Hi All,
I have done some more (damage) digging into my current issue. Perhaps this will give someone more ideas as to what I'm doing wrong.
I placed a host on the same subnet 10.46.x.x and used a free IP address to test connectivity from the test laptop (172.18.46.2) connected to the guest SSID that I'm trying to configure. I updated the firewall policy to allow traffic to the new host.
!
ip access-list session amigopodnew
user host 10.46.x.c any src-nat pool dmz-interface log
user host 10.46.x.c svc-https src-nat pool dmz-interface log
user host 10.46.x.z any src-nat pool dmz-interface log
!
Started a tcpdump on the new host (10.46.x.z) and filtered traffic to only show packets from the controller (src-nat 10.46.x.y). I can see packets received from the controller:
root@sto-ubuntu01:~# tcpdump -s0 -n -vvv host 10.46.x.y
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:57:31.407772 IP (tos 0x0, ttl 127, id 18317, offset 0, flags [DF], proto TCP (6), length 52)
10.46.x.y.61836 > 10.46.x.z.443: Flags [S], cksum 0xeedc (correct), seq 3007221762, win 8192, options [mss 1386,nop,wscale 8,nop,nop,sackOK], length 0
12:57:31.407815 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
However, a session is not established with the test laptop. Same result if I try to ping the host from the laptop. I went on to check that I'm able to browse the Aruba_welcome.php on the ClearPass box from the new host.
root@sto-ubuntu01:~# wget https://10.46.x.c/Aruba_welcome.php --no-check-certificate
--2013-08-22 12:13:19-- https://10.46.x.c/Aruba_welcome.php
Connecting to 10.46.x.c:443... connected.
WARNING: cannot verify 10.46.x.c's certificate, issued by `/CN=sto-pma02/O=PolicyManager':
Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `Aruba_welcome.php'
[ <=> ] 7,305 --.-K/s in 0s
2013-08-22 12:13:20 (35.5 MB/s) - `Aruba_welcome.php' saved [7305]
I then moved on to temporarily disconnect the ClearPass box from the subnet (in ESX) and re-used its IP address on the new host to ensure traffic from the client is received. Tcpdump showed packets received from the controller. I also set up a netcat listener on port 443 for giggles, but as expected a session was not established from the test laptop.
Something is going wrong with the return traffic, so I guess I should refocus my efforts back to the controller. Is the Captive Portal configuration, faulty or not, preventing tests like this or does the above give you any ideas on what to test next?
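An added example, not part of the original post: the capture above shows the controller's SYN arriving and the host replying (the second packet, ttl 64, is the host's own SYN-ACK), which is the classic signature of a broken return path. The script below parses the two-line `tcpdump -n -vvv` format shown in the thread, pairs every client SYN with the SYN-ACK, final ACK or RST seen for the same 4-tuple, and prints a verdict per connection attempt, so a capture taken on the server side tells you at a glance whether the server never answered (SYN dropped on the way in) or answered and was never ACKed (reply lost on the way back, e.g. behind a src-nat or a firewall rule with no matching reverse session). The sample capture, addresses and ports are constructed for the example; 10.46.0.9 stands in for the controller's src-nat address and 10.46.0.5 for the test host.

```python
import re
from collections import OrderedDict

# Matches the TCP line of tcpdump's verbose output, e.g.
#   10.46.0.9.61836 > 10.46.0.5.443: Flags [S], cksum ...
TCP_LINE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

# Constructed sample capture (not real traffic). Port 443: SYN-ACK sent, never
# ACKed, client retransmits its SYN. Port 80: SYN only. Port 22: full handshake.
SAMPLE_DUMP = """\
12:57:31.407772 IP (tos 0x0, ttl 127, id 18317, offset 0, flags [DF], proto TCP (6), length 52)
    10.46.0.9.61836 > 10.46.0.5.443: Flags [S], cksum 0xeedc (correct), seq 3007221762, win 8192, options [mss 1386,nop,wscale 8,nop,nop,sackOK], length 0
12:57:31.407815 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    10.46.0.5.443 > 10.46.0.9.61836: Flags [S.], cksum 0x5a1c (correct), seq 881220115, ack 3007221763, win 28960, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:57:34.409981 IP (tos 0x0, ttl 127, id 18320, offset 0, flags [DF], proto TCP (6), length 52)
    10.46.0.9.61836 > 10.46.0.5.443: Flags [S], cksum 0xeedc (correct), seq 3007221762, win 8192, options [mss 1386,nop,wscale 8,nop,nop,sackOK], length 0
12:57:40.101200 IP (tos 0x0, ttl 127, id 18402, offset 0, flags [DF], proto TCP (6), length 52)
    10.46.0.9.61900 > 10.46.0.5.80: Flags [S], cksum 0x1a2b (correct), seq 120, win 8192, options [mss 1386], length 0
12:58:02.500001 IP (tos 0x0, ttl 127, id 18510, offset 0, flags [DF], proto TCP (6), length 52)
    10.46.0.9.61950 > 10.46.0.5.22: Flags [S], cksum 0x2b3c (correct), seq 500, win 8192, options [mss 1386], length 0
12:58:02.500040 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    10.46.0.5.22 > 10.46.0.9.61950: Flags [S.], cksum 0x3c4d (correct), seq 900, ack 501, win 28960, options [mss 1460], length 0
12:58:02.501100 IP (tos 0x0, ttl 127, id 18511, offset 0, flags [DF], proto TCP (6), length 40)
    10.46.0.9.61950 > 10.46.0.5.22: Flags [.], cksum 0x4d5e (correct), seq 501, ack 901, win 64, length 0
"""


def handshake_counts(dump_text):
    """Map (client, cport, server, sport) -> counts of syn / synack / ack / rst seen."""
    flows = OrderedDict()
    for line in dump_text.splitlines():
        m = TCP_LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = (
            m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)
        )
        forward = (src, sport, dst, dport)  # packet sent by the connecting client
        reverse = (dst, dport, src, sport)  # packet sent by the server
        if flags == "S":
            flows.setdefault(forward, {"syn": 0, "synack": 0, "ack": 0, "rst": 0})["syn"] += 1
        elif flags == "S." and reverse in flows:
            flows[reverse]["synack"] += 1
        elif "R" in flags:
            for key in (forward, reverse):
                if key in flows:
                    flows[key]["rst"] += 1
        elif "." in flags and forward in flows and flows[forward]["synack"]:
            # The client's first ACK after the SYN-ACK completes the handshake;
            # later data/ACK segments from the client also land here, which is fine.
            flows[forward]["ack"] += 1
    return flows


def verdict(counts):
    """Classify one connection attempt from the segments seen on the server side."""
    if counts["rst"]:
        return "reset"
    if counts["ack"]:
        return "established"
    if counts["synack"]:
        return "SYN-ACK sent but never ACKed: return path broken"
    return "SYN only: server never answered"


def report(dump_text):
    """One human-readable line per connection attempt, in capture order."""
    lines = []
    for (client, cport, server, sport), c in handshake_counts(dump_text).items():
        lines.append(f"{client}:{cport} -> {server}:{sport}  SYN x{c['syn']}  {verdict(c)}")
    return lines


if __name__ == "__main__":
    import sys
    # Pipe a capture in (e.g. `tcpdump -n -vvv host 10.46.x.y | python3 this.py`),
    # or run without stdin to analyse the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print("\n".join(report(text)))
```

Repeated SYNs with a SYN-ACK in between (the port 443 case) point at the controller or firewall dropping the reply; a SYN with no reply at all points at the host or the inbound rule instead. Because the parser keys on the client's 4-tuple, it also works on captures taken on the controller's own interface, where the src-nat address rather than the laptop's appears as the client.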