Wireless Access

Hi guys,

 

I was just playing around with some AOS8 code (8.3.0.1) and ran into a strange behaviour. Until now I have no clue whats wrong.

Here is my test-setup:

There are two redundant vMM with two MD (7010) connected to them. 
I have a Guest SSID which is redirecting to a Clearpass Cluster. Both (Controller and CPPM) have official (trusted) certs installed. The cert on the Controller is bound in the web-server profil as the captive portal cert.
I have a Role which redirects the device to the captive portal with all necessary Policies.
So far so good (i thought) :)

I tested the guest network with an iPhone 6s, iPhone 6 and 7 (all got the same IOS version). All of them were working fine. I connected to the SSID and got the automatic redirect to the external captive portal - and i can login properly.

So I tested it with an iPhone 8 and iPhone X. With these two devices I didn't get redirected to the cp. They have the same IOS version as the other test devices. The manual redirect (browse a webpage in the browser) doesn't work either - but when I enter the URL of the CPPM captive portal, I can reach it...

 

I don't have any clue in which way I can troubleshoot this behaviour any further.

Is anyone facing the same thing?

Can you share your ACL rules under the role ?
Can you confirm that the device is getting the correct DNS server?
Can you reach clearpass using the IP instead of the dns name?
Did you enabled the apple CNA ?
Sent from Mail for Windows 10

Hey,

 

here are my answers of your questions:

 

Can you share your ACL rules under the role ?
initial user role: guest-selfreg-cppm-cp (logon-control, allow-cppm, captive portal). 

Logon-control and captive-portal are default policies. 
allow-cppm = allow http and https to CPPM IP(s)

 

Can you confirm that the device is getting the correct DNS server?

Yes, all of the dievices get the same DNS Server IP

 

Can you reach clearpass using the IP instead of the dns name?
yes, i can

Did you enabled the apple CNA?

no, not at the moment. but this afternoon for testing purposes - without any difference in the test result.

Try moving up the captiveportal ACL

Sent from Mail for Windows 10

[EDIT]

Hi just changed the order of the ACLs in the user-role but the behaviour is more or less the same. After I changed the order, the client isn't able to get to the captive-portal page because of a redirect loop.

 

I also tried to change the DNS name to an IP in the captive portal profile - without any impact.

I assume you've fixed this issue but the redirect loop happens when you have the captiveportal ACL above the ACL allowing access to your CPPM servers. The captiveportal ACL needs to be below the one allowing access to CPPM.

Hey did you happen to get this resolved? I am running into a very similar issue. 

alaskarob, what's the exact issue you're running into? What OS and what kind of topology for your controllers?

We have two vMMs and two MDs 7010s in a cluster running 8.3.0.4. The controllers are configured with a guest SSID with a captive portal redirect to Clearpass. All of our IOS/OSX devices are redirecting without any issues, however windows 10 devices are not redirecting. The windows 10 can browse to the captive portal page manually but the auto-redirect is not working. 

 

Thanks!

Can you post the config for your initial role?

Hi

 

I have the same issue. Android and iPhone get redirected but Windows and Mac OS does not. But if I enter FQDN to Captive Portal login page it shows on booth Mac and Windows.

 

Did you solve this?