Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Issues with OWE transition mode and guest captive portal

  • 1.  Issues with OWE transition mode and guest captive portal

    Posted Dec 01, 2019 07:54 PM

    I have a guest wireless network with a ClearPass captive portal, and I'm having various issues with the OWE side of things.


    With "Enhanced Open" on, my understanding is it turns on Opportunistic Wireless Encryption (OWE), which advertises the RFC8110 functionality for guests to establish bidirectional encryption. The transition mode creates a hidden SSID "_owetm_SSID123456" and tells capable clients to connect to that instead.


    When this first came up, I was seeing pretty obvious failures in ClearPass because the service categorization wasn't recognizing the SSID.

    Initially I tried just turning off "Enhanced Open" on the network, but that actually seemed to completely break the captive portal automatically appearing for anyone, rather than just the OWE clients.

    I turned Enhanced Open back on and created a new service in ClearPass to categorize the new _owetm_SSID123456 SSID. Regular users are seeing the captive portal again, but OWE clients still are not. Those OWE clients are getting the correct role, VLAN and IP address in both ClearPass and the Aruba APs. I had one manually navigate to the captive portal, which loaded; when they did the submit action they were correctly redirected to captiveportal-login.company.com.au, but it showed a 404 failure as if ClearPass had rejected the access request (screen cap attached).


    I'm at a bit of an impasse in troubleshooting; the captive portal is quite annoying in that its behaviour isn't consistent with my expectations. I have a Pre-Auth role that has an access rule of "Enforce Captive Portal", and the users are getting assigned that role, but not seeing the portal.


    Any ideas?



  • 2.  RE: Issues with OWE transition mode and guest captive portal

    EMPLOYEE
    Posted Dec 01, 2019 08:20 PM

    There is no difference from CPPM's perspective between the TM BSS and the OWE BSS outside of the VSA value being different. There is no need for a separate service. Either remove the SSID rule from the service, or add the TM SSID using belongs to or regex.
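    To make the point in this reply concrete, here is a small model of how a service categorization rule sees the two BSSs. This is an added illustration, not ClearPass code: it assumes the SSID arrives in the Aruba-Essid-Name VSA and uses operator names modelled on the ClearPass UI (EQUALS, BELONGS_TO, MATCHES_REGEX). The two sample requests are constructed.

```python
"""Model of a service categorization rule matching a RADIUS request.
Added illustration, not ClearPass code. A service matches when every one of
its rules matches; only the SSID rule differs between the three variants.
"""
import re
from dataclasses import dataclass, field

SSID = "SSID123456"
OWE_TM_SSID = "_owetm_" + SSID  # hidden transition-mode BSS created by the AP


@dataclass
class Rule:
    attribute: str
    operator: str   # EQUALS | BELONGS_TO | MATCHES_REGEX (names mirror the UI)
    value: object

    def matches(self, request: dict) -> bool:
        actual = request.get(self.attribute)
        if actual is None:
            return False
        if self.operator == "EQUALS":
            return actual == self.value
        if self.operator == "BELONGS_TO":
            return actual in self.value
        if self.operator == "MATCHES_REGEX":
            return re.fullmatch(self.value, actual) is not None
        raise ValueError(f"unknown operator {self.operator}")


@dataclass
class Service:
    name: str
    rules: list = field(default_factory=list)

    def matches(self, request: dict) -> bool:
        return all(rule.matches(request) for rule in self.rules)


def categorize(services: list, request: dict):
    """Return the name of the first matching service, or None (no service
    matched, which in practice means the request is not handled)."""
    for service in services:
        if service.matches(request):
            return service.name
    return None


# Constructed sample requests: a legacy client on the open BSS and an
# OWE-capable client steered to the transition-mode BSS. Everything but the
# SSID value (VSA name assumed) is identical, as the reply above says.
LEGACY_REQ = {"Aruba-Essid-Name": SSID, "NAS-Port-Type": "Wireless-802.11"}
OWE_REQ = {"Aruba-Essid-Name": OWE_TM_SSID, "NAS-Port-Type": "Wireless-802.11"}

COMMON = Rule("NAS-Port-Type", "EQUALS", "Wireless-802.11")

# Variant 1: the original single-SSID rule; the TM BSS never matches.
SERVICES_EQUALS = [Service("Guest", [COMMON, Rule("Aruba-Essid-Name", "EQUALS", SSID)])]

# Variant 2: BELONGS_TO with both names, as suggested above.
SERVICES_BELONGS = [Service("Guest", [COMMON, Rule("Aruba-Essid-Name", "BELONGS_TO", {SSID, OWE_TM_SSID})])]

# Variant 3: one regex that accepts the SSID with or without the _owetm_ prefix.
SERVICES_REGEX = [Service("Guest", [COMMON, Rule("Aruba-Essid-Name", "MATCHES_REGEX", r"(_owetm_)?" + re.escape(SSID))])]


def summary() -> dict:
    """Which service each sample request lands in under each rule variant."""
    return {
        "equals": (categorize(SERVICES_EQUALS, LEGACY_REQ), categorize(SERVICES_EQUALS, OWE_REQ)),
        "belongs_to": (categorize(SERVICES_BELONGS, LEGACY_REQ), categorize(SERVICES_BELONGS, OWE_REQ)),
        "regex": (categorize(SERVICES_REGEX, LEGACY_REQ), categorize(SERVICES_REGEX, OWE_REQ)),
    }


if __name__ == "__main__":
    for variant, (legacy, owe) in summary().items():
        print(f"{variant:10s} legacy -> {legacy}, OWE TM -> {owe}")
```

    The regex variant is the one that keeps working if the base SSID is ever renamed, since the `_owetm_` prefix is derived from it; the BELONGS_TO variant needs both names updated together.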



  • 3.  RE: Issues with OWE transition mode and guest captive portal

    Posted Dec 01, 2019 10:12 PM

    I've modified the service to use the "BELONGS_TO" operator and added the second SSID, but I still have the same issues:

    An OWE client is not automatically redirected to the captive portal.

    And:

    Even if the OWE client manually navigates to the captive portal URL and submits the form, they get a 404 when their device submits the "https://captiveportal-login.company.com.au/cgi-bin/login" URL.


    Anything else I'm missing?



  • 4.  RE: Issues with OWE transition mode and guest captive portal

    EMPLOYEE
    Posted Dec 02, 2019 02:32 AM

    Based on your observation (client not redirected and no proper response for the login URL), it looks like the captive portal role is not properly applied. Can you check, in the cases of a legacy client and an OWE client, what the actual role is that is applied for the client (show clients, assuming you are on Instant)? Do you return the Pre-Auth role based on a MAC authentication (for bypass/MAC caching scenario)? Or do you rely on a 'reject' or no MAC authentication?


    In parallel, can you please open an Aruba support case as well so they can verify what may be going wrong here?



  • 5.  RE: Issues with OWE transition mode and guest captive portal

    Posted Dec 11, 2019 09:44 PM

    ClearPass is configured to return a Preauth role if MAC auth fails, which it does (cp1.png). I can see that the troublesome clients end up correctly on that role, which contains the "Enforce captive portal" option (cp2.png). The client certainly is on the correct VLAN with the correct IP, because they can manually navigate to my captive portal URL; the issue is that it doesn't automatically appear. That said, it's very inconsistent and only happens on some devices, specifically OnePlus.

    I spotted bug AOS-193901 and wonder if it's related. I'll raise a ticket with Aruba.



  • 6.  RE: Issues with OWE transition mode and guest captive portal

    Posted Dec 17, 2019 11:38 AM

    Greetings! I'm having this same exact issue, and was wondering if TAC was able to correct the issue and what the resolution might have been.



  • 7.  RE: Issues with OWE transition mode and guest captive portal

    Posted Dec 17, 2019 04:40 PM

    I've not yet raised a ticket with Aruba support regarding this. I have another bug that's being investigated for which I suspect the resolution will be to upgrade to 8.6.0.0, and then I'll re-test.

    The nature of the guest portal for me is effectively staff BYOD: they send themselves a sponsor email to approve their own device. There aren't many experiencing this issue, and I've been able to work around it by manually modifying their endpoint attributes to pass MAC auth so they never have to see the guest portal.
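    The enforcement flow discussed in replies 4, 5 and 7 (MAC auth fails, so the Pre-Auth role with "Enforce captive portal" is returned; a known endpoint instead gets the post-auth role, which is what the endpoint-attribute workaround relies on) can be modelled as a small decision function. This is an added example, not ClearPass code: the endpoint repository, the `mac_auth_allowed` attribute name and the role names are constructed for illustration.

```python
"""Toy model of MAC-auth-based role assignment with a captive-portal
Pre-Auth fallback. Added illustration, not ClearPass code; attribute and
role names are constructed.
"""
from dataclasses import dataclass

PREAUTH_ROLE = "Pre-Auth"   # role whose access rule enforces the captive portal
GUEST_ROLE = "Guest"        # post-auth role, no portal


@dataclass(frozen=True)
class Decision:
    role: str
    enforce_captive_portal: bool


def mac_auth(mac: str, endpoints: dict) -> Decision:
    """Return the role for a client whose MAC is being authenticated.

    A MAC is considered authenticated when it is in the repository with the
    constructed attribute mac_auth_allowed=True. Anything else falls through
    to the Pre-Auth role, exactly like the "return a role on MAC auth
    failure" configuration in the thread.
    """
    attrs = endpoints.get(mac.lower(), {})
    if attrs.get("mac_auth_allowed") is True:
        return Decision(GUEST_ROLE, enforce_captive_portal=False)
    return Decision(PREAUTH_ROLE, enforce_captive_portal=True)


def approve_endpoint(endpoints: dict, mac: str) -> None:
    """The workaround from the last reply: mark the endpoint so MAC auth
    passes and the client never has to see the portal."""
    endpoints.setdefault(mac.lower(), {})["mac_auth_allowed"] = True


def expected_vs_observed(decision: Decision, portal_appeared: bool) -> str:
    """Triage helper for the symptom in the thread: the role is correct but
    the portal does not pop up. Returns a one-word classification."""
    if decision.enforce_captive_portal and not portal_appeared:
        return "client-side-or-ap"   # role is right; look beyond ClearPass
    if decision.enforce_captive_portal and portal_appeared:
        return "ok"
    return "bypassed"                # known endpoint, portal correctly skipped


# Constructed endpoint repository: one previously approved device.
ENDPOINTS = {"aa:bb:cc:00:00:01": {"mac_auth_allowed": True}}


if __name__ == "__main__":
    unknown = "AA:BB:CC:00:00:02"
    print(mac_auth(unknown, ENDPOINTS))              # Pre-Auth, portal enforced
    print(expected_vs_observed(mac_auth(unknown, ENDPOINTS), portal_appeared=False))
    approve_endpoint(ENDPOINTS, unknown)             # apply the workaround
    print(mac_auth(unknown, ENDPOINTS))              # Guest, portal skipped
```

    The `expected_vs_observed` classification is the useful bit for this thread: when the returned role already carries the portal enforcement and the portal still does not appear, the remaining suspects are on the client or the AP side rather than in the policy result, which is why the reply above asks for `show clients` output on the AP.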