Security

I have a user who is trying to access our captive portal network.  All they need to do normally is provide an email address which is unverified, then they are given the proper role to access the network.  Today for some reason this user is unable to get past our captive portal page.  They are repeatedly shown "email address is invalid" despite entering a real email address.  

They have tried their personal gmail, the corporate email they were given, random gibberish emails, and nothing works.  Rebooting the phone does not work.  We have tried with Google Chrome and Mozilla Firefox for Android.  We have tried connecting to another SSID and reconnecting to the captive portal network.

Nothing seems to solve this problem that we can easily try -- all attempts for this device to enter an email on the captive portal is denied.  Is there anything I can do to debug on our end short of opening a TAC case?

I have already enabled user-debug messages on this particular phone's mac address, but nothing is standing out.

Aug 15 00:52:05 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 78:4b:87:db:f0:67 vlan 0 derivation_type Reset VLANs for Station up index 0.
Aug 15 00:52:05 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 78:4b:87:db:f0:67 vlan 100 fwdmode 0 derivation_type Default VLAN.
Aug 15 00:52:05 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 78:4b:87:db:f0:67 vlan 100 derivation_type Default VLAN index 1.
Aug 15 00:52:05 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 78:4b:87:db:f0:67 vlan 100 fwdmode 0 derivation_type Current VLAN updated.
Aug 15 00:52:05 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 78:4b:87:db:f0:67 vlan 100 derivation_type Current VLAN updated index 2.
Aug 15 00:52:05 :522158:  <DBUG> |authmgr|  Role Derivation for user N/A-78:4b:87:db:f0:67- N/A Set AAA profile defaults.
Aug 15 00:52:05 :522142:  <DBUG> |authmgr|  Setting default role to CP-Net-guest-logon for user 78:4b:87:db:f0:67".
Aug 15 00:52:05 :522127:  <DBUG> |authmgr|  {L2} Update role from logon to CP-Net-guest-logon for IP=N/A, MAC=78:4b:87:db:f0:67.
Aug 15 00:52:05 :522049:  <INFO> |authmgr|  MAC=78:4b:87:db:f0:67,IP=N/A User role updated, existing Role=logon/none, new Role=CP-Net-guest-logon/none, reason=Set AAA profile defaults
Aug 15 00:52:05 :522246:  <DBUG> |authmgr|  Idle timeout should be driven by STM for MAC 78:4b:87:db:f0:67.
Aug 15 00:52:05 :524141:  <DBUG> |authmgr|  clr_pmkcache_ft():987: MAC:78:4b:87:db:f0:67 BSS:40:e3:d6:f3:74:31
Aug 15 00:52:05 :522287:  <DBUG> |authmgr|  Auth GSM : MAC_USER publish for mac 78:4b:87:db:f0:67 bssid 40:e3:d6:f3:74:31 vlan 100 type 1 data-ready 0
Aug 15 00:52:05 :522254:  <DBUG> |authmgr|  VDR - mac 78:4b:87:db:f0:67 rolename CP-Net-guest-logon fwdmode 0 derivation_type Initial Role Contained vp not present.
Aug 15 00:52:05 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 78:4b:87:db:f0:67 vlan 0 derivation_type Reset Role Based VLANs index 3.
Aug 15 00:52:05 :522158:  <DBUG> |authmgr|  Role Derivation for user N/A-78:4b:87:db:f0:67- N/A  handle_sta_up_dn: setting l2 role for user attributes.
Aug 15 00:52:05 :522309:  <DBUG> |authmgr|  Deriving role from user attributes. MAC=78:4b:87:db:f0:67.
Aug 15 00:52:05 :522254:  <DBUG> |authmgr|  VDR - mac 78:4b:87:db:f0:67 rolename NULL fwdmode 0 derivation_type Matched User Rule vp present.
Aug 15 00:52:05 :524124:  <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:78:4b:87:db:f0:67, pmkid_present:False, pmkid:N/A
Aug 15 00:52:05 :522255:  <DBUG> |authmgr|  "VDR - set vlan in user for 78:4b:87:db:f0:67 vlan 100 fwdmode 0 derivation_type Current VLAN updated.
Aug 15 00:52:05 :522258:  <DBUG> |authmgr|  "VDR - Add to history of user user 78:4b:87:db:f0:67 vlan 100 derivation_type Current VLAN updated index 4.
Aug 15 00:52:05 :522260:  <DBUG> |authmgr|  "VDR - Cur VLAN updated 78:4b:87:db:f0:67 mob 0 inform 1 remote 0 wired 0 defvlan 100 exportedvlan 0 curvlan 100.
Aug 15 00:52:05 :522308:  <DBUG> |authmgr|  Device Type index derivation for 78:4b:87:db:f0:67 : dhcp (0,0,0) oui (0,0) ua (45,1,1) derived Android(1)
Aug 15 00:52:05 :522299:  <DBUG> |authmgr|  Auth GSM : DEV_ID_CACHE publish for mac 78:4b:87:db:f0:67 dev-id Android index 1
Aug 15 00:52:05 :522128:  <DBUG> |authmgr|  download-L2: acl=72/0 role=CP-Net-guest-logon, tunl=0x0x100dd, PA=0, HA=1, RO=0, VPN=0 L3MOB=0.
Aug 15 00:52:05 :522050:  <INFO> |authmgr|  MAC=78:4b:87:db:f0:67,IP=N/A User data downloaded to datapath, new Role=CP-Net-guest-logon/72, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
Aug 15 00:52:05 :522242:  <DBUG> |authmgr|  MAC=78:4b:87:db:f0:67 Station Created Update MMS: BSSID=40:e3:d6:f3:74:31 ESSID=CP-Net VLAN=100 AP-name=NET-WAP-4
Aug 15 00:52:05 :522301:  <DBUG> |authmgr|  Auth GSM : USER publish for uuid 0xec60adb740e7cdd3 mac 78:4b:87:db:f0:67 name  role CP-Net-guest-logon devtype Android wired 0 authtype 0 subtype 0  encrypt-type 9 conn-port 8448 fwd-mode 0
Aug 15 00:52:06 :522026:  <INFO> |authmgr|  MAC=78:4b:87:db:f0:67 IP=10.14.100.21 User miss: ingress=0x100dd, VLAN=100 flags=0x8040
Aug 15 00:52:06 :522122:  <DBUG> |authmgr|  Reset BWM contract: IP=0.0.0.0 role=CP-Net-guest-logon, contract= (0/0), type=Per role.
Aug 15 00:52:06 :522125:  <DBUG> |authmgr|  Could not create/find bandwidth-contract for user, return code (-11).
Aug 15 00:52:06 :522122:  <DBUG> |authmgr|  Reset BWM contract: IP=0.0.0.0 role=CP-Net-guest-logon, contract= (0/0), type=Per role.
Aug 15 00:52:06 :522125:  <DBUG> |authmgr|  Could not create/find bandwidth-contract for user, return code (-11).
Aug 15 00:52:06 :522006:  <INFO> |authmgr|  MAC=78:4b:87:db:f0:67 IP=10.14.100.21 User entry added: reason=Sibtye
Aug 15 00:52:06 :522270:  <DBUG> |authmgr|  During User miss marking the user 78:4b:87:db:f0:67 with ingress 0x100dd, connection-type 2 as wireless, muxtunnel = no
Aug 15 00:52:06 :522318:  <DBUG> |authmgr|  Client 78:4b:87:db:f0:67 idle timeout 300 profile global
Aug 15 00:52:06 :522128:  <DBUG> |authmgr|  download-L2: acl=72/0 role=CP-Net-guest-logon, tunl=0x0x100dd, PA=0, HA=1, RO=0, VPN=0 L3MOB=0.
Aug 15 00:52:06 :522050:  <INFO> |authmgr|  MAC=78:4b:87:db:f0:67,IP=10.14.100.21 User data downloaded to datapath, new Role=CP-Net-guest-logon/72, bw Contract=0/0, reason=New user IP processing, idle-timeout=300
Aug 15 00:52:06 :522301:  <DBUG> |authmgr|  Auth GSM : USER publish for uuid 0xec60adb740e7cdd3 mac 78:4b:87:db:f0:67 name  role CP-Net-guest-logon devtype Android wired 0 authtype 0 subtype 0  encrypt-type 9 conn-port 8448 fwd-mode 0
Aug 15 00:56:21 :522296:  <DBUG> |authmgr|  Auth GSM : USER_STA delete event for user 78:4b:87:db:f0:67 age 0 deauth_reason 8
Aug 15 00:56:21 :522036:  <INFO> |authmgr|  MAC=78:4b:87:db:f0:67 Station DN: BSSID=40:e3:d6:f3:74:31 ESSID=CP-Net VLAN=100 AP-name=NET-WAP-4
Aug 15 00:56:21 :522234:  <DBUG> |authmgr|  Setting idle timer for user 78:4b:87:db:f0:67 to 300 seconds (idle timeout: 300 ageout: 0).
Aug 15 00:56:21 :522152:  <DBUG> |authmgr|  station free: bssid=40:e3:d6:f3:74:31, @=0x0x19658e4.

You should open a TAC case.  Typically just javascript on the page checks for the "validity" of an email address.

Thanks Colin.  I was hoping that would not be the case.  Oddly enough the user was able to enter a slur email address "f***@you.com" and it let them log in finally.  This is after clearing all history/cache on the phone and trying the previous emails again.

Were you able to get any answers on this issue?  I am encountering the same problem.  It's sporadic with various devices.  Sometimes you can put in a different email address and it works, other times you can try several and none ever work.

Thanks,

JOe

• Can you give examples of an email address format that is not working?
• Are you modifying the email field (and its validators)?
• What device(s) are you seeing this on?

There is actually no Javascript that verifies if an email is valid per se, just that it has a basic format ("x" won't work, but "x@x.com" will, regardless if the latter is an actual address or not).

I've used personal email addresses such as 

• myself@gmail.com (replace myself with the real email addr)
• first.last@company.com (replace first.last with my name and company with our corporate domain)
• abc@abc.com (actually this one worked for a while, but it stopped working.  I think other users began using this "abc@abc.com" addr and once it is in use in the controller's memory, you can't use it again.  I now use "cats@cats.com" and it works every time)

We are not modifying any email address field to my knowledge.  This SSID captive portal was set up using the Aruba wizard and not modified beyond the post-auth guest role after that.  The pre-auth role should not be modified at all.

To my knowledge this is occurring on an Android only so far, as no one has reported it.  Users tend to silently suffer, however, so it could be that this is a wider problem.

so what is the solution?  I  have the same issue. opened a ticket for TAC support, but am getting no where.

It turned out the problem was Google Chrome browser passing whitespace text into the input field.  I switched to Firefox and it worked flawlessly.  Chrome also does not redirect correctly when your new tab opens an https page, whereas Firefox does.

ok thanks. my issue is with android and ios phones getting the invalid email address error.