Frequent Contributor II

Client unable to resolve captiveportal-login.mydomain

I have just put my first AP303 into service and it is also my first Instant 8.x AP.

 

The VC/AP is fully configured by Airwave and behaving 99% as expected except for captive portal which does redirect to captiveportal-login.mydomain.com but presents an error on the client browser saying it cannot resolve the name: "captiveportal-login.mydomain.com's server IP address could not be found". This has been tested on various device types.

 

EDIT: This is all using Internal Captive Portal

 

All APs in the network are managed by Airwave using IGC.

The AP303 is a lone AP at a new site, so it is the VC. The new Airwave group was configured by cloning a known-good group using 6.x and migrating the template to the correct version to support 8.x. Firmware version on the VC is 8.3.0.6.

 

I have confirmed that Airwave has assigned the customer's correct wildcard cert (not default cert) to the AP and confirmed that the cert is present on the AP using 'show cert all'.

 

The SSID config, roles, policies etc. are all the same as other Airwave Groups which use 6.x and they are working just fine.

 

My understanding is that the AP will intercept any request to this url and it does not need to be configured in any DNS server, and again this is working at other sites in the same org without special DNS records.

 

Any ideas?

Guru Elite

Re: Client unable to resolve captiveportal-login.mydomain

SSH into the Instant AP and then type "show cert all" to ensure that your certificate is indeed on the Instant AP:

https://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#CLI_commands/show_cert.htm

 

EDIT: You already did that.

 

Can you connect a client to that AP and attempt to ping that fqdn and see if it resolves?

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Frequent Contributor II

Re: Client unable to resolve captiveportal-login.mydomain

Yes it is there. I have also checked the system clock to ensure it is within cert validity period. 

site4-AP401# show cert all

Default Server Certificate:
Version       :3
Serial Number :B0:AF:C2:6A:09:93:85:18
Issuer        :/C=US/ST=California/O=Aruba Networks/OU=Instant/CN=securelogin.arubanetworks.com
Subject       :/C=US/ST=California/L=Sunnyvale/O=Aruba Networks/OU=Instant/CN=securelogin.arubanetworks.com
Issued On     :Sep  9 04:58:42 2016 GMT
Expires On    :Sep  8 04:58:42 2020 GMT
Signed Using  :SHA256-RSA
RSA Key size  :2048 bits

Current CP Server Certificate:
Version       :3
Serial Number :65:60:2B:8B:0C:54:xx:yy:aa:bb:B4:8E:E8:93:41:CB
Issuer        :/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
Subject       :/CN=*.mydomain.com
Issued On     :Aug  1 00:00:00 2016 GMT
Expires On    :Aug 31 23:59:59 2019 GMT
Signed Using  :SHA256-RSA
RSA Key size  :2048 bits

Version       :3
Serial Number :02:aa:71
Issuer        :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Subject       :/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
Issued On     :Dec 11 23:45:51 2013 GMT
Expires On    :May 20 23:45:51 2022 GMT
Signed Using  :SHA256-RSA
RSA Key size  :2048 bits
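
The checks this post describes (certificate present, clock inside the validity period), plus whether the wildcard subject covers the portal FQDN, written as an added example that is not part of the original thread. The function names are hypothetical, and name matching uses the Subject CN only because that is all `show cert all` prints; browsers match on subjectAltName, which this output does not show.

```python
import re
from datetime import datetime
# Trimmed copy of the `show cert all` output in the post above (unused fields omitted).
SAMPLE = """\
Default Server Certificate:
Subject       :/C=US/ST=California/L=Sunnyvale/O=Aruba Networks/OU=Instant/CN=securelogin.arubanetworks.com
Issued On     :Sep  9 04:58:42 2016 GMT
Expires On    :Sep  8 04:58:42 2020 GMT
Current CP Server Certificate:
Subject       :/CN=*.mydomain.com
Issued On     :Aug  1 00:00:00 2016 GMT
Expires On    :Aug 31 23:59:59 2019 GMT
Subject       :/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
Issued On     :Dec 11 23:45:51 2013 GMT
Expires On    :May 20 23:45:51 2022 GMT
"""

def parse_certs(text):
    """One dict per certificate: section header, subject CN, validity window (GMT)."""
    certs, section, cur = [], None, {}
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if sep and not value:                      # e.g. "Current CP Server Certificate:"
            section = key
        elif key == "Subject":
            m = re.search(r"CN=([^/]+)", value)
            cur = {"section": section, "cn": m.group(1) if m else ""}
        elif key in ("Issued On", "Expires On"):   # padded day ("Sep  9") is collapsed first
            cur[key] = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")
            if key == "Expires On":
                certs.append(cur)
    return certs

def cn_matches(cn, fqdn):
    """A leading '*.' covers exactly one left-most label; otherwise exact match."""
    cn, fqdn = cn.lower(), fqdn.lower()
    if cn.startswith("*."):
        head, _, tail = fqdn.partition(".")
        return bool(head) and tail == cn[2:]
    return cn == fqdn

def check_portal_cert(text, fqdn, now):
    """Per certificate: is `now` inside the validity window, does the CN cover `fqdn`?"""
    return [{"section": c["section"], "cn": c["cn"], "name_match": cn_matches(c["cn"], fqdn),
             "in_validity": c["Issued On"] <= now <= c["Expires On"]}
            for c in parse_certs(text)]

if __name__ == "__main__":
    print(*check_portal_cert(SAMPLE, "captiveportal-login.mydomain.com", datetime(2019, 3, 1)), sep="\n")
```

The date passed as `now` is a constructed value; pass the AP's own clock reading to reproduce the check made in the post.
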
Frequent Contributor II

Re: Client unable to resolve captiveportal-login.mydomain

Ping to the domain name resolves to 172.31.98.1 which is not one of my addresses, and the ping fails. It seems to be some kind of default Aruba address.

 

The clients are getting DHCP from elsewhere in the network, not from the IAP.

Guru Elite

Re: Client unable to resolve captiveportal-login.mydomain

Have your client try to http to 172.31.98.1


Frequent Contributor II

Re: Client unable to resolve captiveportal-login.mydomain

@cjoseph you are onto something...

 

Browsing to 172.31.98.1 immediately directs the browser to the FQDN and loads the page (In Chrome there is an error for "Symantec Legacy Cert" but I don't think that is related to this issue as the same Symantec Legacy Cert is in use at other sites, and the cert error does not appear in IE11)

 

Other info which may or may not be relevant

In both Chrome and IE browsing to the FQDN https://captiveportal-login.mydomain.com directly results in a timeout.

 

The FQDN redirected to by 172.31.98.1 loads port 443 https://captiveportal-login.mydomain.com/swarm.cgi?...etc whereas the named browse seems to be automatically redirecting to FQDN:4343 before eventually timing out.

 

Finally, if I manually browse to https://captiveportal-login.mydomain.com/swarm.cgi?opcode=cp_generate it does indeed load the internal captive portal for me.

 

As an aside, the logo for the captive portal is not displaying.
