Wired Intelligent Edge

Hi Guys,

We have setup captive portal on thursday and was working over the weekend.

i am not sure what has changed but now captive portal wont even launch when you connect to the SSID.

only time captive portal works is if manually type in the webaddress of the portal. 

i get the auto generate userid and password but i still cant access the internet. 

Any suggestion would be greatly appreciated.

Please start here:  http://www.arubanetworks.com/techdocs/Troubleshooting/ArubaOS/Captive_Portal/Web_Help_Index.htm

thanks Collins,

i will go through those steps.

so it turns out guest redirect is working.

for some reason old devices which are associated are caching the guest account i created to that device which is causing the issue.

i have cleared the mac and AD cache but its still associating expire user accounts to that machine.

is there anyway i can clean this up?

i have already cleaned up the cache and web history on my test machine.

is this going to be a re-occuring thing?

So it is caching those credentials in the browser?  You need to look at those browser settings..

no its caching the creds in clear pass.

so when i check the logs its caching creds associated for that machines mac address.

You didn't say you had clearpass...

oops sorry.

does that change anything?

If ClearPass is caching the credentials, you won't be redirected to Captive Portal until cache time expires (that is the purpose of caching credetials :)).

One of the things you can do to delete endpoint cache is to go to Configuration -> Endpoints & delete the endpoint you want to remove chace for or wait till cache period expires (can be few hours or days depending how how you've set it up)

i have done that.

i have deleted the endpoint which makes it work.

i have set the expiration period 24 hours.

i created a test account on friday and by monday the account has expired but the machine still had that association with that expired account due to which authentication page didnt rock up.

Any suggesstion on how to change that?

If you go to Configuration -> Endpoints -> Attributes, what is the value of endpoint that has associated expired account (depending upon CPPM version, either it will in EPOTCH or standard time value)? Your Guest account and cache value can have different values.

Also, if you connect with an expired account, what does access tracker on ClearPass shows. How it is evaluating the request.

---

@Jibran.Azizwrote:

If you go to Configuration -> Endpoints -> Attributes, what is the value of endpoint that has associated expired account (depending upon CPPM version, either it will in EPOTCH or standard time value)? Your Guest account and cache value can have different values.

 

Also, if you connect with an expired account, what does access tracker on ClearPass shows. How it is evaluating the request.

---

i have attached the screenshot of the endpoint i am using to connect to guest value.

not entirely sure what you mean by above sorry.

when i connect with expired account: Failed to get value for attributes=[AccountEnabled, AccountExpired]

Not sure which timezone you are in but from attached screenshot, your MAC cache still has 6 hours to expire for my timezone AEST.

By default, MAC caching will not look for your Guest account status. It will see if MAC caching is still valid and user (mac address) authenticates successfully, it will allow you access to the network.

---

@Jibran.Azizwrote:

Not sure which timezone you are in but from attached screenshot, your MAC cache still has 6 hours to expire for my timezone AEST.

 

By default, MAC caching will not look for your Guest account status. It will see if MAC caching is still valid and user (mac address) authenticates successfully, it will allow you access to the network.

---

Same timezone as you.

How can i verify how long a MAC address of the machine is valid.

Check attribute # 4. Mac-auth-expiry.

Did you delete it from the controller's user table after disconnecting the device?

---

@cjosephwrote:

Did you delete it from the controller's user table after disconnecting the device?

 

---

the account by default expires after 24 hours so i dont delete it. once we go live with it i would assume leaving the account would not cause any issue.

but to try and rectify this issue yes i did delete the account as well as the endpoint(my test machine) from clearpass db.

hope this answers your question

Again, depending upon your config, your inactive clients' session can stay on controller forever. If a client has a sesson on controller and he tries to connect, Controller wont authenticate him again and will be allowed access to the network.