Security

Hello all, first, thanks for the excellent community!

I am trying to understand the purpose of the 'CaptivePortal' Session ACL that is assigned to the 'Logon' user role. 

I understand that the CaptivePortal ACL will redirect the client to the controller for captive portal functionality. So I understand why it would be assigned to a 'CaptivePortal-Guest-Logon' user role. I however dont know why it would be assigned to the 'Logon' role when this role typically wouldnt be used for Captive Portal. 

Secondly, since it is configured, why arent all my clients being sent to the Captive Portal when they are in the AAA Initial Role? I am glad they are not and 802.1x backend does process normally and they are properly placed in the 802.1x Authentication Default Role. 

I cannot figure out why normal (non-guest) clients are not being intercepted by this ACL and redireced to the Captive Portal. My assumption is that EAP processing is taking place while in the Intial Role which bypasses these ACL's therefor EAP traffic is not subject to the redirect. 

I am just trying to get a thorough understanding of the process. There is nothing wrong here! 

Thanks in advance!

That makes sense. I was thinking all the roles were processed in order with each one over-riding the previous one and ending with the derivation rules if comfigured. I am glad I asked. Thanks for the quick reply!