Hi All,
I'm trying to build a 7220 cluster with captive portal guest access (8.2.2.0).
Running into a couple of weird issues which I thought I'd share in the hope others may have solved them already.
The controllers are in an L2 cluster with VRRP enabled. The guest network is deployed as L2 (separate upstream router) and the management network is unreachable from the guest network (no route / firewalled).
Issue #1
The ip cp-redirect IP has been configured for the IP address assigned to the interface in the user VLAN on all controllers. The external captive portal solution uses the "switchip" attribute in the redirect URL to trigger the HTTP POST back to the controller for user login. This switchip is being sent as the VRRP interface address of the MDs in the cluster and not the ip cp-redirect address I'd expect to see. The result is that clients attempt to post back to the cluster VRRP address (non-reachable) and fail.
Initial fix was to remove VRRP from cluster and this solved the issue of the switch ip. Not sure if this is correct - seems buggy.
Issue #2
The external captive portal solution (Purple) requires HTTP-only authentication as it posts back to the IP address and not the FQDN of the controller. When the user posts back to the ip cp-redirect address, the traffic gets captured by the default captiveportal ACL in the pre-login role and is redirected back to the login page, causing a loop.
Presumably if this was an FQDN that matched the controller cert (i.e. when using ClearPass) then "magic" routing would capture the call to the FQDN and redirect to the controller, bypassing the cp-redirect rule and allowing the POST for RADIUS to take place.
What I'm seeing is that I need to push an ACL into the pre-auth role allowing HTTP access to the IP address specified for the ip cp-redirect interface on each controller. This seems to work fine. Not sure if this is correct or will break other things.
Issue #3
When the user completes login, the logout popup window is displayed, regardless of the state of the logout popup window option in the captive portal authentication profile.
Anybody else had this issue? Is this a bug?
Hoping I'm not the only one thinking these things aren't right.
scott
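
Added example (not part of the original post and not the vendor's code): a simplified first-match model of the pre-login role from Issue #2, showing why the HTTP POST to the cp-redirect address loops and why a permit scoped to that one address and port has to sit ahead of the redirect rule. The rule tuples, the addresses (RFC 5737 documentation ranges) and the function names are constructed for illustration and do not reproduce the controller's ACL syntax.

```python
"""Simplified first-match model of a pre-login role (illustrative only)."""
from ipaddress import ip_address, ip_network

# Constructed sample values (RFC 5737 documentation addresses).
CP_REDIRECT_IP = "192.0.2.10"    # assumed ip cp-redirect address in the guest VLAN
PORTAL_IP = "198.51.100.20"      # assumed external captive portal server

# Each rule: (destination network, TCP port, action). First match wins.
CAPTIVE_PORTAL_ACL = [
    (f"{PORTAL_IP}/32", 443, "permit"),   # reach the external portal
    ("0.0.0.0/0", 80, "redirect"),        # catch-all HTTP -> login page
    ("0.0.0.0/0", 443, "redirect"),       # catch-all HTTPS -> login page
]

# Narrow exception: HTTP to the cp-redirect address only.
ALLOW_POST_BACK = [(f"{CP_REDIRECT_IP}/32", 80, "permit")]


def evaluate(rules, dst_ip, dst_port):
    """Return the action of the first matching rule; implicit deny at the end."""
    for network, port, action in rules:
        if ip_address(dst_ip) in ip_network(network) and dst_port == port:
            return action
    return "deny"


def login_post_outcome(rules):
    """What happens to the portal's HTTP POST back to the cp-redirect address."""
    return evaluate(rules, CP_REDIRECT_IP, 80)


def exposure(rules, probes):
    """List the probes the pre-login role permits, to check the exception is tight."""
    return [(ip, port) for ip, port in probes if evaluate(rules, ip, port) == "permit"]


# Destinations an unauthenticated guest might try (constructed).
PROBES = [
    (CP_REDIRECT_IP, 80),    # the login POST
    (CP_REDIRECT_IP, 22),    # another service on the same address
    ("203.0.113.5", 80),     # arbitrary web site
]

if __name__ == "__main__":
    after = ALLOW_POST_BACK + CAPTIVE_PORTAL_ACL    # exception placed first
    wrong = CAPTIVE_PORTAL_ACL + ALLOW_POST_BACK    # exception placed last
    for name, rules in (("before", CAPTIVE_PORTAL_ACL), ("after", after), ("wrong order", wrong)):
        print(f"{name:12} POST -> {login_post_outcome(rules):8} permitted: {exposure(rules, PROBES)}")
```

In this model the exception only breaks the loop when it is evaluated before the catch-all HTTP rule, and it opens nothing to pre-auth clients beyond port 80 on the one cp-redirect address.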