Occasional Contributor I

IAP GUEST, Captive portal (masqueraded)

Hi all,


I'm running around in circles here. Hope you guys can help.


- My IAP guest setup places guest users on a seperate VLAN that has no route to the internal network.


I have configured an external captive portal for the guest ssid.

I have created a role (pre-logon) that allows a sourcenat to the CPPM server.


If I connect to the guest ssid, I receive a correct network-issued IP address.

If I start a web browser and point it to a random site, I am redirected to the URL configured in the external caprive portal setting. The browser then times-out. No traffic is received from CPPM. The redirect is setup for http port 80, clearpass then should redirect to 443.

I can however ping the CPPM server.


If I test this in a vlan that is allowed to route to CPPM, all works fine. Somehow the IAP is not handling my traffic properly. Some config snippets below.


This is driving me nuts! Please help. Thank you!


wlan external-captive-portal Guest_portal_nl
port 80
url "/guest/taqa_guest_register_IAP_login.php"
auth-text ""


wlan ssid-profile TQ_GUEST
index 1
type guest
essid TQ_GUEST
opmode opensystem
max-authentication-failures 0
vlan 25
auth-server CPPM-NL
set-role-pre-auth TQ_GUEST-PREAUTH
rf-band all
captive-portal external profile Guest_portal_nl
dtim-period 1
inactivity-timeout 1000
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64


auth-survivability cache-time-out 24



wlan access-rule TQ_GUEST
index 4
rule any any match any any any permit



wlan access-rule TQ_GUEST-PREAUTH
index 5
rule match any any any src-nat









Trusted Contributor I

Re: IAP GUEST, Captive portal (masqueraded)

does the CPPM have a route back to your client subnet?

Contributor I

Re: IAP GUEST, Captive portal (masqueraded)

I have this issue and I think it is a bug in IE or how the CP redirect is done on IAP, if you use HTTPS with port 443 under your CP profile of your IAP you will see it will work.

I have noticed this behaviour only with the latest IE. You will not see this issue with Firefox or with Chrome when port 80 is configured in IAP.

Re: IAP GUEST, Captive portal (masqueraded)

Thanks for the note. Please open a TAC case so we can track the issue.
Thank You,

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor I

Re: IAP GUEST, Captive portal (masqueraded)



I have a macbook. tried it with Safari/Chrome 7 firefox. 


CPPM has no toute to the guest network, hence the src-nat rule.


I fiddled around with 443 & 80, that did not seem to help. i'll try again tomorrow when I'm on site.






MVP Expert

Re: IAP GUEST, Captive portal (masqueraded)

2015-01-05 09_54_16-Instant.png


2015-01-05 09_50_29-Instant.png

Thank you

Victor Fabian
Lead Mobility Architect @WEI
Trusted Contributor I

Re: IAP GUEST, Captive portal (masqueraded) wrote:

CPPM has no toute to the guest network, hence the src-nat rule.

sure, but it does have one to the the IP the traffic is NATed to?

Occasional Contributor I

Re: IAP GUEST, Captive portal (masqueraded)

Hi All,


CPPM does have a route to the AP's management address (& the VC address).


We performed some wireshark traces (at both ends of the AP) and the AP does not seem to NAT the traffic. the source address is still the guest's machine and not the AP despite the srv-nat rule.


- If I let the AP assign IP addresses, it works like a charm. I wiresharked the DHCP offer packet. Nothing strange found.




- I addedd the CPPM hostname to the walled garden.

- I changed the src-nat rule to base itself on a domain (FQDN in this case) opposed to an ip address.


It now seems to work.


I will backtrack tomorrow, to see which change actually solved this and report back.





Search Airheads
Showing results for 
Search instead for 
Did you mean: