Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Mobile Guest SSID not conexion

  • 1.  Mobile Guest SSID not conexion

    Posted Jan 19, 2023 04:51 PM
    Hello, I just had a case where one of my clients couldn't connect their phone.
    He told me that when the ClearPass was announced, they were working the mobile; currently he has at least 3 phone guests that were registered.
    While performing a test mobile to connect SSID guests, I encountered this issue.
    I'll show you some images of my clients' setup.

  • 2.  RE: Mobile Guest SSID not conexion

    EMPLOYEE
    Posted Jan 19, 2023 05:18 PM
    Do these guest users have their accounts in ClearPass Guest? If so, are these accounts active and enabled?
    Is the Access Tracker entry that mentions "access denied by policy" from the MAC caching service?

    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Mobile Guest SSID not conexion

    Posted Jan 20, 2023 03:37 AM
    Thanks for your reply @ariyap

    Thank you for responding.
    Where can I look if an account's guest has a pass?
    Where can I look if the caching services access policy is deny?



  • 4.  RE: Mobile Guest SSID not conexion

    Posted Jan 20, 2023 07:23 AM
    Hi, I recommend you check 2 things:

    1.- In the enforcement policy there is a rule for no more than 2 phones. If the person uses the same user, then a 3rd or 4th device won't be allowed.

    2.- Probably not related, but definitely something to fix, is that the HTTPS ClearPass certificate has expired. If ClearPass is hosting the captive portal, a lot of devices won't connect.

    I hope this helps


  • 5.  RE: Mobile Guest SSID not conexion

    Posted Jan 23, 2023 02:32 AM
    Hi @ulises.cazares, I appreciate your response.

    Concerning point 1,

    You must be referring to this, I assume:

    So I want to understand: this value is not the default? The meaning is that if the user uses the same user on more than two phones, access will be denied, isn't it?

    Another question: how can I see the guest user account?

    Regarding point 2,

    Why will a lot of devices not connect? Do you mean some devices are able to connect and others not? Why some yes and some not?


  • 6.  RE: Mobile Guest SSID not conexion

    Posted Jan 23, 2023 09:00 AM
    Hi @athan:

    1.- Yes, that's the rule. You can go to the guest module and see the user here:

    2.- With the HTTPS certificate expired, some endpoints (mobile phones and other types of client devices) won't even show the landing page. You need a valid and trusted (by the endpoints) cert installed as the HTTPS ClearPass certificate. I think this is the first thing you need to resolve.


    I hope this helps.
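
An added example, not part of the thread or any poster's reply: one way to confirm the expired-certificate point raised in replies 4 and 6 is to read the validity dates of the certificate the portal host serves. The function names, the 30-day warning window and the test CN are assumptions; the check covers dates only, not whether guest devices trust the issuing CA.

```shell
#!/usr/bin/env bash
# Added example: check the validity dates of the certificate a captive portal serves.

# fetch_portal_cert HOST [PORT] -> PEM of the leaf certificate on stdout.
# HOST is the name the guest redirect points to (supply your own; none is given in the thread).
fetch_portal_cert() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# cert_status PEM_FILE [WARN_DAYS] -> prints one of:
#   unreadable | expired | expiring | valid
cert_status() {
    local pem="$1" warn_days="${2:-30}"
    # Reject anything that does not parse as an X.509 certificate.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo unreadable
    # -checkend N exits non-zero when notAfter falls within the next N seconds,
    # so N=0 means "already expired".
    elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$pem" -noout \
            -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo valid
    fi
}

# Constructed sample for offline runs: a throwaway self-signed certificate
# valid for DAYS days, written to OUT_PEM. The CN is a made-up test name.
make_sample_cert() {
    local days="$1" out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=portal.example.test" \
        -keyout "${out}.key" -out "$out" >/dev/null 2>&1
}
```

Against a live portal, save the output of `fetch_portal_cert` to a file and pass that file to `cert_status`; a result of `expired` matches the condition described in reply 6.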


  • 7.  RE: Mobile Guest SSID not conexion

    Posted Jan 23, 2023 11:43 AM
    Hi @ulises.cazares


    I'm looking where you have mentioned, but, for instance, he has a user connected, and I see "caducado" in red, and I don't understand the red message.

    On the other hand, with relation to point 2:

    Why are they able to connect with select users over others?

    Thanks a lot



  • 8.  RE: Mobile Guest SSID not conexion

    Posted Jan 23, 2023 07:45 AM
    Hi athan,

    the output from the access tracker means that there is no endpoint for the phone yet. It is normal and always happens when a device connects to your guest wifi for the first time.

    The SQL statement uses as WHERE condition an attribute from the endpoint. But the endpoint does not exist yet. The SQL statement does not return attributes for AccountEnable and AccountExpired. The policy server logs it as alarm.

    The Radius server does not find the user in the endpoint repository and also reports it as an alarm.

    The MAC-Auth failed, the ClearPass Server sends a reject to the controller. The user is connected to the WLAN and remains in the preauthenticated role. In this role there must be a captive portal profile and the user must be redirected to the ClearPass landing page.

    The question is whether the user gets the ClearPass landing page displayed?

    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 9.  RE: Mobile Guest SSID not conexion

    Posted Jan 23, 2023 11:56 AM
    Hi @lord

    I appreciate your explanation.
    I'm trying to figure out how it was possible for a new user to connect with the person who has the preauthentication role.

    There is a WLC that is the destination of a redirect. The issue is that people cannot access the portal.


  • 10.  RE: Mobile Guest SSID not conexion