Hello Victor,
thanks for the input.
1) I updated the ClearPass cert with one trusted by the client and now the https warnings are gone.
2) With the original order of ACLs in the guest-logon user role nothing changes - the user is redirected to the captive portal, enters credentials, ClearPass receives it as a "webauth" type request and says it's accepted, but the user still shows as guest-logon on the controller and is redirected back to the captive portal login page.
-> Therefore I believe the problem is with the setup of the ClearPass service that should return some response to the controller, but the options are very limited in the webauth service type, so I have no idea how to fix it. Also, on the firewall I don't see that ClearPass would initiate a CoA back to the controller...
3) If I change the order of ACLs on the controller, I get a certificate error (and based on the cert it shows, it looks like I am not redirected to ClearPass but to the controller), and then it just keeps looping in the browser between ".../captiveportal.php" and ".../captiveportal.php?cmd=login&mac=xxx", and I don't even get the login prompt in the browser.
ACLs are here:
ip access-list session logon-control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
any host 10.10.2.200 any permit
ip access-list session captiveportal
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
any host 10.10.2.200 any permit
4) I don't fully understand the last point about creating an alias, but based on the ACLs and what I see on the client and the firewall, I am quite sure the client has access to ClearPass without any problem.
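As an added illustration (not code from the poster, Victor, or Aruba), the following script replays the two session ACLs quoted above through a simple first-match evaluator, so one can see which rule a client's HTTPS connection to ClearPass hits depending on whether logon-control or captiveportal comes first in the guest-logon role. The ACL text is copied from the post; everything else is an assumption: that the controller evaluates the role's ACLs top to bottom and the first matching rule decides, a placeholder controller IP of 10.10.2.1 for "alias controller", and the port numbers behind the svc-http-proxy aliases.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "src dst service action")

# ACL text as posted; parsed into a dict of {acl_name: [Rule, ...]}.
ACL_TEXT = """
ip access-list session logon-control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
any host 10.10.2.200 any permit
ip access-list session captiveportal
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
any host 10.10.2.200 any permit
"""

# Constructed placeholder: the controller's own IP, which 'alias controller'
# resolves to. ClearPass (10.10.2.200) comes from the ACLs themselves.
ALIASES = {"controller": "10.10.2.1"}

# Service aliases as (protocol, destination port). The proxy ports are assumed
# ArubaOS defaults; adjust them if your controller defines them differently.
SERVICES = {
    "svc-https": ("tcp", 443), "svc-http": ("tcp", 80),
    "svc-dns": ("udp", 53), "svc-dhcp": ("udp", 67), "svc-icmp": ("icmp", None),
    "udp 68": ("udp", 68),
    "svc-http-proxy1": ("tcp", 3128), "svc-http-proxy2": ("tcp", 8080),
    "svc-http-proxy3": ("tcp", 8888),
}


def parse_acls(text):
    """Parse 'ip access-list session' blocks into {name: [Rule, ...]}."""
    acls, current = {}, None
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "session"]:
            current = acls.setdefault(tok[3], [])
            continue
        src = tok.pop(0)                        # 'user' or 'any'
        if tok[0] == "host":
            dst, tok = ("host", tok[1]), tok[2:]
        elif tok[0] == "network":
            dst, tok = ("network", tok[1], tok[2]), tok[3:]
        elif tok[0] == "alias":
            dst, tok = ("alias", tok[1]), tok[2:]
        else:
            dst, tok = ("any",), tok[1:]
        if tok[-2] == "dst-nat":                # action is the trailing token(s)
            action, tok = ("dst-nat", int(tok[-1])), tok[:-2]
        else:
            action, tok = (tok[-1],), tok[:-1]
        current.append(Rule(src, dst, " ".join(tok), action))
    return acls


def _dst_matches(dst, ip):
    if dst[0] == "any":
        return True
    if dst[0] == "host":
        return ip == dst[1]
    if dst[0] == "alias":
        return ip == ALIASES[dst[1]]
    net = ipaddress.ip_network(f"{dst[1]}/{dst[2]}", strict=False)
    return ipaddress.ip_address(ip) in net


def _service_matches(service, proto, dport):
    if service == "any":
        return True
    want_proto, want_port = SERVICES[service]
    return want_proto == proto and (want_port is None or want_port == dport)


def evaluate(acls, role_order, dst_ip, proto, dport=None):
    """First-match lookup for a packet sent by the client ('user' and 'any'
    sources both match). Returns (acl_name, rule_index, action), or the
    implicit deny when no rule matches."""
    for name in role_order:
        for i, rule in enumerate(acls[name]):
            if _dst_matches(rule.dst, dst_ip) and _service_matches(rule.service, proto, dport):
                return name, i, rule.action
    return None, None, ("deny",)


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for order in (["logon-control", "captiveportal"], ["captiveportal", "logon-control"]):
        print(order, "->", evaluate(acls, order, "10.10.2.200", "tcp", 443))
```

With logon-control first, HTTPS to 10.10.2.200 hits the "any host 10.10.2.200 any permit" rule and reaches ClearPass directly; with captiveportal first, the same packet matches "user any svc-https dst-nat 8081" before the host permit is ever reached, so the browser lands on the controller's own portal listener. That is consistent with the certificate error and the captiveportal.php loop described in point 3, and it is the kind of check worth running before touching the ClearPass service configuration.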