Wireless Access

Hi, Guys,

We created a Captive Portal SSID, but the user cannot see the Portal. All Internet website is denied. If we change the AAA Initial Role from guest-logon to guest, it was able to open Internet websites.

The user can resolve DNS, ping external address, but cannot open a website and cannot ping the controller IP. From controller I can ping the device IP. 

It's a tunnel SSID. The DHCP and Gateway are an external device (PA firewall).

Follow the config:

user-role "XXX Public-guest-logon"
captive-portal "XXX Public-cp_prof"
dpi disable
web-cc disable
access-list session global-sacl
access-list session "apprf-XXX Public-guest-logon-sacl"
access-list session logon-control
access-list session captiveportal
!
aaa profile "XXX Public-aaa_prof"
initial-role "guest-logon"
!
aaa authentication captive-portal "XXX Public-cp_prof"
server-group "XXX Public_srvgrp-xve68"
protocol-http
!
wlan ssid-profile "XXX Public-ssid_prof"
essid "XXX Public"
ht-ssid-profile "XXX Public-htssid_prof"
!
wlan virtual-ap "XXX Public-vap_prof"
aaa-profile "XXX Public-aaa_prof"
ssid-profile "XXX Public-ssid_prof"
vlan 954
!

What kind of troubleshooting can we do?

Regards,

Paulo R.

aaa profile "XXX Public-aaa_prof"
initial-role "guest-logon"
!

> the initial role should be "XXX Public-guest-logon", presuming that you have created a captive portal "XXX Public-cp_prof"

Hi,

Yes. We changed just to test. But "guest-logon" and "XXX Public-guest-logon" has the same policies... 

This is not the problem, unfortunately. Have another idea?

Even if the problem is external of the Controller. Where can we look in these cases?

Does the controller have an ip address in vlan 954?

If not > create a ip address on it.

If yes and different from the controllerip > #ip cp-redirect-address <vlan954 IP>

On what type of client you are testing?

Hi @RoydeJager,

I fix it with adding IP Address in VLAN of Captive Portal users...