Security

Dear Experts,

my controller is found at site A, site B is a remote site connected via a Citrix SD-WAN, site B has 3 VLAN 300, 310, 320, all these VLAN have DHCP that a FortiGate Firewall handle. I have 2 VAP at site B, normal browsing in bridge mode and guest in tunnel mode, I have IP configured on the controller interface for VLAN 300 192.168.30.10 when I connect to the guest SSID, im not able to get IP nor the captive portal is showing up, I had tried to configure a DHCP server manual on the controller for the guest, i able to get IP but im not able to ping the default gateway which is 192.168.30.1 nor 8.8.8.8, the VLAN 300 only exist at site B.can you please help me resolve this issue? 

What is the pre-authentication role for captive portal users? 

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.

guest logon, when I set it to another VLAN that is found at SITE A it works, but when I set it on VLAN SITE B, it doesn't work.

Is the forwarding mode tunnel for the VAP that the specific VLAN is mapped to?

Note: Captive Portal does not work in bridge mode

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.

Tunnel mode, I have SITE B VLAN trunk on the switch port 300,310,320.

In the scenario where you do not get an IP address, what do the logs indicate? 

" Show log all | include dhcpd "

In the scenario that you do get an IP address.

what does " show user ip <IP of Client>  & show user-table | include <IP of Client>"  return?

Where is the captive portal hosted? Is is it an Internal Captive Portal or an External Captive Portal?

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.

(Arubamaster) [mynode] (config) # show user-table

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
192.168.98.125 bc:f6:85:04:b1:67 logon 00:00:02 0/0/4 Wired default tunnel WIRED
192.168.96.76 f0:7d:68:10:44:31 logon 00:00:04 0/0/4 Wired default tunnel WIRED
52.112.194.22 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
52.114.158.50 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
172.16.4.247 00:09:0f:09:00:12 logon 00:00:07 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.188 9c:d6:43:00:0d:2a logon 00:00:06 0/0/4 Wired default tunnel WIRED
192.168.96.25 78:e7:d1:f5:ee:54 logon 00:00:01 0/0/4 Wired default tunnel WIRED
52.98.18.2 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.204 14:4f:8a:49:3a:cc logon 00:00:06 0/0/4 Wired default tunnel WIRED
192.168.106.4 20:4c:03:03:6a:48 logon 00:00:06 0/0/4 Wired default tunnel WIRED
192.168.96.233 b4:ae:2b:da:44:4f logon 00:00:01 NW-A-15 Wireless Corporate Warehouse/7c:57:3c:38:f3:91/a-VHT Corporate Warehouse_aaa_prof tunnel Win 10 WIRELESS
192.168.96.211 00:24:e8:ea:e7:8f logon 00:00:06 0/0/4 Wired default tunnel WIRED
8.8.4.4 00:09:0f:09:00:12 logon 00:00:04 0/0/4 Wired default tunnel Win 10 WIRED
185.63.144.5 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.125 0c:e0:dc:f7:61:0b logon 00:00:00 0/0/4 Wired default tunnel WIRED
159.138.85.248 00:09:0f:09:00:12 logon 00:00:03 0/0/4 Wired default tunnel Win 10 WIRED
52.109.120.17 00:09:0f:09:00:12 logon 00:00:00 0/0/4 Wired default tunnel Win 10 WIRED
52.30.188.175 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.97.42 00:0d:e0:92:01:f5 logon 00:00:01 0/0/4 Wired default tunnel WIRED
192.168.98.83 00:1f:1f:bf:ff:bd logon 00:00:06 0/0/4 Wired default tunnel WIRED
13.107.4.52 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
104.244.42.195 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.97.181 b8:ac:6f:37:59:aa logon 00:00:01 0/0/4 Wired default tunnel WIRED
192.168.98.35 08:00:37:ff:8f:d3 logon 00:00:05 0/0/4 Wired default tunnel WIRED
52.86.38.4 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
142.0.160.53 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.216 1c:1b:b5:5a:8b:65 logon 00:00:02 OW-B-16 Wireless Corporate Warehouse/7c:57:3c:3b:1f:d1/a-VHT Corporate Warehouse_aaa_prof tunnel Win 10 WIRELESS
192.168.96.181 00:18:8b:90:9a:4c logon 00:00:05 0/0/4 Wired default tunnel WIRED
52.114.75.88 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
188.172.221.69 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
192.168.30.23 00:09:0f:09:00:12 logon 00:00:07 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.69 9c:d6:43:00:0d:2a logon 00:00:00 0/0/4 Wired default tunnel WIRED
192.168.96.218 ac:72:89:ce:eb:40 logon 00:00:06 0/0/4 Wired default tunnel WIRED
52.114.132.21 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
198.11.136.52 00:09:0f:09:00:12 logon 00:00:03 0/0/4 Wired default tunnel Win 10 WIRED
192.168.103.69 00:09:0f:09:00:12 logon 00:00:02 0/0/4 Wired default tunnel Win 10 WIRED
192.168.98.143 1c:af:f7:64:dd:4b logon 00:00:02 0/0/4 Wired default tunnel WIRED
192.168.96.132 c8:cb:b8:06:8c:84 logon 00:00:01 0/0/4 Wired default tunnel WIRED
208.74.205.195 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.98.69 bc:f6:85:04:b0:fa logon 00:00:02 0/0/4 Wired default tunnel WIRED
192.168.96.116 f4:39:09:4c:f6:ea logon 00:00:00 0/0/4 Wired default tunnel WIRED
192.168.98.144 94:b0:1f:40:8a:a1 logon 00:00:00 0/0/4 Wired default tunnel WIRED
64.233.184.157 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
104.120.68.126 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
104.17.209.240 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
104.75.202.18 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.98.197 20:16:b9:f2:5b:a2 logon 00:00:06 0/0/4 Wired default tunnel WIRED
192.168.96.33 00:0d:e0:92:01:0a logon 00:00:01 0/0/4 Wired default tunnel WIRED
192.168.96.20 00:15:5d:83:13:01 logon 00:00:06 0/0/4 Wired default tunnel WIRED
192.168.96.251 d4:be:d9:95:01:e3 logon 00:00:05 0/0/4 Wired default tunnel WIRED

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
173.194.202.188 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
104.244.42.197 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
159.138.91.5 00:09:0f:09:00:12 logon 00:00:00 0/0/4 Wired default tunnel Win 10 WIRED
52.109.124.1 00:09:0f:09:00:12 logon 00:00:07 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.123 48:c7:96:2e:26:bf logon 00:00:07 0/0/4 Wired default tunnel WIRED
192.168.96.177 00:1a:a0:24:29:24 logon 00:00:01 0/0/4 Wired default tunnel WIRED
216.58.223.99 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.100 9c:d6:43:00:0c:f7 logon 00:00:01 0/0/4 Wired default tunnel WIRED
192.168.98.20 70:4c:a5:14:8b:2e logon 00:00:00 0/0/4 Wired default tunnel WIRED
192.168.96.240 34:68:95:03:7f:0d logon 00:00:07 0/0/4 Wired default tunnel WIRED
52.156.204.185 00:09:0f:09:00:12 logon 00:00:02 0/0/4 Wired default tunnel Win 10 WIRED
192.168.108.37 84:98:66:4a:45:2f Logistics Guest_cppm_prof 00:01:51 OW-A-13 Wireless Logistics Guest/7c:57:3c:3b:1d:e2/g-HT Logistics Guest_aaa_prof tunnel Android WIRELESS
52.114.158.91 00:09:0f:09:00:12 logon 00:00:00 0/0/4 Wired default tunnel Win 10 WIRED
192.168.97.215 9c:d6:43:00:09:4a logon 00:00:00 0/0/4 Wired default tunnel WIRED
192.168.96.112 7c:2a:31:00:7e:e0 logon 00:00:04 0/0/4 Wired default tunnel WIRED
169.254.103.90 90:4c:e5:3b:71:8c Unity Guest_cppm_prof 00:00:56 JF-O-1 Wireless Unity Guest/7c:57:3c:39:07:61/g Unity Guest_aaa_prof tunnel Win 7 WIRELESS
192.168.96.111 10:62:e5:13:a9:ca logon 00:00:01 0/0/4 Wired default tunnel WIRED
52.114.77.39 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
192.168.97.165 00:25:64:a8:6d:b1 logon 00:00:00 0/0/4 Wired default tunnel WIRED
192.168.96.215 f4:39:09:28:1d:50 logon 00:00:05 0/0/4 Wired default tunnel WIRED
192.168.96.242 d4:0b:1a:37:23:dc logon 00:00:02 OW-B-16 Wireless Corporate Warehouse/7c:57:3c:3b:1f:c1/g-HT Corporate Warehouse_aaa_prof tunnel Android WIRELESS
192.168.96.184 68:94:23:5e:e3:12 logon 00:00:07 0/0/4 Wired default tunnel Win 7 WIRED
104.120.92.93 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.87 b8:ac:6f:1a:21:2d logon 00:00:04 0/0/4 Wired default tunnel WIRED
192.168.96.167 a0:63:91:a5:43:f1 logon 00:00:03 0/0/4 Wired default tunnel WIRED
192.168.96.72 c4:a8:1d:80:a1:49 logon 00:00:01 0/0/4 Wired default tunnel WIRED
192.168.96.230 4c:34:88:1e:7d:f5 logon 00:00:01 0/0/4 Wired default tunnel WIRED
52.98.18.18 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
54.169.38.12 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.137 f4:39:09:26:c3:91 logon 00:00:02 0/0/4 Wired default tunnel WIRED
40.67.254.36 00:09:0f:09:00:12 logon 00:00:00 0/0/4 Wired default tunnel Win 10 WIRED
40.90.137.124 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.150 dc:f7:56:47:6b:3c logon 00:00:03 0/0/4 Wired default tunnel Linux WIRED
104.122.101.252 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.98.72 00:1f:1f:c0:00:08 logon 00:00:02 0/0/4 Wired default tunnel WIRED
192.168.98.167 1c:1b:b5:77:21:8f logon 00:00:07 0/0/4 Wired default tunnel WIRED
52.98.18.50 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
23.57.208.210 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
192.168.97.225 e4:e7:49:33:7d:05 logon 00:00:01 0/0/4 Wired default tunnel WIRED
216.58.223.100 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
192.168.98.189 78:7b:8a:84:65:36 logon 00:00:02 0/0/4 Wired default tunnel WIRED
192.168.97.196 00:25:64:a8:6c:5e logon 00:00:01 0/0/4 Wired default tunnel WIRED
192.168.98.104 20:16:b9:71:f2:82 logon 00:00:03 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.34 00:0d:e0:ff:ff:ff logon 00:00:02 0/0/4 Wired default tunnel WIRED
188.172.217.196 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
199.15.215.178 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.24 d0:67:e5:26:a2:fd logon 00:00:01 0/0/4 Wired default tunnel WIRED
192.168.96.232 48:f1:7f:4c:00:8b logon 00:00:02 NW-A-15 Wireless Corporate Warehouse/7c:57:3c:38:f3:91/a-VHT Corporate Warehouse_aaa_prof tunnel Win 10 WIRELESS
192.168.108.34 48:c7:96:12:4e:cd Logistics Guest_cppm_prof 00:00:41 NW-A-16 Wireless Logistics Guest/7c:57:3c:3a:ea:72/a-HT Logistics Guest_aaa_prof tunnel Linux WIRELESS
52.112.194.23 00:09:0f:09:00:12 logon 00:00:05 0/0/4 Wired default tunnel Win 10 WIRED

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
216.58.223.74 00:09:0f:09:00:12 logon 00:00:04 0/0/4 Wired default tunnel Win 10 WIRED
54.236.95.188 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.98.147 78:e4:00:12:37:c6 logon 00:00:01 0/0/4 Wired default tunnel WIRED
192.168.98.182 f4:39:09:28:1d:79 logon 00:00:02 0/0/4 Wired default tunnel WIRED
52.178.94.2 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
23.23.103.117 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
143.204.19.250 00:09:0f:09:00:12 logon 00:00:05 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.245 d0:d7:83:c1:43:af logon 00:00:07 NW-A-15 Wireless Corporate Warehouse/7c:57:3c:38:f3:81/g-HT Corporate Warehouse_aaa_prof tunnel Linux WIRELESS
192.168.96.32 08:00:37:fe:f9:07 logon 00:00:02 0/0/4 Wired default tunnel WIRED
192.168.96.207 00:21:9b:70:1f:75 logon 00:00:05 0/0/4 Wired default tunnel WIRED
99.80.113.57 00:09:0f:09:00:12 logon 00:00:02 0/0/4 Wired default tunnel Win 10 WIRED
192.168.97.34 00:26:5a:83:7b:15 logon 00:00:00 0/0/4 Wired default tunnel WIRED
192.168.98.126 f8:e9:03:02:75:76 logon 00:00:06 0/0/4 Wired default tunnel WIRED
192.168.96.154 9c:d6:43:00:0d:fe logon 00:00:00 0/0/4 Wired default tunnel WIRED
192.168.103.32 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
52.109.76.31 00:09:0f:09:00:12 logon 00:00:07 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.160 f0:7d:68:10:44:31 logon 00:00:00 0/0/4 Wired default tunnel WIRED
52.142.84.61 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
3.219.192.6 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
54.204.214.136 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.98.106 bc:85:56:e6:95:a2 logon 00:00:04 0/0/4 Wired default tunnel WIRED
192.168.30.220 90:4c:e5:3b:71:8c Unity Guest_cppm_prof 00:00:56 JF-O-1 Wireless Unity Guest/7c:57:3c:39:07:61/g Unity Guest_aaa_prof tunnel Win 7 WIRELESS
185.60.219.35 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
52.114.74.43 00:09:0f:09:00:12 logon 00:00:02 0/0/4 Wired default tunnel Win 10 WIRED
192.168.98.154 9c:2a:70:69:0a:63 logon 00:00:05 0/0/4 Wired default tunnel WIRED
192.168.96.171 f8:e9:03:02:76:14 logon 00:00:02 0/0/4 Wired default tunnel WIRED
192.168.97.217 d4:ae:52:ae:ec:68 logon 00:00:02 0/0/4 Wired default tunnel WIRED
192.168.98.122 ec:1f:72:b0:6c:0f logon 00:00:07 0/0/4 Wired default tunnel WIRED
192.168.103.36 00:09:0f:09:00:12 logon 00:00:02 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.113 a0:51:0b:9b:5d:a2 logon 00:00:02 OW-C-13 Wireless Corporate Warehouse/7c:57:3c:3b:54:a1/g-HT Corporate Warehouse_aaa_prof tunnel Win 10 WIRELESS
192.168.98.64 00:09:0f:09:00:12 logon 00:00:00 0/0/4 Wired default tunnel Win 10 WIRED
185.60.219.9 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
192.168.103.30 00:09:0f:09:00:12 logon 00:00:07 0/0/4 Wired default tunnel Win 10 WIRED
192.168.97.28 00:26:5a:83:7a:4a logon 00:00:00 0/0/4 Wired default tunnel WIRED
192.168.96.129 bc:30:5b:b2:93:ed logon 00:00:01 0/0/4 Wired default tunnel WIRED
54.165.202.16 00:09:0f:09:00:12 logon 00:00:00 0/0/4 Wired default tunnel Win 10 WIRED
52.109.120.2 00:09:0f:09:00:12 logon 00:00:03 0/0/4 Wired default tunnel Win 10 WIRED
8.8.8.8 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
151.101.172.157 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
15.164.13.201 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.108.1 00:09:0f:09:00:12 logon 00:00:04 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.1 00:09:0f:09:00:12 logon 00:00:02 0/0/4 Wired default tunnel Win 10 WIRED
52.114.74.75 00:09:0f:09:00:12 logon 00:00:04 0/0/4 Wired default tunnel Win 10 WIRED
142.0.160.57 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.107.10 a8:87:b3:ab:55:51 Radio_cppm_prof 00:01:01 OW-C-03 Wireless Radio/7c:57:3c:3a:2f:04/g-HT Radio_aaa_prof tunnel Linux WIRELESS
192.168.98.113 c4:e9:84:b1:a1:6c logon 00:00:00 0/0/4 Wired default tunnel WIRED
52.221.30.100 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.176 80:26:89:72:e5:f1 logon 00:00:05 0/0/4 Wired default tunnel WIRED
192.168.98.30 00:09:0f:09:00:12 logon 00:00:02 0/0/4 Wired default tunnel Win 10 WIRED
40.126.1.135 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
192.168.97.151 e4:b3:18:87:32:0f logon 00:00:06 0/0/4 Wired default tunnel WIRED
192.168.98.1 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.136 c4:a8:1d:80:a1:49 logon 00:00:06 0/0/4 Wired default tunnel WIRED
192.168.96.66 00:1f:1f:c0:31:13 logon 00:00:01 0/0/4 Wired default tunnel WIRED
192.168.96.120 b8:ac:6f:37:34:92 logon 00:00:07 0/0/4 Wired default tunnel WIRED
74.125.140.188 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
192.168.98.38 48:5f:99:ae:56:1f logon 00:00:04 0/0/4 Wired default tunnel WIRED
104.24.108.122 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.98.178 f4:39:09:28:1d:69 logon 00:00:00 0/0/4 Wired default tunnel WIRED
13.107.18.11 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.166 14:ab:c5:47:56:03 logon 00:00:07 0/0/4 Wired default tunnel WIRED
192.168.97.1 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
192.168.108.28 d4:ae:05:ec:14:eb Logistics Guest_cppm_prof 00:00:45 OW-A-13 Wireless Logistics Guest/7c:57:3c:3b:1d:e2/g-HT Logistics Guest_aaa_prof tunnel Android WIRELESS
192.168.108.38 00:b3:62:52:1f:11 Logistics Guest_cppm_prof 00:00:48 OW-C-13 Wireless Logistics Guest/7c:57:3c:3b:54:b2/a-VHT Logistics Guest_aaa_prof tunnel iPhone WIRELESS
52.98.18.34 00:09:0f:09:00:12 logon 00:00:02 0/0/4 Wired default tunnel Win 10 WIRED
209.85.233.188 00:09:0f:09:00:12 logon 00:00:01 0/0/4 Wired default tunnel Win 10 WIRED
192.168.96.243 04:d6:aa:38:3a:27 logon 00:00:00 NW-A-15 Wireless Corporate Warehouse/7c:57:3c:38:f3:81/g-HT Corporate Warehouse_aaa_prof tunnel Linux WIRELESS
104.94.81.252 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED
13.107.3.128 00:09:0f:09:00:12 logon 00:00:06 0/0/4 Wired default tunnel Win 10 WIRED

User Entries: 169/169
Curr/**bleep** Alloc:375/17870 Free:353/17495 Dyn:728 AllocErr:0 FreeErr:0

Arubamaster) [mynode] (config) #show user ip "192.168.30.220"
This operation can take a while depending on number of users. Please be patient ....

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
u - Upstream Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
r - Route Nexthop, h - High Value
A - Application Firewall Inspect
B - Permanent, O - Openflow
L - Log

Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags CPU ID
----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------

Name: , IP: 192.168.30.220, MAC: 90:4c:e5:3b:71:8c, Age: 00:00:58
Role: Unity Guest_cppm_prof (how: ROLE_DERIVATION_INITIAL_ROLE), ACL: 39/0
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: ROLE_DERIVATION_INITIAL_ROLE
VLAN Derivation: Default VLAN
Idle timeout (global): 300 seconds, Age: 00:00:00
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=0, vpnflags=0, u_stm_ageout=1
Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
IP User termcause: 0
phy_type: g-, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 300, Assigned: 300, Current: 300 vlan-how: 1 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
SlotPort=0x2100, Port=0x105fa (tunnel 1530)
Essid: Unity Guest, Bssid: 7c:57:3c:39:07:61 AP name/group: JF-O-1/JIN FEI Phy-type: g- Forward Mode: tunnel
AP IP: 192.168.32.47
RadAcct sessionID:n/a
RadAcct Traffic In 437/55100 Out 28/6724 (0:437/0:0:0:55100,0:28/0:0:0:6724)
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Profiles AAA:Unity Guest_aaa_prof, dot1x:, mac: CP:n/a def-role:'Unity Guest_cppm_prof' via-auth-profile:''
ncfg flags udr 0, mac 0, dot1x 0, RADIUS interim accounting 0
IP Born: 1570017692 (Wed Oct 2 16:01:32 2019)
Core User Born: 1570017598 (Wed Oct 2 15:59:58 2019)
Upstream AP ID: 0, Downstream AP ID: 0
User Agent String: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
HTTP based device-id info - Index: 62, Device: Win 7
Overall device-id info - Index: 22, Device: Win 7 By: Auth-UA-Str
Max IPv4 users: 2
L3-Auth Session Timeout from RADIUS: 0
Mac-Auth Session Timeout Value from RADIUS: 0
Dot1x Session Timeout Value from RADIUS: 0
Dot1x Session Term-Action Value from RADIUS: Default
CaptivePortal Login-Page URL from RADIUS: N/A
Reauth-interval from role: 0
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
mac auth server: N/A, dot1x auth server: N/A
Address is from DHCP: yes
ipuser_notify_action:NoAction/NoAction
Per-user-log pointer (nil) (id -1), num logs -1
RTTS disabled: rtts_throughput 19440 rtts_discard 0 rtts_reest 0 rtts_keepalive 0
User added to cluster bucket-map: No

The phy column shows client's operational capabilities for current association

Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, M: Mu beam formee, R: 802.11R client, W: WMM client, w: 802.11w client, V: 802.11v BSS trans capable, P: Punctured preamble, U: HE UL Mu-mimo, O: OWE client, S: SAE client, E: Enterprise client

PHY Details: HT : High throughput; 20: 20MHz; 40: 40MHz; t: turbo-rates (256-QAM)
VHT : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
HE : High Efficiency; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
<n>ss: <n> spatial streams

Association Table
-----------------
Name bssid mac auth assoc aid l-int essid vlan-id tunnel-id phy assoc. time num assoc Flags Band steer moves (T/S) phy_cap
---- ----- --- ---- ----- --- ----- ----- ------- --------- --- ----------- --------- ----- ---------------------- -------
JF-O-1 7c:57:3c:39:07:61 90:4c:e5:3b:71:8c y y 1 10 Unity Guest 300 0x105fa g 36m:40s 1 WA 0/0 g

90:4c:e5:3b:71:8c-7c:57:3c:39:07:61 Stats
------------------------------------------
Parameter Value
--------- -----
Channel 11
Channel Frame Retry Rate(%) 0
Channel Frame Low Speed Rate(%) 0
Channel Frame Non Unicast Rate(%) 0
Channel Frame Fragmentation Rate(%) 0
Channel Frame Error Rate(%) 0
Channel Bandwidth Rate(kbps) 0
Channel Noise 96
Client Frame Retry Rate(%) 0
Client Frame Low Speed Rate(%) 0
Client Frame Non Unicast Rate(%) 0
Client Frame Fragmentation Rate(%) 0
Client Frame Receive Error Rate(%) 0
Client Bandwidth Rate(kbps) 0
Client Tx Packets 1948
Client Rx Packets 112
Client Tx Bytes 224419
Client Rx Bytes 18622
Client SNR 27
A2c_SM SeqNum, Old SeqNums 150 0
(Arubamaster) [mynode] (config) #

Is traffic to the CPPM server allowed in the initial role?

show rights " Unity Guest_cppm_prof "

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.

(Arubamaster) [mynode] (config) #show rights "Unity Guest_cppm_prof"

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'Unity Guest_cppm_prof'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 2
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 39/0
Openflow: Enabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE
Captive Portal profile = Unity Guest_cppm_prof

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 Unity Guest_cppm_prof session

Unity Guest_cppm_prof
---------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 user controller6 svc-http captive Low 6
2 user controller svc-http dst-nat 8080 Low 4
3 user any svc-https captive Low 6
4 user any svc-http captive Low 6
5 any any svc-v6-icmp permit Low 6
6 any any svc-v6-dns permit Low 6
7 any any svc-v6-dhcp permit Low 6
8 user any svc-http dst-nat 8080 Low 4
9 user any svc-https dst-nat 8081 Low 4
10 any any svc-dns permit Low 4
11 any any svc-dhcp permit Low 4

Expired Policies (due to time constraints) = 0
(Arubamaster) [mynode] (config) #

The following ACLs may to be the issue. (Assuming this is the role the client falls into after receiving an IP)

3 user any svc-https captive Low 6
4 user any svc-http captive Low 6

There are no actions mapped to the ACLs (Permit / Deny), I only see a priority mapped to the ACLs.

Try

User captive svc-http permit 

User captive svc-https permit

I assume that " captive " is the netdestination that points to the CPPM server?

Show netdestination "captive"

Also if the initial role is guest-logon and that does not change after receiving an IP, check if the traffic to CPPM is allowed in it.

show rights guest-logon

Check to see if traffic to CPPM server is allowed in this role.

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.