andriod to connect fine. we are 8.10.0.14.. if it matters 



    ------------------------------
    [Akshay][Vishwas]
    ------------------------------



  • 10.  RE: ClearPass Guest Web login -- Android issues

    Posted Dec 04, 2024 03:02 PM

    Because 6 GHz requires Enhanced Open where the other bands can utilize transition mode to connect to the Open network.  Open doesn't have a four-way handshake to negotiate so nothing to fail.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------