Trouble with wired captive portal on central with 2930m

  • 1.  Trouble with wired captive portal on central with 2930m

    Posted Mar 18, 2023 02:59 PM

    Hey,

    I'm trying to do a captive portal failthrough for clients at our branch sites. Running AOS 10.3.1.3 on the gateway and 16.11 on the 2930m switch, managed via UI group on Central. When I give it a VLAN, session timeout and nas-filter-rule everything is fine and it authenticates.

    The ACL I'm giving it is allow all to clearpass (where the captive portal lives), DHCP, and DNS. The VLAN is a bridged VLAN, so it goes in the underlay. On the BGW, I have a full-tunnel PBR associated with that VLAN so all traffic routes into the overlay. I've taken some debugs when I add the captive portal attribute, which is the following: Radius:Hewlett-Packard-Enterprise:HPE-Captive-Portal-URL = <captive portal URL https://... in clearpass>

    Everything works until I send that RADIUS attribute back as well and then I get this error:

    0002:23:29:43.88 MAC  eDrvPoll:Port: 3 MAC: 3448ed-47bfee rejected during demux,
       known unauth client.
    0002:23:29:42.88 MAC  mWebAuth:Port: 3 MAC: 3448ed-47bfee client authentication
       failed, login retry count: 1 >= max-retries: 0, no unauth-vid configured,
       entering quiet-period: 60 seconds.
    0002:23:29:42.88 MAC  mWebAuth:Port: 3 MAC: 3448ed-47bfee client rejected,
       session: 271, invalid attributes.
    0002:23:29:42.88 MAC  mWebAuth:Port 3, MAC 3448ed-47bfee: Captive Portal
       attribute validation error.
    0002:23:29:42.87 RAD  tRadiusR:Removing RADIUS REQUEST id: 247 from queue.
    0002:23:29:42.87 RAD  tRadiusR:ACCESS ACCEPT id: 247 from 10.146.22.12 received.
    0002:23:29:42.86 MAC  eDrvPoll:Port: 3 MAC: 3448ed-47bfee rejected during demux,
       known unauth client.
    0002:23:29:42.83 RAD  mRadiusCtrl:ACCESS REQUEST id: 247 to 10.146.22.12
       session: 271, access method: MAC-AUTH, NAS-identifier: 28301-sw-01.
    0002:23:29:42.83 RAD  mRadiusCtrl:ACCESS REQUEST id: 247 to 10.146.22.12
       session: 271, access method: MAC-AUTH, User-Name: 3448ed47bfee,
       Calling-Station-Id: 3448ed-47bfee, NAS-Port-Id: 3, NAS-IP-Address:
       10.136.20.130.
    0002:23:29:42.83 RAD  mRadiusCtrl:Received RADIUS MSG: DATA, session: 271.
    0002:23:29:42.83 RAD  mRadiusCtrl:Received RADIUS MSG: AUTH REQUEST, session:
       271, access method: MAC-AUTH.
    0002:23:29:42.83 MAC  mWebAuth:Port: 3 MAC: 3448ed-47bfee RADIUS CHAP
       authentication started, session: 271.
    0002:23:29:42.83 MAC  mWebAuth:Port: 3 MAC: 3448ed-47bfee new client detected on
       vid: 1.
    0002:23:29:42.83 AUOR  mWebAuth:Auth Order: Port 3: Client status updated for
       client: 3448ed-47bfee, auth-method: 1 , auth-state: 1 .
    0002:23:29:42.83 AUOR  mWebAuth:Auth Order: Port 3:Added auth order client:
       3448ed-47bfee.
    0002:23:29:42.83 AUOR  mWebAuth:Port: 3 MAC: 3448ed-47bfee Auth Order : 802.1x
       is not configured for port.
    0002:23:29:42.59 MAC  mWebAuth:Port: 3 now being monitored for mac-based
       authentication.
    0002:23:29:39.59 MAC  mWebAuth:Port: 3 now off-line.
    0002:23:29:38.30 MAC  mWebAuth:Port: 3 now being monitored for mac-based
       authentication.

    # show port-access clients  3 D

     Port Access Client Status Detail

      Client Base Details :                     
       Port            : 3                     Authentication Type : mac-based   
       Client Status   : rejected no vlan      Session Time        : 4 seconds     
       Client Name     : 3448ed47bfee          Session Timeout     : 0 seconds     
       MAC Address     : 3448ed-47bfee    
       IP              : n/a                                    

      Access Policy Details :                       
       COS Map         : Not Defined           In Limit Kbps       : Not Set    
       Untagged VLAN   : Not Set               Out Limit Kbps      : Not Set    
       Tagged VLANs    : No Tagged VLANs                                        
       Port Mode       : 1000FDx    
       RADIUS ACL List : No Radius ACL List                                                              
       Auth Order      : Not Set                                           
       Auth Priority   : Not Set                                           
       LMA Fallback    : Disabled

    The attributes are being sent back + captive portal and now there's no ACL and no VLAN?

    Where am I going wrong here?
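    Reading a reverse-chronological, line-wrapped AOS-Switch debug dump by eye is error-prone, and the key fact in the dump above is buried in the middle: the switch did receive an ACCESS ACCEPT for id 247 and then threw the whole authorization away on local attribute validation, which is why the client ends up with no VLAN and no ACL. The following is an added example, not code from the original post or from HPE: a small Python parser that rejoins the wrapped lines, puts the events in chronological order and summarises the outcome for one client MAC. The sample input is the debug output quoted in the post; the message patterns matched are only those visible there, so other AOS-Switch debug formats are an assumption this code does not cover.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Debug lines copied from the post above (newest first, with the switch's
# own line wrapping preserved). Only a representative subset is included.
DEBUG_OUTPUT = """\
0002:23:29:43.88 MAC  eDrvPoll:Port: 3 MAC: 3448ed-47bfee rejected during demux,
   known unauth client.
0002:23:29:42.88 MAC  mWebAuth:Port: 3 MAC: 3448ed-47bfee client authentication
   failed, login retry count: 1 >= max-retries: 0, no unauth-vid configured,
   entering quiet-period: 60 seconds.
0002:23:29:42.88 MAC  mWebAuth:Port: 3 MAC: 3448ed-47bfee client rejected,
   session: 271, invalid attributes.
0002:23:29:42.88 MAC  mWebAuth:Port 3, MAC 3448ed-47bfee: Captive Portal
   attribute validation error.
0002:23:29:42.87 RAD  tRadiusR:Removing RADIUS REQUEST id: 247 from queue.
0002:23:29:42.87 RAD  tRadiusR:ACCESS ACCEPT id: 247 from 10.146.22.12 received.
0002:23:29:42.83 RAD  mRadiusCtrl:ACCESS REQUEST id: 247 to 10.146.22.12
   session: 271, access method: MAC-AUTH, User-Name: 3448ed47bfee,
   Calling-Station-Id: 3448ed-47bfee, NAS-Port-Id: 3, NAS-IP-Address:
   10.136.20.130.
0002:23:29:42.83 MAC  mWebAuth:Port: 3 MAC: 3448ed-47bfee new client detected on
   vid: 1.
"""

# One record: "DDDD:HH:MM:SS.hh  SUBSYSTEM  task:message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<sub>\w+)\s+(?P<task>\w+):(?P<msg>.*)$"
)


@dataclass
class Event:
    ts: float          # seconds since boot, converted from days:hh:mm:ss.hh
    subsystem: str     # MAC, RAD, AUOR, ...
    task: str          # eDrvPoll, mWebAuth, tRadiusR, mRadiusCtrl, ...
    msg: str


def _ts_to_seconds(ts: str) -> float:
    days, hh, mm, rest = ts.split(":")
    return ((int(days) * 24 + int(hh)) * 60 + int(mm)) * 60 + float(rest)


def parse_debug(text: str) -> List[Event]:
    """Rejoin wrapped continuation lines and return the events oldest-first."""
    records: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if LINE_RE.match(raw):
            records.append(raw)
        elif records:
            # Indented line without a timestamp: continuation of the previous record.
            records[-1] += " " + raw.strip()
    events = []
    for rec in records:
        m = LINE_RE.match(rec)
        events.append(Event(_ts_to_seconds(m["ts"]), m["sub"], m["task"], m["msg"].strip()))
    # The switch prints newest first. Reverse, then stable-sort so records that
    # share a timestamp keep their original relative order.
    events.reverse()
    return sorted(events, key=lambda e: e.ts)


def diagnose_client(events: List[Event], mac: str) -> Dict[str, object]:
    """Correlate RADIUS request/accept ids with the switch's local verdict for one MAC."""
    client_msgs = [e.msg for e in events if mac in e.msg]
    # Request ids belonging to this MAC (the ACCESS REQUEST line carries Calling-Station-Id).
    request_ids = {
        m.group(1)
        for msg in client_msgs
        for m in [re.search(r"ACCESS REQUEST id: (\d+)", msg)]
        if m
    }
    accepted = any(
        e.subsystem == "RAD" and (m := re.search(r"ACCESS ACCEPT id: (\d+)", e.msg)) and m.group(1) in request_ids
        for e in events
    )
    validation_error = any("attribute validation error" in m for m in client_msgs)
    rejected_invalid = any("invalid attributes" in m for m in client_msgs)
    quiet_period = None
    for msg in client_msgs:
        hit = re.search(r"quiet-period: (\d+) seconds", msg)
        if hit:
            quiet_period = int(hit.group(1))

    if accepted and (validation_error or rejected_invalid):
        verdict = "accept received but discarded by local attribute validation"
    elif accepted:
        verdict = "authorized"
    else:
        verdict = "no Access-Accept seen"
    return {
        "mac": mac,
        "radius_accept": accepted,
        "attribute_validation_error": validation_error,
        "quiet_period_s": quiet_period,
        "verdict": verdict,
    }


if __name__ == "__main__":
    timeline = parse_debug(DEBUG_OUTPUT)
    for ev in timeline:
        print(f"{ev.ts:12.2f} {ev.subsystem:5} {ev.task:12} {ev.msg}")
    print(diagnose_client(timeline, "3448ed-47bfee"))
```

    The useful output is the verdict line: when the RADIUS server says accept and the switch still logs "invalid attributes", the problem is the content of the returned attributes as seen by the switch, not the authentication itself, and the "no unauth-vid configured" message explains why the client then gets no VLAN at all during the quiet period.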



  • 2.  RE: Trouble with wired captive portal on central with 2930m

    Posted Mar 19, 2023 12:40 PM

    Hi, can you share how the ACLs and the role are configured?




  • 3.  RE: Trouble with wired captive portal on central with 2930m

    Posted Mar 19, 2023 02:33 PM

    No role. I'm configuring it via central UI group so I haven't seen a way to configure a role there.

    I'm sending back nas-filter-rules allowing access to DNS, DHCP and clearpass (where the portal lives). So it's a RADIUS ACL. Is there a different way I should be doing this?