ClearPass Guest Redirect Loop Issue

  • 1.  ClearPass Guest Redirect Loop Issue

    MVP
    Posted Mar 26, 2015 06:44 PM

    Hi AirHeads,

    I need some help with a captive portal redirect loop issue. Here is our setup:

    7210 controller and ClearPass

    - Preauth role configured with the following ACLs (attached image: pre-authacl.png)

    - Captive portal profile configured with https://wifi.customer.com/guest/register.php

    - Guest registration page (link above) is configured and reachable when on the LAN

    - Guest WiFi is getting DHCP from the controller and using public DNS servers. The public DNS has a record for "wifi.customer.com" that points to the private FQDN of the ClearPass server.

    - The firewall is the gateway for the users

    We connect to Guest WiFi and get an IP address. We open a browser and get redirected to the page, but get an error: Too many redirects.

    Not sure where the redirects are happening; I need some insight here. It's a bit of a complicated setup (customer's requirements), but it is causing some problems on my end.




  • 2.  RE: ClearPass Guest Redirect Loop Issue

    EMPLOYEE
    Posted Mar 26, 2015 06:45 PM
    Move the allow to the top of the list


    Thanks,
    Tim


  • 3.  RE: ClearPass Guest Redirect Loop Issue

    MVP
    Posted Mar 26, 2015 06:53 PM

    I moved it to the top and now I get timeouts for the HTTP_GET. It doesn't say redirect loop; it just doesn't load now.



  • 4.  RE: ClearPass Guest Redirect Loop Issue

    MVP
    Posted Mar 26, 2015 06:54 PM

    While on the LAN with the internal DNS servers, I can resolve the page no problem. When I use the public DNS servers, even though the address is technically public, it times out or says redirect loop.



  • 5.  RE: ClearPass Guest Redirect Loop Issue

    EMPLOYEE
    Posted Mar 26, 2015 06:56 PM

    And the ClearPass server is routable from the guest network?

    Can you ping it from a guest client?



  • 6.  RE: ClearPass Guest Redirect Loop Issue

    MVP
    Posted Mar 26, 2015 07:00 PM

    Yeah, I can ping the Guest VLAN interface on the controller and I can ping the ClearPass IP. I tested the DNS server by statically assigning it while on the LAN and I can resolve the address. Something between the redirect and the public DNS resolution gets funny, but I'm not sure what/where.

    Could it be a problem having all the info appended at the end of the URL?



  • 7.  RE: ClearPass Guest Redirect Loop Issue

    EMPLOYEE
    Posted Mar 26, 2015 07:06 PM

    Is your allow https to ClearPass ACL referencing a DNS name or IP address?



  • 8.  RE: ClearPass Guest Redirect Loop Issue

    MVP
    Posted Mar 26, 2015 07:07 PM

    It is the IP address of the ClearPass publisher and subscriber.



  • 9.  RE: ClearPass Guest Redirect Loop Issue

    EMPLOYEE
    Posted Mar 26, 2015 07:12 PM

    Just for the sake of troubleshooting, can you change the client to internal DNS and see if you are redirected?



  • 10.  RE: ClearPass Guest Redirect Loop Issue

    MVP
    Posted Mar 26, 2015 07:18 PM

    Configured internal DNS for the Guest device; cannot get to the splash page. Added an Allowall ACL to the pre-auth role; cannot get to the splash page OR to any external websites.

    I'm leaning toward a routing issue now. The customer just built a new VLAN for the Guest network and routing may not be working from the Guest VLAN or from the firewall.



  • 11.  RE: ClearPass Guest Redirect Loop Issue

    EMPLOYEE
    Posted Mar 26, 2015 07:19 PM
    Sounds like it, yeah. Maybe a NAT issue?


  • 12.  RE: ClearPass Guest Redirect Loop Issue

    MVP
    Posted Mar 26, 2015 07:20 PM

    I'm going to have customer look into the firewall config/routing config for the new VLAN. I unfortunately don't have access. I will review with customer and will post any findings/resolutions here.



  • 13.  RE: ClearPass Guest Redirect Loop Issue
    Best Answer

    MVP
    Posted Mar 30, 2015 10:48 AM

    The issue appears to be routing on the local network. The path the traffic took was not the same path it used to come back. We found that we saw the SYN, but no SYN ACK. We were able to configure symmetric routing and traffic started to flow no problem.

    We are going to continue to test, but I think the routing has been resolved.

    Thanks for the help.



  • 14.  RE: ClearPass Guest Redirect Loop Issue

    Posted Mar 31, 2015 05:43 AM

    A redirect loop normally occurs when you are not using a Microsoft valid signed certificate but an internal certificate. Also, never use the pre-installed box template, as this too can cause a redirect loop.



  • 15.  RE: ClearPass Guest Redirect Loop Issue

    Posted Jun 22, 2017 01:51 PM

    Has this already been resolved?

    I got the same error also.



  • 16.  RE: ClearPass Guest Redirect Loop Issue

    MVP
    Posted Jun 22, 2017 01:56 PM

    Yes, this issue was resolved at this client's site. The issue was asymmetric routing: the traffic coming into ClearPass took a different route out, so we would notice SYN packets, but no SYN ACK packets from the same IP.

    Do you have the MGMT and DATA ports configured on ClearPass? If both are configured, by default all traffic will use the Data port, except traffic sourced from the same subnet as the Management port. So if you're sending traffic to the Management address from another subnet, it may respond from the Data port.


    You can verify the routing table in the ClearPass CLI, I think the command is: network ip list
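The "SYN but no SYN ACK" symptom described in this reply can be checked mechanically on a client-side packet capture instead of by eye. The following is an added example, not code from the thread or from HPE Aruba: it parses tcpdump-style lines, pairs each SYN with the SYN-ACK of the same handshake, and reports flows whose SYN was retransmitted without ever being answered. The capture text, the addresses (10.20.30.40 as the guest client, 192.0.2.10 standing in for ClearPass, 203.0.113.5 as an arbitrary internet host) and the function names are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style capture (not a real trace from the thread).
# 10.20.30.40 plays the guest client, 192.0.2.10 stands in for the ClearPass
# address and 203.0.113.5 is an arbitrary internet host. All are placeholders.
SAMPLE_CAPTURE = """\
10:48:01.000001 IP 10.20.30.40.51234 > 192.0.2.10.443: Flags [S], seq 1000, win 65535, length 0
10:48:02.000002 IP 10.20.30.40.51234 > 192.0.2.10.443: Flags [S], seq 1000, win 65535, length 0
10:48:04.000003 IP 10.20.30.40.51234 > 192.0.2.10.443: Flags [S], seq 1000, win 65535, length 0
10:48:01.500000 IP 10.20.30.40.51240 > 203.0.113.5.80: Flags [S], seq 2000, win 65535, length 0
10:48:01.520000 IP 203.0.113.5.80 > 10.20.30.40.51240: Flags [S.], seq 9000, ack 2001, win 65535, length 0
10:48:01.521000 IP 10.20.30.40.51240 > 203.0.113.5.80: Flags [.], ack 1, win 65535, length 0
"""

# Matches the address/port/flag portion of a tcpdump IPv4 TCP line.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_handshakes(capture_text):
    """Return {(client, cport, server, sport): {"syn": n, "synack": n}}.

    A pure SYN ("S") opens a flow keyed in the client->server direction; a
    SYN-ACK ("S.") is credited to the reverse key so both halves of one
    handshake land in the same record. Other segments are ignored.
    """
    flows = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "S" not in m["flags"]:
            continue
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        if "." in m["flags"]:            # SYN-ACK: responder -> initiator
            key = (dst, dport, src, sport)
            field = "synack"
        else:                            # SYN: initiator -> responder
            key = (src, sport, dst, dport)
            field = "syn"
        flows.setdefault(key, {"syn": 0, "synack": 0})[field] += 1
    return flows


def unanswered_handshakes(flows, min_syns=2):
    """Flows that sent SYN at least min_syns times and never saw a SYN-ACK.

    One lone SYN at the tail of a capture is inconclusive; repeated SYNs with
    no reply are the black-hole / asymmetric-routing signature.
    """
    return sorted(k for k, f in flows.items()
                  if f["synack"] == 0 and f["syn"] >= min_syns)


def per_server_summary(flows):
    """Count completed vs. unanswered handshakes per (server, port)."""
    summary = defaultdict(lambda: {"completed": 0, "unanswered": 0})
    for (_, _, server, port), f in flows.items():
        bucket = "completed" if f["synack"] > 0 else "unanswered"
        summary[(server, port)][bucket] += 1
    return dict(summary)


if __name__ == "__main__":
    flows = parse_handshakes(SAMPLE_CAPTURE)
    for client, cport, server, port in unanswered_handshakes(flows):
        syns = flows[(client, cport, server, port)]["syn"]
        print(f"no SYN-ACK: {client}:{cport} -> {server}:{port} ({syns} SYNs)")
    for (server, port), counts in sorted(per_server_summary(flows).items()):
        print(f"{server}:{port}  completed={counts['completed']}  "
              f"unanswered={counts['unanswered']}")
```

Fed a real capture (`tcpdump -nn tcp` on the guest client or on the firewall's guest-facing interface), the per-server summary is the useful part: if every handshake toward the ClearPass address is unanswered while handshakes to other hosts complete, the fault is on the path to or back from ClearPass (routing, the Data/Management port choice described above, or a firewall dropping the return leg), not in the portal or certificate configuration. A second capture on ClearPass itself that shows the SYNs arriving and the SYN-ACKs leaving on a different interface confirms the asymmetric case.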

     



  • 17.  RE: ClearPass Guest Redirect Loop Issue

    MVP
    Posted Jun 22, 2017 01:59 PM

    Another thing to check is your basic configuration on the controller:

    1. Make sure you have an IP interface for the VLAN trying to get redirected to the captive portal.

    2. Make sure you have an ACL allowing captive portal and ClearPass:
       - logon-control
       - captive-portal
       - allow-clearpass (allow ClearPass via HTTP/HTTPS)


    3. Make sure your local network has a route to ClearPass and ClearPass has a symmetric route back.
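The ACL ordering advice earlier in the thread ("move the allow to the top of the list") and the three-ACL checklist in the reply above can be illustrated with a small first-match simulator. This is an added example, not configuration or code from the thread or from HPE Aruba: it models a pre-auth role as an ordered list of rules, walks a guest browser from its first HTTP request through the captive-portal redirect, and shows that the same three ACLs produce a redirect loop when the ClearPass allow sits below the captive-portal rule and a working portal when it sits above it. The rule contents, the placeholder addresses (192.0.2.10 and 192.0.2.11 for the ClearPass publisher and subscriber, 203.0.113.5 for the first site visited) and all function names are assumptions; real ArubaOS session ACLs and the controller's dst-NAT redirect are not reproduced.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Placeholder addresses (TEST-NET ranges), not values from the thread.
PORTAL_IP = ip_address("192.0.2.10")                 # ClearPass publisher
CLEARPASS_NETS = (ip_network("192.0.2.10/32"),        # publisher
                  ip_network("192.0.2.11/32"))        # subscriber


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit", "deny" or "redirect" (captive-portal redirect)
    proto: str             # "tcp", "udp" or "any"
    ports: frozenset       # destination ports; empty means any port
    dst: tuple = ()        # destination networks; empty means any destination


def rule_matches(rule, proto, dst, dport):
    if rule.proto not in ("any", proto):
        return False
    if rule.dst and not any(dst in net for net in rule.dst):
        return False
    return not rule.ports or dport in rule.ports


def evaluate(role, proto, dst, dport):
    """First-match evaluation of an ordered role; unmatched traffic is denied."""
    for rule in role:
        if rule_matches(rule, proto, dst, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Simplified stand-ins for the three ACLs named in the checklist above.
LOGON_CONTROL = Rule("logon-control", "permit", "udp", frozenset({53, 67, 68}))
CAPTIVE_PORTAL = Rule("captive-portal", "redirect", "tcp", frozenset({80, 443}))
ALLOW_CLEARPASS = Rule("allow-clearpass", "permit", "tcp", frozenset({80, 443}),
                       CLEARPASS_NETS)

# Same three ACLs; only the order differs. The allow below the redirect...
BROKEN_ROLE = [LOGON_CONTROL, CAPTIVE_PORTAL, ALLOW_CLEARPASS]
# ...and the allow moved above it, as suggested earlier in the thread.
FIXED_ROLE = [LOGON_CONTROL, ALLOW_CLEARPASS, CAPTIVE_PORTAL]


def simulate_portal_visit(role, portal_ip, first_dst="203.0.113.5", max_hops=5):
    """Follow a guest browser from its first HTTP request through portal redirects.

    Returns (outcome, hops, deciding_rule). A redirect received while the
    browser is already trying to reach the portal itself is a redirect loop.
    """
    dst, dport = ip_address(first_dst), 80
    name = None
    for hop in range(1, max_hops + 1):
        action, name = evaluate(role, "tcp", dst, dport)
        if action == "redirect":
            if dst == portal_ip:
                return "redirect-loop", hop, name
            dst, dport = portal_ip, 443       # browser follows the redirect to the portal
            continue
        if action == "permit":
            outcome = "portal-reached" if dst == portal_ip else "passed-through"
            return outcome, hop, name
        return "denied", hop, name
    return "redirect-loop", max_hops, name


if __name__ == "__main__":
    for label, role in (("broken", BROKEN_ROLE), ("fixed", FIXED_ROLE)):
        print(label, simulate_portal_visit(role, PORTAL_IP))
```

The simulation reproduces only the ordering fault; it says nothing about the case later in the thread where the allow was already on top and the HTTP GET timed out, which is the routing symptom the capture-side check covers. When checking a real role, list its ACLs in order and confirm that every rule permitting the portal host (and the ClearPass publisher and subscriber addresses) precedes the captive-portal rule.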