Hi all,
I'm running around in circles here. Hope you guys can help.
My IAP guest setup places guest users on a separate VLAN that has no route to the internal network.
I have configured an external captive portal for the guest SSID.
I have created a role (pre-logon) that allows a source NAT to the CPPM server.
If I connect to the guest SSID, I receive a correct network-issued IP address.
If I start a web browser and point it to a random site, I am redirected to the URL configured in the external captive portal setting. The browser then times out. No traffic is received from CPPM. The redirect is set up for HTTP port 80; ClearPass should then redirect to 443.
I can however ping the CPPM server.
If I test this in a VLAN that is allowed to route to CPPM, all works fine. Somehow the IAP is not handling my traffic properly. Some config snippets below.
This is driving me nuts! Please help. Thank you!

wlan external-captive-portal Guest_portal_nl
 server nac-portal-nl.mydomain.com
 port 80
 url "/guest/taqa_guest_register_IAP_login.php"
 auth-text ""
 auto-whitelist-disable

wlan ssid-profile TQ_GUEST
 enable
 index 1
 type guest
 essid TQ_GUEST
 opmode opensystem
 max-authentication-failures 0
 vlan 25
 auth-server CPPM-NL
 set-role-pre-auth TQ_GUEST-PREAUTH
 rf-band all
 captive-portal external profile Guest_portal_nl
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
 auth-survivability cache-time-out 24

wlan access-rule TQ_GUEST
 index 4
 rule any any match any any any permit

wlan access-rule TQ_GUEST-PREAUTH
 index 5
 rule 10.220.207.9 255.255.255.255 match any any any src-nat