Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Clear Pass Redirect

  • 1.  Clear Pass Redirect

    Posted Sep 06, 2018 09:59 AM

    Hi,

     

    I am looking for additional troubleshooting steps to try and identify why clients on what appears to be a random basis are not getting redirected to an internal website after a successful captive portal authentication. The client is approved in CPPM but is not actually provided access to the network.

     

    The scenario is:

    Guest access is sponsored

    The sponsor approves access

    The CPPM shows access is approved

    The client web page refreshes and the client clicks the button to move forward

    The client should then be redirected to an internal company web page (more than 90 percent of the time this works)

     - sometimes the client will not be redirected, and the client receives "the network you are trying to use may require a logon"

    This happens from time to time on random iOS, Android, Mac OS and Windows machines.

     

    I have checked the certificates, they are in good order.

     

    Can someone provide possible next steps?



  • 2.  RE: Clear Pass Redirect

    EMPLOYEE
    Posted Sep 06, 2018 10:46 AM

    @AIRWIFI wrote:

    Hi,

     

    I am looking for additional troubleshooting steps to try and identify why clients on what appears to be a random basis are not getting redirected to an internal website after a successful captive portal authentication. The client is approved in CPPM but is not actually provided access to the network.

     

    The scenario is:

    Guest access is sponsored

    The sponsor approves access

    The CPPM shows access is approved

    The client web page refreshes and the client clicks the button to move forward

    The client should then be redirected to an internal company web page (more than 90 percent of the time this works)

     - sometimes the client will not be redirected, and the client receives "the network you are trying to use may require a logon"

    This happens from time to time on random iOS, Android, Mac OS and Windows machines.

     

    I have checked the certificates, they are in good order.

     

    Can someone provide possible next steps?


    When this problem occurs, if the user tries to access another website are they redirected back to ClearPass to authenticate?



  • 3.  RE: Clear Pass Redirect

    Posted Sep 06, 2018 11:37 AM

    Charlie,

     

    When the user attempts to navigate away to another page they are redirected to the CPPM Portal page for Authentication.



  • 4.  RE: Clear Pass Redirect

    EMPLOYEE
    Posted Sep 06, 2018 12:09 PM

    @AIRWIFI wrote:

    When the user attempts to navigate away to another page they are redirected to the CPPM Portal page for Authentication.


    Okay, that confirms the user is not moved from the pre-auth role to the authenticated role.

     

    What version of AOS is running on the controller? What version of ClearPass is running? Does ClearPass show a successful authentication to the controller via AccessTracker?



  • 5.  RE: Clear Pass Redirect

    Posted Sep 06, 2018 01:44 PM

    So I never see the client service indicating that the user has been Accepted.

     

    The CPPM is version 6.6.3.89660

    and the Controller version is 6.5.1.9



  • 6.  RE: Clear Pass Redirect

    EMPLOYEE
    Posted Sep 06, 2018 01:56 PM

    @AIRWIFI wrote:

    So I never see the client service indicating that the user has been Accepted.

     

    The CPPM is version 6.6.3.89660

    and the Controller version is 6.5.1.9


    Do you see the user being rejected?



  • 7.  RE: Clear Pass Redirect

    Posted Sep 06, 2018 02:23 PM

    No, I actually don't see a reference to the service at all.



  • 8.  RE: Clear Pass Redirect

    EMPLOYEE
    Posted Sep 06, 2018 02:35 PM

    @AIRWIFI wrote:

    No, I actually don't see a reference to the service at all.


    It sounds as though the controller is not triggered to authenticate the user.

     

    You can use the command "show aaa authentication-server radius statistics" to watch the controller's attempts to authenticate guests via RADIUS. Since there's no accept/reject in ClearPass, it would show up on the controller as a timeout if the ClearPass portal page is getting the client to trigger the authentication attempt successfully.

     

    Otherwise, you may need to turn on debugging to watch the client device's authentication attempts. It could be that they are hitting an idle timeout while waiting for the sponsor to approve access, or the device could be deciding to disconnect from the open SSID due to going to sleep, lack of Internet connectivity detected, or some other behavior. To enable the authentication debugging on the controller, enter the configuration terminal and apply the following config changes:

     

    "logging level debugging security process authmgr"

    "logging level debugging security subcat aaa"

     

    When you notice the issue occur, "show log system 50" should give more insight into what went on.



  • 9.  RE: Clear Pass Redirect

    Posted Sep 06, 2018 02:38 PM

    Thanks for the help Charlie.

     

    I will update this post when more information is gathered. 



  • 10.  RE: Clear Pass Redirect

    EMPLOYEE
    Posted Sep 06, 2018 11:31 PM
    Post auth redirection cannot be guaranteed.


  • 11.  RE: Clear Pass Redirect

    Posted Sep 14, 2018 09:39 AM

    Cappalli,

     

    Some clients, part of the time, are not correctly being authorized.

     

     



  • 12.  RE: Clear Pass Redirect

    Posted Oct 02, 2018 02:06 PM

    Currently my log states the following for the client who is not actually being authorized

     

    stm[4140]: <304003> <4140> <DBUG> |stm| read_station_statistics: ab:cd:ef:00:11:23 is not associated to 18:64:72:40:d2:b3; ignoring

     

     



  • 13.  RE: Clear Pass Redirect

    EMPLOYEE
    Posted Oct 02, 2018 07:36 PM

    @AIRWIFI wrote:

    Currently my log states the following for the client who is not actually being authorized

     

    stm[4140]: <304003> <4140> <DBUG> |stm| read_station_statistics: ab:cd:ef:00:11:23 is not associated to 18:64:72:40:d2:b3; ignoring

     

     


    That debug message indicates that the station is not associated, thus it cannot be authenticated because it is no longer connected.

     

    I recommend you open a TAC case for further debugging beyond what can be accomplished on the forum.
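
Added example, not part of the thread and not Aruba's own tooling: a Python sketch that scans exported controller log lines for the `read_station_statistics ... is not associated` debug message quoted above and reports which guests waiting on sponsor approval had already dropped off the SSID. The message pattern is taken from the one line in the thread; the list of pending guest MACs and every sample line after the first are constructed assumptions.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Matches the stm debug message (id 304003) quoted in the thread.
NOT_ASSOC = re.compile(
    rf"<304003>.*read_station_statistics: (?P<client>{MAC}) "
    rf"is not associated to (?P<bssid>{MAC})",
    re.IGNORECASE,
)

PREFIX = "stm[4140]: <304003> <4140> <DBUG> |stm| read_station_statistics: "
# First entry is the line from the thread; the others are constructed samples.
SAMPLE_LOG = [
    PREFIX + "ab:cd:ef:00:11:23 is not associated to 18:64:72:40:d2:b3; ignoring",
    PREFIX + "ab:cd:ef:00:11:23 is not associated to 18:64:72:40:d2:b3; ignoring",
    PREFIX + "ab:cd:ef:00:11:99 is not associated to 18:64:72:40:d2:b3; ignoring",
    "constructed filler line that must not match",
]


def unassociated_clients(lines):
    """Return {client MAC: {BSSID: count}} for each 'not associated' message."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = NOT_ASSOC.search(line)
        if m:
            hits[m["client"].lower()][m["bssid"].lower()] += 1
    return {client: dict(bssids) for client, bssids in hits.items()}


def pending_but_gone(hits, pending_guests):
    """Guests awaiting approval whose MAC was logged as no longer associated."""
    return sorted(mac.lower() for mac in pending_guests if mac.lower() in hits)


if __name__ == "__main__":
    hits = unassociated_clients(SAMPLE_LOG)
    # Hypothetical list of guest MACs copied from the pending sponsor requests.
    print(pending_but_gone(hits, ["AB:CD:EF:00:11:23", "00:11:22:33:44:55"]))
```

A guest MAC returned by `pending_but_gone` left the open SSID before the controller could authenticate it, which matches the idle-timeout or device-sleep explanation raised earlier in the thread.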