Hi All
I am trying to set up a split-tunnel captive portal and am having some problems.
The clients should receive an IP on the guest VLAN present on the remote site and be locked down from the PreAuth user role, then once authenticated via the captive portal, allowed to browse the internet via the PostAuth user role with the same IP.
The roles are set up as per the documentation - the PreAuth role has logon-control & captive portal configured.
The APs are 105 RAPs.
The VLAN is defined on the controller, but NOT physically connected or configured with an IP as traffic should not leave via the controller, only via the AP.
The VAP is configured to split tunnel and configured with the internet VLAN.
The VLAN is definitely configured correctly on the switches/routers, as the same VLAN in a bridge mode config works correctly.
This VLAN is configured to allow DHCP traffic to our internal DHCP server.
The clients will attempt to connect but cannot get an IP - after enabling DHCP debugging I can see only DHCP discover entries. It shows as 'connected' (XP laptop).
The logs show the correct PreAuth role assigned.
Show ACL Hits shows nothing against the policy in the role.
If I set a static IP on the client, it appears in show user-table with the correct role and VLAN.
I cannot ping the default gateway NOR trigger the destination NAT to force to the captive portal via browsing to a web page via name or IP.
I have tried adjusting the PreAuth role to have only the allow all policy with no change.
Logs seem to show the following without a static configured:
Sep 24 10:00:04 authmgr[1688]: <124091> <DBUG> |authmgr| station_check_license_limits: mac 4c:0f:6e:1e:21:17 encr-algo:1.
Sep 24 10:00:04 authmgr[1688]: <124093> <DBUG> |authmgr| Called mac_station_new() for mac 4c:0f:6e:1e:21:17.
Sep 24 10:00:04 authmgr[1688]: <124103> <DBUG> |authmgr| Setting user 4c:0f:6e:1e:21:17 aaa profile to Guest_AAA_Profile, reason: ncfg_get_wireless_aaa_prof.
Sep 24 10:00:04 authmgr[1688]: <124103> <DBUG> |authmgr| Setting user 4c:0f:6e:1e:21:17 aaa profile to Guest_AAA_Profile, reason: ncfg_set_aaa_profile_defaults.
Sep 24 10:00:04 authmgr[1688]: <124104> <DBUG> |authmgr| ifmap: user=0x0x10ac1f3c, ipuser=0x0x0, mac=4c:0f:6e:1e:21:17, event=3.
Sep 24 10:00:04 authmgr[1688]: <124104> <DBUG> |authmgr| ifmap: user=0x0x10ac1f3c, ipuser=0x0x0, mac=4c:0f:6e:1e:21:17, event=4.
Sep 24 10:00:04 authmgr[1688]: <124105> <DBUG> |authmgr| MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
Sep 24 10:00:04 authmgr[1688]: <124105> <DBUG> |authmgr| MM: mac=4c:0f:6e:1e:21:17, state=4, name=, role=Guest_PreAuth, dev_type=, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
Sep 24 10:00:04 authmgr[1688]: <522035> <INFO> |authmgr| MAC=4c:0f:6e:1e:21:17 Station UP: BSSID=d8:c7:c8:23:c1:05 ESSID=Guest VLAN=77 AP-name=headoffice-002
Sep 24 10:00:04 authmgr[1688]: <522077> <DBUG> |authmgr| MAC=4c:0f:6e:1e:21:17 ingress 0x0x0 (vlan 0), u_encr 1, m_encr 1, slotport 0x0x2040 , type: remote, FW mode: 3, AP IP: 1.1.2.111 mdie 0 ft_complete 0
Sep 24 10:00:04 authmgr[1688]: <522242> <DBUG> |authmgr| MAC=4c:0f:6e:1e:21:17 Station Created Update MMS: BSSID=d8:c7:c8:23:c1:05 ESSID=Guest VLAN=77 AP-name=headoffice-002
Sep 24 10:00:04 dhcpdwrap[1727]: <202534> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan77: DISCOVER 4c:0f:6e:1e:21:17 Options 74:01 3d:014c0f6e1e2117 0c:48502d333039313530 3c:4d53465420352e30 37:010f03062c2e2f1f21f77b 2b:dc00
Sep 24 10:00:04 dhcpdwrap[1727]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x1003e vlan 77 egress 0x5c src mac 4c:0f:6e:1e:21:17
Sep 24 10:00:04 stm[1702]: <501095> <NOTI> |stm| Assoc request @ 10:00:04.522016: 4c:0f:6e:1e:21:17 (SN 3872): AP 1.1.2.111-d8:c7:c8:23:c1:05-headoffice-002
Sep 24 10:00:04 stm[1702]: <501100> <NOTI> |stm| Assoc success @ 10:00:04.525881: 4c:0f:6e:1e:21:17: AP 1.1.2.111-d8:c7:c8:23:c1:05-headoffice-002
Sep 24 10:00:04 stm[695]: <501093> <NOTI> |AP headoffice-002@1.1.2.111 stm| Auth success: 4c:0f:6e:1e:21:17: AP 1.1.2.111-d8:c7:c8:23:c1:05-headoffice-002
Sep 24 10:00:04 stm[695]: <501095> <NOTI> |AP headoffice-002@1.1.2.111 stm| Assoc request @ 10:00:04.518774: 4c:0f:6e:1e:21:17 (SN 3872): AP 1.1.2.111-d8:c7:c8:23:c1:05-headoffice-002
Sep 24 10:00:04 stm[695]: <501100> <NOTI> |AP headoffice-002@1.1.2.111 stm| Assoc success @ 10:00:04.520516: 4c:0f:6e:1e:21:17: AP 1.1.2.111-d8:c7:c8:23:c1:05-headoffice-002
Sep 24 10:00:04 stm[695]: <501109> <NOTI> |AP headoffice-002@1.1.2.111 stm| Auth request: 4c:0f:6e:1e:21:17: AP 1.1.2.111-d8:c7:c8:23:c1:05-headoffice-002 auth_alg 0
Then I set a static IP:
Sep 24 10:02:27 authmgr[1688]: <124004> <DBUG> |authmgr| sta_add_l3: mac 4c:0f:6e:1e:21:17 ip x.x.x.x
Sep 24 10:02:27 authmgr[1688]: <124104> <DBUG> |authmgr| ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=1.
Sep 24 10:02:27 authmgr[1688]: <124104> <DBUG> |authmgr| ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=1.
Sep 24 10:02:27 authmgr[1688]: <124104> <DBUG> |authmgr| ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=1.
Sep 24 10:02:27 authmgr[1688]: <124104> <DBUG> |authmgr| ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=3.
Sep 24 10:02:27 authmgr[1688]: <124104> <DBUG> |authmgr| ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=3.
Sep 24 10:02:27 authmgr[1688]: <124104> <DBUG> |authmgr| ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=3.
Sep 24 10:02:27 authmgr[1688]: <124104> <DBUG> |authmgr| ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=3.
Sep 24 10:02:27 authmgr[1688]: <124104> <DBUG> |authmgr| ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=3.
Sep 24 10:02:27 authmgr[1688]: <124104> <DBUG> |authmgr| ifmap: user=0x0x10ac1f3c, ipuser=0x0x10b4de0c, mac=4c:0f:6e:1e:21:17, event=3.
Sep 24 10:02:27 authmgr[1688]: <124105> <DBUG> |authmgr| MM: mac=4c:0f:6e:1e:21:17, state=1, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
Sep 24 10:02:27 authmgr[1688]: <124105> <DBUG> |authmgr| MM: mac=4c:0f:6e:1e:21:17, state=1, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
Sep 24 10:02:27 authmgr[1688]: <124105> <DBUG> |authmgr| MM: mac=4c:0f:6e:1e:21:17, state=1, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
Sep 24 10:02:27 authmgr[1688]: <124105> <DBUG> |authmgr| MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
Sep 24 10:02:27 authmgr[1688]: <124105> <DBUG> |authmgr| MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
Sep 24 10:02:27 authmgr[1688]: <124105> <DBUG> |authmgr| MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
Sep 24 10:02:27 authmgr[1688]: <124105> <DBUG> |authmgr| MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
Sep 24 10:02:27 authmgr[1688]: <124105> <DBUG> |authmgr| MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=0.
Sep 24 10:02:27 authmgr[1688]: <124105> <DBUG> |authmgr| MM: mac=4c:0f:6e:1e:21:17, state=3, name=, role=Guest_PreAuth, dev_type=Win XP, ipv4=x.x.x.x, ipv6=0.0.0.0, new_rec=1.
Sep 24 10:02:27 authmgr[1688]: <124148> <DBUG> |authmgr| Create ipuser x.x.x.x for user 4c:0f:6e:1e:21:17.
Sep 24 10:02:27 authmgr[1688]: <522006> <INFO> |authmgr| MAC=4c:0f:6e:1e:21:17 IP=x.x.x.x User entry added: reason=Auth Request
Sep 24 10:02:27 authmgr[1688]: <522049> <INFO> |authmgr| MAC=4c:0f:6e:1e:21:17,IP=0.0.0.0 User role updated, existing Role=Guest_PreAuth/none, new Role=Guest_PreAuth/Guest_PreAuth, reason=First IP user created
Sep 24 10:02:27 authmgr[1688]: <522049> <INFO> |authmgr| MAC=4c:0f:6e:1e:21:17,IP=x.x.x.x User role updated, existing Role=Guest_PreAuth/Guest_PreAuth, new Role=Guest_PreAuth/Guest_PreAuth, reason=User not authenticated for inheriting attributes
Sep 24 10:02:27 authmgr[1688]: <522049> <INFO> |authmgr| MAC=4c:0f:6e:1e:21:17,IP=x.x.x.x User role updated, existing Role=Guest_PreAuth/Guest_PreAuth, new Role=Guest_PreAuth/Guest_PreAuth, reason=User not authenticated for inheriting attributes
Sep 24 10:02:27 authmgr[1688]: <522049> <INFO> |authmgr| MAC=4c:0f:6e:1e:21:17,IP=x.x.x.x User role updated, existing Role=Guest_PreAuth/Guest_PreAuth, new Role=Guest_PreAuth/Guest_PreAuth, reason=User not authenticated for inheriting attributes
Sep 24 10:02:27 authmgr[1688]: <522096> <DBUG> |authmgr| 4c:0f:6e:1e:21:17: Sending STM new Role ACL : 64, and Vlan info: 77, action : 18, AP IP: 1.1.2.111, flags : 0
Sep 24 10:02:27 authmgr[1688]: <522096> <DBUG> |authmgr| 4c:0f:6e:1e:21:17: Sending STM new Role ACL : 64, and Vlan info: 77, action : 18, AP IP: 1.1.2.111, flags : 0
Sep 24 10:02:27 authmgr[1688]: <522096> <DBUG> |authmgr| 4c:0f:6e:1e:21:17: Sending STM new Role ACL : 64, and Vlan info: 77, action : 18, AP IP: 1.1.2.111, flags : 0
One of the messages I notice is "User not authenticated for inheriting attributes" - from googling this it seems to reference MAC authentication which we are not using.
The VLAN has NO connectivity to the controller, but I understand this should not be needed as the destination NAT should be able to route the traffic to the captive portal page.
Any help would be much appreciated!
Cheers
Steve
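An added example, not part of Steve's post or of ArubaOS, that turns the dhcpdwrap debug output above into something a defender can check mechanically: it decodes the raw `Options` dump on the `Datapath vlanNN: DISCOVER` line (hostname, vendor class, client identifier, parameter request list) and flags clients that keep sending DISCOVER on a VLAN without any OFFER/ACK ever being logged for them, which is exactly the symptom described in the post. The sample log is constructed: the first DISCOVER and the "Received DHCP packet" line are modelled on the post, while the repeated DISCOVER, the second client and its OFFER line (whose exact wording in real ArubaOS logs is an assumption) are invented to show the contrast between an answered and an unanswered client.

```python
"""Decode Aruba dhcpdwrap 'Datapath vlanNN: <MSG> <mac> Options ...' debug lines
and list clients whose DHCP DISCOVER is never answered on that VLAN."""
import re
from collections import defaultdict

# Constructed sample log (see lead-in). Lines 1 and 3 follow the post; the rest
# are invented for contrast. The OFFER line format is an assumption.
SAMPLE_LOG = """\
Sep 24 10:00:04 dhcpdwrap[1727]: <202534> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan77: DISCOVER 4c:0f:6e:1e:21:17 Options 74:01 3d:014c0f6e1e2117 0c:48502d333039313530 3c:4d53465420352e30 37:010f03062c2e2f1f21f77b 2b:dc00
Sep 24 10:00:09 dhcpdwrap[1727]: <202534> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan77: DISCOVER 4c:0f:6e:1e:21:17 Options 74:01 3d:014c0f6e1e2117 0c:48502d333039313530 3c:4d53465420352e30 37:010f03062c2e2f1f21f77b 2b:dc00
Sep 24 10:00:04 dhcpdwrap[1727]: <202541> <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x1003e vlan 77 egress 0x5c src mac 4c:0f:6e:1e:21:17
Sep 24 10:00:12 dhcpdwrap[1727]: <202534> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan77: DISCOVER aa:bb:cc:00:11:22 Options 3d:01aabbcc001122 0c:6c6170746f70 37:010306
Sep 24 10:00:12 dhcpdwrap[1727]: <202534> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan77: OFFER aa:bb:cc:00:11:22 Options 35:02 36:0a000001
"""

# DHCP option codes (RFC 2132 / RFC 2563) that appear in the sample above.
OPTION_NAMES = {
    12: "hostname", 43: "vendor-specific", 53: "message-type", 54: "server-id",
    55: "param-request-list", 60: "vendor-class", 61: "client-id",
    116: "auto-config",
}

# Matches only the datapath DISCOVER/OFFER/... lines; other dhcpdwrap lines are skipped.
LINE_RE = re.compile(
    r"Datapath vlan(?P<vlan>\d+): (?P<msg>[A-Z]+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) Options (?P<opts>.*)$"
)


def parse_options(blob: str) -> dict:
    """Turn 'code:hex code:hex ...' (codes and values in hex) into {code: bytes}."""
    opts = {}
    for token in blob.split():
        code_hex, _, val_hex = token.partition(":")
        opts[int(code_hex, 16)] = bytes.fromhex(val_hex)
    return opts


def describe(opts: dict) -> dict:
    """Render the raw option bytes in human-readable form, keyed by option name."""
    out = {}
    for code, raw in opts.items():
        name = OPTION_NAMES.get(code, f"opt{code}")
        if code in (12, 60):                      # hostname / vendor class are ASCII
            out[name] = raw.decode("ascii", "replace")
        elif code == 55:                          # list of requested option codes
            out[name] = list(raw)
        elif code == 61 and raw[:1] == b"\x01":   # type 1 = Ethernet MAC follows
            out[name] = ":".join(f"{b:02x}" for b in raw[1:])
        elif code == 54:                          # server identifier is an IPv4 address
            out[name] = ".".join(str(b) for b in raw)
        elif code == 53:                          # DHCP message type as an integer
            out[name] = raw[0] if raw else None
        else:
            out[name] = raw.hex()
    return out


def parse_line(line: str):
    """Return {vlan, msg, mac, options} for a datapath DHCP line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"vlan": int(m["vlan"]), "msg": m["msg"], "mac": m["mac"],
            "options": parse_options(m["opts"])}


def stuck_clients(log_text: str) -> list:
    """(mac, vlan, discover_count) for clients that sent DISCOVER but never saw OFFER/ACK."""
    seen = defaultdict(set)
    discovers = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["mac"], rec["vlan"])
        seen[key].add(rec["msg"])
        if rec["msg"] == "DISCOVER":
            discovers[key] += 1
    return sorted(
        (mac, vlan, discovers[(mac, vlan)])
        for (mac, vlan), msgs in seen.items()
        if "DISCOVER" in msgs and not msgs & {"OFFER", "ACK"}
    )


if __name__ == "__main__":
    for mac, vlan, n in stuck_clients(SAMPLE_LOG):
        print(f"{mac} on vlan {vlan}: {n} DISCOVER(s), no OFFER/ACK logged")
    first = parse_line(SAMPLE_LOG.splitlines()[0])
    for key, value in describe(first["options"]).items():
        print(f"  {key}: {value}")
```

Run against a real `show log all` capture, the stuck list tells you which MAC/VLAN pairs never get past DISCOVER, and the decoded hostname and vendor class (here `HP-309150` / `MSFT 5.0`) confirm which device is the one being tested; an unanswered DISCOVER with the correct VLAN tag is consistent with the post's theory that the request is not reaching the DHCP server rather than being blocked by the role.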