Update - I've made some modifications to the configuration and have realized a few things:
- Once L2 auth occurs you cannot place a user in a role that redirects to a captive portal if that role is on the same controller as where the L2 auth occurred. It never triggers. I can understand why this would be the case, but an open SSID auths as well; it's simply a default allow and works in that scenario.
- Once L2 auth occurs you cannot place a user in a role that uses a redirect to a GRE tunnel. The user never redirects.
- Once L2 auth occurs you CAN place a user in a role/vlan that redirects down the GRE tunnel (via the vlan derivation, not a redirect ACL). The user shows up on the DMZ controller under the guest initial role, but at this point the guest initial role captive portal assignment does not work.
This is where I am. I can see the user in an initial role state; however, I cannot seem to trigger the initial role to use the captive portal. I've used our production guest initial role and captive portal config for this testing (included below).
user-role SLF_TEST_Logon
    captive-portal "11111_SLF_AAA_Dev"
    access-list session global-sacl
    access-list session apprf-SLF_TEST_Logon-sacl
    access-list session captiveportal
***********never get to this role
user-role SLF_TEST_Authenticated_Guest
    access-list session global-sacl
    access-list session apprf-SLF_TEST_Authenticated_Guest-sacl
***********
aaa profile "default"
    initial-role "SLF_TEST_Logon"
    radius-accounting "SLF_Guest_DEV_Clearpass"
    radius-interim-accounting
    rfc-3576-server "x.x.x.x"
    enforce-dhcp
!
aaa authentication captive-portal "11111_SLF_AAA_Dev"
    default-role "SLF_TEST_Authenticated_Guest"
    server-group "SLF_Guest_DEV_Clearpass"
    redirect-pause 3
    guest-logon
    no logout-popup-window
    protocol-http
    show-fqdn
    login-page "http://x.x.x.x/weblogin.php/4"
    no enable-welcome-page
!
aaa authentication captive-portal "default"
!
At the end of the day, I need the initial user role on the DMZ controller to trigger the captive portal initiation. Any suggestions would be very helpful.
Updated diagram included, thanks in advance.