I think I have nailed this down to an AAA profile or user role issue. After finding this thread:
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Roaming-Guests-Losing-DHCP-Lease/td-p/156368
User davidaVzB has the exact same issue I am facing. My captive portal SSID constantly disconnects users when they roam (sometimes even when they are idle), and they are unable to reconnect. We do have some slight differences, such as:
1. Band steering is enabled.
2. User Idle Timeout does not match DHCP lease (lease is 86400, idle timeout is 43200).
3. I have a 3400 controller, not 3600.
4. I am running 6.4.2.5 code, not 6.3.1.5.
Every other point davidaVzB makes I have seen/configured as well. Today I began investigating his solution, which was to change his logoncontrol ACL to reference "user any udp 68 deny" instead of "any any udp 68 deny". My logoncontrol ACL already states "user any udp 68 deny", so his solution does not work for me.
I then tried to adjust my AAA profile for this SSID, first by changing the following to options that work on our guest SSID that does not have issues:
1. MAC Authentication Default Role changed from "cp_guest" to "guest".
2. 802.1X Authentication Default Role changed from "cp_guest" to "guest".
This did not do anything, as I still see the captive portal and disconnect while roaming. I then tried modifying:
3. Initial role changed from "cp_guest_logon" to "authenticated".
I now bypass the captive portal page and can roam without issue. So the problem seems to be within the Initial Role defined in the AAA profile I am using. Here are the ACLs in use on the initial role:
global-sacl/,apprf-cp-guest-logon-sacl/,logon-control/,captiveportal/
---
ip access-list session global-sacl
---
ip access-list session apprf-cp-guest-logon-sacl
---
ip access-list session logon-control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
---
ip access-list session captiveportal
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
---
I finally tried creating a test ACL called "test-logon-control" which had all lines except for "user any udp 68 deny". This also caused me to disconnect while roaming. As far as I can tell, "svc-dhcp" includes udp 67-68, so I should be allowing all DHCP traffic now.
At this point I am stumped. Is there anything else I can try, or something I am missing above?
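Added example, not part of the post above or of any Aruba code: a small first-match evaluator for the session ACL grammar used in the logon-control and captiveportal listings, so the DHCP renewal a roaming client performs can be traced rule by rule. Everything about the semantics is an assumption made for the model (first match wins, an implicit deny after the last rule, the ACLs in the role evaluated in the listed order, the port ranges behind the svc-* aliases, and a made-up "controller" alias of 10.1.1.1); the packets are constructed, not captured. It also evaluates the "any any udp 68 deny" variant from the linked thread, to show which DHCP message that version blocks that the "user any" version does not.

```python
"""Toy first-match evaluator for ArubaOS-style session ACL rules (added example)."""
from dataclasses import dataclass
from typing import Callable
import ipaddress

# Assumed expansions of the service aliases in the listing: (proto, low port, high port).
SERVICES = {
    "svc-dhcp": ("udp", 67, 68),
    "svc-dns": ("udp", 53, 53),
    "svc-icmp": ("icmp", 0, 65535),
    "svc-natt": ("udp", 4500, 4500),
    "svc-http": ("tcp", 80, 80),
    "svc-https": ("tcp", 443, 443),
    "svc-http-proxy1": ("tcp", 3128, 3128),
    "svc-http-proxy2": ("tcp", 8080, 8080),
    "svc-http-proxy3": ("tcp", 8888, 8888),
}
# Assumed destination alias table; "controller" is the only alias in the listing.
ALIASES = {"controller": {"10.1.1.1"}}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    src_is_user: bool = False  # sourced by the wireless client the role applies to
    dst_is_user: bool = False  # addressed to that client


@dataclass
class Rule:
    text: str
    src: Callable[[str, bool], bool]
    dst: Callable[[str, bool], bool]
    svc: Callable[[str, int], bool]
    action: str  # "permit", "deny" or "dst-nat <port>"


def _endpoint(t, i):
    """Parse one source/destination spec at t[i]; return (matcher, next index)."""
    kind = t[i]
    if kind == "any":
        return (lambda ip, is_user: True), i + 1
    if kind == "user":
        return (lambda ip, is_user: is_user), i + 1
    if kind == "host":
        addr = t[i + 1]
        return (lambda ip, is_user: ip == addr), i + 2
    if kind == "alias":
        members = ALIASES[t[i + 1]]
        return (lambda ip, is_user: ip in members), i + 2
    if kind == "network":  # "network <addr> <mask>"
        net = ipaddress.ip_network(f"{t[i + 1]}/{t[i + 2]}", strict=False)
        return (lambda ip, is_user: ipaddress.ip_address(ip) in net), i + 3
    raise ValueError(f"unsupported endpoint {kind!r}")


def _service(t, i):
    """Parse the service spec at t[i]; return (matcher, next index)."""
    tok = t[i]
    if tok == "any":
        return (lambda proto, dport: True), i + 1
    if tok in SERVICES:
        p, lo, hi = SERVICES[tok]
        return (lambda proto, dport: proto == p and lo <= dport <= hi), i + 1
    if tok in ("udp", "tcp"):  # "udp <port>" matches on destination port
        port = int(t[i + 1])
        return (lambda proto, dport: proto == tok and dport == port), i + 2
    raise ValueError(f"unsupported service {tok!r}")


def parse_acl(text):
    """Turn rule lines into Rule objects, keeping their order."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("ip access-list"):
            continue
        t = line.split()
        src, i = _endpoint(t, 0)
        dst, i = _endpoint(t, i)
        svc, i = _service(t, i)
        rules.append(Rule(line, src, dst, svc, " ".join(t[i:])))
    return rules


def evaluate(rules, pkt):
    """First matching rule wins; no match falls to the assumed implicit deny."""
    for r in rules:
        if (r.src(pkt.src, pkt.src_is_user) and r.dst(pkt.dst, pkt.dst_is_user)
                and r.svc(pkt.proto, pkt.dport)):
            return r.action, r.text
    return "deny", "<implicit deny>"


LOGON_CONTROL = """\
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any any svc-natt permit
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
"""
CAPTIVEPORTAL = """\
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
"""
# The variant from the linked thread: udp 68 denied regardless of source.
LOGON_CONTROL_ANYANY = LOGON_CONTROL.replace("user any udp 68 deny", "any any udp 68 deny")

# Constructed packets: client 10.1.1.50 renewing its lease with DHCP server 10.1.1.1,
# a second client trying to hand out leases itself, and a plain web request.
PACKETS = {
    "dhcp-request": Packet("10.1.1.50", "10.1.1.1", "udp", 67, src_is_user=True),
    "dhcp-ack": Packet("10.1.1.1", "10.1.1.50", "udp", 68, dst_is_user=True),
    "rogue-offer": Packet("10.1.1.60", "255.255.255.255", "udp", 68, src_is_user=True),
    "http": Packet("10.1.1.50", "93.184.216.34", "tcp", 80, src_is_user=True),
}


def trace(logon_control_text, packets=PACKETS):
    """Evaluate each packet against logon-control followed by captiveportal; return {name: action}."""
    rules = parse_acl(logon_control_text) + parse_acl(CAPTIVEPORTAL)
    return {name: evaluate(rules, p)[0] for name, p in packets.items()}


if __name__ == "__main__":
    for label, acl in (("user any udp 68 deny", LOGON_CONTROL), ("any any udp 68 deny", LOGON_CONTROL_ANYANY)):
        print(label, trace(acl))
```

Under this model the posted logon-control lets the client's REQUEST (destination port 67) and the server's ACK (destination port 68, not sourced by a user) through on the svc-dhcp line, while a user trying to send DHCP offers hits the first deny; only the "any any udp 68 deny" variant blocks the server's ACK, which is why the fix from the linked thread would not change anything for an ACL that already reads "user any udp 68 deny". Web traffic falls through logon-control with no match and is redirected by the captiveportal dst-nat rule.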