Please check that you are not hitting a known issue where the browser is not allowed to validate the captive-portal certificate. The symptoms are: the user receives an IP address; when you point your browser at a website you see a redirect (the browser's status bar shows it connecting to securelogin.arubanetworks.com); after about a minute the session times out.
Some background:
What happens is that the captive portal is protected with an SSL certificate; by default this is a built-in certificate in the controller for securelogin.arubanetworks.com. Since recently, this certificate has a so-called 'OCSP' reference. This OCSP reference allows the browser to validate the certificate online. Some recent browsers and operating systems no longer allow SSL connections when the certificate contains an OCSP server but that server cannot be contacted to validate the certificate. They will just terminate the connection, without a useful error message.
So what is needed is that you allow traffic to the OCSP servers of your certificate provider in the logon role. The OCSP servers can be found when you click on the certificate 'lock' in your browser and view the details.
When you use the default certificate (which is not really recommended; better to use your own domain name and certificate for the captive portal), the OCSP server from ArubaOS 6.1 is: ocsp.comodoca.com. You need to allow this traffic, even when the user is still unauthenticated by the captive portal.
There are two ways to fix this for the built-in certificate (modify IP and hostnames when you use another certificate with a different CA):
Option 1) QUICK: Permit traffic to ocsp.comodoca.com by IP address. Paste the following lines in your config:
ip access-list session logon-control
any host 91.209.196.169 svc-http permit
any host 91.209.196.169 svc-https permit
any host 91.199.212.169 svc-http permit
any host 91.199.212.169 svc-https permit
any host 178.255.83.1 svc-http permit
any host 178.255.83.1 svc-https permit
Be warned that the IP addresses are subject to change without any prior notification. This is under the control of the Comodo CA. Check the IP addresses with nslookup:
C:\Windows\System32>nslookup ocsp.comodoca.com
Non-authoritative answer:
Name: ocsp.comodoca.com
Addresses: 91.209.196.169
178.255.83.1
199.66.201.169
Option 2) PREFERRED: Use the Walled Garden feature, introduced in ArubaOS 6.1. This allows access based on the domain name:
netdestination ocsp.usertrust.com
name ocsp.usertrust.com
!
aaa authentication captive-portal default
white-list ocsp.usertrust.com
Make sure that you change 'default' in the second-to-last line to the captive-portal profile that you created. When you used the WLAN wizard to create the captive portal, the captive-portal name will be your SSID name, followed by -cp_prof. If your SSID is Guest, the generated captive-portal profile will be called: Guest-cp_prof.
Please check the certificate that you are using, because this procedure only applies directly to a Comodo-provided certificate, which is the default built-in certificate.
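To catch the address drift that Option 1 warns about, the following Python sketch (an added example, not part of the original post or of Aruba's tooling) compares the hosts permitted in the logon-control ACL with a lookup result and prints the rules that are missing. The function names are made up for illustration, and the sample data is the ACL and nslookup output quoted above.

```python
import ipaddress
import re
# Sample data: the Option 1 ACL and the nslookup output quoted in the post.
ACL = """\
ip access-list session logon-control
any host 91.209.196.169 svc-http permit
any host 91.209.196.169 svc-https permit
any host 91.199.212.169 svc-http permit
any host 91.199.212.169 svc-https permit
any host 178.255.83.1 svc-http permit
any host 178.255.83.1 svc-https permit
"""
NSLOOKUP = """\
Non-authoritative answer:
Name: ocsp.comodoca.com
Addresses: 91.209.196.169
178.255.83.1
199.66.201.169
"""

def _valid(addrs):
    """Keep only strings that parse as IPv4 addresses."""
    out = set()
    for a in addrs:
        try:
            out.add(str(ipaddress.IPv4Address(a)))
        except ValueError:
            pass  # e.g. a regex hit such as 999.1.1.1
    return out

def acl_hosts(config):
    """Destinations of 'any host <ip> svc-http(s) permit' rules."""
    return _valid(re.findall(r"^\s*any host (\S+) svc-https? permit\s*$", config, re.M))

def nslookup_addrs(output):
    """Addresses in the answer part; text before 'Name:' (resolver header) is skipped."""
    return _valid(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", output.split("Name:", 1)[-1]))

def drift(acl_ips, live_ips):
    """(missing, stale): resolved but not permitted, permitted but not resolved."""
    return sorted(live_ips - acl_ips), sorted(acl_ips - live_ips)

def acl_lines(ips):
    """Rules in the post's format for each address, HTTP and HTTPS."""
    return [f"any host {ip} {s} permit" for ip in sorted(ips) for s in ("svc-http", "svc-https")]

if __name__ == "__main__":
    missing, stale = drift(acl_hosts(ACL), nslookup_addrs(NSLOOKUP))
    print("add:", acl_lines(missing), "| confirm before removing:", stale)
```

A single lookup may return only part of a rotating address pool, so treat the stale list as a prompt to re-check rather than as entries to delete.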