I have a guest wireless network with a ClearPass captive portal, and I'm having various issues with the OWE side of things.
With "Enhanced Open" on, my understanding is it turns on Opportunistic Wireless Encryption (OWE), which advertises the RFC8110 functionality for guests to establish bidirectional encryption. The transition mode creates a hidden SSID "_owetm_SSID123456" and tells capable clients to connect to that instead.
When this first came up, I was seeing pretty obvious failures in ClearPass because the service categorization wasn't recognizing the SSID.
Initially I tried just turning off "Enhanced Open" on the network, but that actually seemed to completely break the captive portal automatically appearing for anyone now, rather than just the owe clients.
I turned Enhanced Open back on and created a new service in ClearPass to categorize the new _owetm_SSID123456 SSID. Regular users are seeing the captive portal again, but OWE clients still are not. Those OWE clients are getting the correct role, VLAN and IP address in both ClearPass and the Aruba APs. I had one manually navigate to the captive portal, which loaded; when they did the submit action they were correctly redirected to the captiveportal-login.company.com.au - but it showed a 404 failure as if ClearPass had rejected the access request (screen cap attached).
I'm at a bit of an impasse in troubleshooting; the captive portal is quite annoying in that its behaviour isn't consistent with my expectations. I have a Pre-Auth role that has an access rule of "Enforce Captive Portal", and the users are getting assigned that role - but not seeing the portal.
Any ideas?