Hey,
I'm trying to do a captive portal failthrough for clients at our branch sites. Running AOS 10.3.1.3 on the gateway and 16.11 on the 2930m switch, managed via UI group on Central. When I give it a VLAN, session timeout and nas-filter-rule everything is fine and it authenticates.
The ACL I'm giving it is allow all to clearpass (where the captive portal lives), DHCP, and DNS. The VLAN is a bridged VLAN, so it goes in the underlay. On the BGW, I have a full-tunnel PBR associated with that VLAN so all traffic routes into the overlay. I've taken some debugs when I add the captive portal attribute, which is the following: Radius:Hewlett-Packard-Enterprise:HPE-Captive-Portal-URL = <captive portal URL https://... in clearpass>
Everything works until I send that RADIUS attribute back as well and then I get this error:
0002:23:29:43.88 MAC eDrvPoll:Port: 3 MAC: 3448ed-47bfee rejected during demux, known unauth client.
0002:23:29:42.88 MAC mWebAuth:Port: 3 MAC: 3448ed-47bfee client authentication failed, login retry count: 1 >= max-retries: 0, no unauth-vid configured, entering quiet-period: 60 seconds.
0002:23:29:42.88 MAC mWebAuth:Port: 3 MAC: 3448ed-47bfee client rejected, session: 271, invalid attributes.
0002:23:29:42.88 MAC mWebAuth:Port 3, MAC 3448ed-47bfee: Captive Portal attribute validation error.
0002:23:29:42.87 RAD tRadiusR:Removing RADIUS REQUEST id: 247 from queue.
0002:23:29:42.87 RAD tRadiusR:ACCESS ACCEPT id: 247 from 10.146.22.12 received.
0002:23:29:42.86 MAC eDrvPoll:Port: 3 MAC: 3448ed-47bfee rejected during demux, known unauth client.
0002:23:29:42.83 RAD mRadiusCtrl:ACCESS REQUEST id: 247 to 10.146.22.12 session: 271, access method: MAC-AUTH, NAS-identifier: 28301-sw-01.
0002:23:29:42.83 RAD mRadiusCtrl:ACCESS REQUEST id: 247 to 10.146.22.12 session: 271, access method: MAC-AUTH, User-Name: 3448ed47bfee, Calling-Station-Id: 3448ed-47bfee, NAS-Port-Id: 3, NAS-IP-Address: 10.136.20.130.
0002:23:29:42.83 RAD mRadiusCtrl:Received RADIUS MSG: DATA, session: 271.
0002:23:29:42.83 RAD mRadiusCtrl:Received RADIUS MSG: AUTH REQUEST, session: 271, access method: MAC-AUTH.
0002:23:29:42.83 MAC mWebAuth:Port: 3 MAC: 3448ed-47bfee RADIUS CHAP authentication started, session: 271.
0002:23:29:42.83 MAC mWebAuth:Port: 3 MAC: 3448ed-47bfee new client detected on vid: 1.
0002:23:29:42.83 AUOR mWebAuth:Auth Order: Port 3: Client status updated for client: 3448ed-47bfee, auth-method: 1 , auth-state: 1 .
0002:23:29:42.83 AUOR mWebAuth:Auth Order: Port 3:Added auth order client: 3448ed-47bfee.
0002:23:29:42.83 AUOR mWebAuth:Port: 3 MAC: 3448ed-47bfee Auth Order : 802.1x is not configured for port.
0002:23:29:42.59 MAC mWebAuth:Port: 3 now being monitored for mac-based authentication.
0002:23:29:39.59 MAC mWebAuth:Port: 3 now off-line.
0002:23:29:38.30 MAC mWebAuth:Port: 3 now being monitored for mac-based authentication.
# show port-access clients 3 D
Port Access Client Status Detail
Client Base Details :
Port : 3 Authentication Type : mac-based
Client Status : rejected no vlan Session Time : 4 seconds
Client Name : 3448ed47bfee Session Timeout : 0 seconds
MAC Address : 3448ed-47bfee
IP : n/a
Access Policy Details :
COS Map : Not Defined In Limit Kbps : Not Set
Untagged VLAN : Not Set Out Limit Kbps : Not Set
Tagged VLANs : No Tagged VLANs
Port Mode : 1000FDx
RADIUS ACL List : No Radius ACL List
Auth Order : Not Set
Auth Priority : Not Set
LMA Fallback : Disabled
The attributes are being sent back + captive portal and now there's no ACL and no VLAN?
Where am I going wrong here?
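For anyone working through a capture like the one above, here is an added helper (not from the original post or from HPE/Aruba) that parses this switch debug format, ties each RADIUS request id to its port-access session, and reports whether the client was rejected by the switch after the server had already returned an Access-Accept, which is the signature in this thread: the reject is local attribute validation, not a credential failure. The sample lines are constructed in the same format as the capture; the regexes are assumptions based on that format only.

```python
import re

# Line shape in the switch debug capture: "<uptime> <SUBSYS> <task>:<message>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sub>[A-Z]+)\s+(?P<task>\w+):(?P<msg>.*)$")
MAC_RE = re.compile(r"MAC:?\s*([0-9a-f]{6}-[0-9a-f]{6})")
SESSION_RE = re.compile(r"session:\s*(\d+)")
RADIUS_ID_RE = re.compile(r"\bid:\s*(\d+)")
HINT_RE = re.compile(r"no unauth-vid configured|max-retries:\s*\d+|invalid attributes")
REJECT_WORDS = ("rejected", "failed", "validation error")

# Constructed sample in the same format as the capture in the post (not the full capture).
SAMPLE_DEBUG = """\
0002:23:29:42.88 MAC mWebAuth:Port: 3 MAC: 3448ed-47bfee client authentication failed, login retry count: 1 >= max-retries: 0, no unauth-vid configured, entering quiet-period: 60 seconds.
0002:23:29:42.88 MAC mWebAuth:Port: 3 MAC: 3448ed-47bfee client rejected, session: 271, invalid attributes.
0002:23:29:42.88 MAC mWebAuth:Port 3, MAC 3448ed-47bfee: Captive Portal attribute validation error.
0002:23:29:42.87 RAD tRadiusR:ACCESS ACCEPT id: 247 from 10.146.22.12 received.
0002:23:29:42.83 RAD mRadiusCtrl:ACCESS REQUEST id: 247 to 10.146.22.12 session: 271, access method: MAC-AUTH, User-Name: 3448ed47bfee, Calling-Station-Id: 3448ed-47bfee, NAS-Port-Id: 3, NAS-IP-Address: 10.136.20.130.
0002:23:29:42.83 MAC mWebAuth:Port: 3 MAC: 3448ed-47bfee RADIUS CHAP authentication started, session: 271.
"""


def summarize(text):
    """Per client MAC: sessions, whether RADIUS accepted one, and the switch's own reject reasons."""
    clients, accept_ids, id_to_session = {}, set(), {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a well-formed debug line
        sub, task, msg = m.group("sub"), m.group("task"), m.group("msg").strip()
        rid, ses = RADIUS_ID_RE.search(msg), SESSION_RE.search(msg)
        if sub == "RAD" and rid:
            if "ACCESS ACCEPT" in msg:
                accept_ids.add(rid.group(1))  # server said yes to this request id
            elif "ACCESS REQUEST" in msg and ses:
                id_to_session[rid.group(1)] = int(ses.group(1))  # request id -> session
        mac = MAC_RE.search(msg)
        if not mac:
            continue
        c = clients.setdefault(mac.group(1), {"sessions": set(), "reasons": [], "config_hints": []})
        if ses:
            c["sessions"].add(int(ses.group(1)))
        # Only the mWebAuth task explains why the switch itself dropped the client.
        if task == "mWebAuth" and any(w in msg for w in REJECT_WORDS):
            c["reasons"].append(msg)
            c["config_hints"] += [h for h in HINT_RE.findall(msg) if h not in c["config_hints"]]
    for c in clients.values():
        c["radius_accepted"] = any(id_to_session.get(i) in c["sessions"] for i in accept_ids)
        # Accept from RADIUS plus a local reject points at attribute validation or
        # port config on the switch, not at credentials: the situation in the post.
        c["local_reject_after_accept"] = c["radius_accepted"] and bool(c["reasons"])
    return clients
```

Running `summarize(SAMPLE_DEBUG)` flags the client as accepted by RADIUS yet rejected locally, with "max-retries: 0", "no unauth-vid configured" and "invalid attributes" as the config hints to look at alongside the captive-portal attribute.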