Hello experts
Problem: The Static Captive Portal redirection is not happening when my user role is assigned. Even browsing to an http site on the phone does not cause a redirect.
Smart phone connected to AP and got IP address. AAA MAC auth was done to Cisco ISE AAA server. Cisco ISE server returned the role 'guest-ISE-portal'. The next step would be that the Aruba controller redirects the client to the captive portal that is assigned to the role, not so?
I am quite new to this and I cannot find the relationship between role and captive portal profile, because as you can see in my config, there is a circular relationship (they refer to each other - I have probably done something crazy) - please help.
Below are the client details - I can see that my expected role is assigned
(Aruba7210) # show user-table ip 10.172.9.1 detail
Name: 84-55-A5-FC-5B-2C, IP: 10.172.9.1, MAC: 84:55:a5:fc:5b:2c, Age: 00:00:20
Role: guest-ISE-portal (how: ROLE_DERIVATION_MBA_VSA), ACL: 73/0
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ISE-VIP-NextDC
Authentication Servers: dot1x authserver: , mac authserver: ISE-VIP-NextDC
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_MBA_VSA
VLAN Derivation: MBA Aruba VSA
Idle timeout (global): 300 seconds, Age: 00:00:00
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=1, vpnflags=0, u_stm_ageout=1
Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
IP User termcause: 0
phy_type: a-VHT-80, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 18, Assigned: 18, Current: 18 vlan-how: 11 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
SlotPort=0x2100, Port=0x1000a (tunnel 10)
Essid: Blizzard, Bssid: 44:48:c1:c9:ce:70 AP name/group: AP1/default Phy-type: a-VHT-80 Forward Mode: tunnel
RadAcct sessionID:84-55-A58455A5FC5B2C-5A1B5638-AB528
RadAcct Traffic In 2643/234815 Out 591/124305 (0:2643/0:0:3:38207,0:591/0:0:1:58769)
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Profiles AAA:Blizzard-aaa_prof, dot1x:, mac:MAB-Auth CP:n/a def-role:'guest-ISE-portal' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
IP Born: 1511740983 (Mon Nov 27 10:03:03 2017)
Core User Born: 1511740982 (Mon Nov 27 10:03:02 2017)
Upstream AP ID: 0, Downstream AP ID: 0
User Agent String:
Max IPv4 users: 2
L3-Auth Session Timeout from Radius: 0
Mac-Auth Session Timeout Value from Radius: 0
Dot1x Session Timeout Value from Radius: 0
CoA Session Timeout Value from Radius: 0
Dot1x Session Term-Action Value from Radius: Default
CaptivePortal Login-Page URL from Radius: N/A
Reauth-interval from role: 0
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
mac auth server: ISE-VIP-NextDC, dot1x auth server: N/A
Address is from DHCP: yes
Per-user-log pointer 0x150c3b4 (id 3), num logs 21
Role assigment:
L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a
DHCP role: n/a, Default role: guest-ISE-portal, Cached role: n/a
Current Role name: guest-ISE-portal, role-how: ROLE_DERIVATION_MBA_VSA,
L2-role: guest-ISE-portal (how: ROLE_DERIVATION_MBA_VSA), L3-role: n/a (how: n/a)
Role events:
1: l2 role->logon, mac user created
2: l2 role->guest-ISE-portal, Set AAA profile defaults
3: l2 role->guest-ISE-portal, station Authenticated with auth type: MAC based authentication
RTTS disabled: rtts_throughput 311760 rtts_discard 0 rtts_reest 0 rtts_keepalive 0
Just to keep things simple while troubleshooting (i.e. I am getting desperate now!) I made the firewall any/any - I want to secure that of course, but that is the next thing. Here are the rights for that role
(Aruba7210) #show rights guest-ISE-portal
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'guest-ISE-portal'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 2
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 73/0
Openflow: Disabled
Max Sessions = 65535
Check CP Profile for Accounting = FALSE
Captive Portal profile = Blizzard-cp_prof
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-guest-ISE-portal-sacl session
3 any-any session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-guest-ISE-portal-sacl
---------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
any-any
-------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any permit Yes Low 4
Expired Policies (due to time constraints) = 0
And finally, the captive portal profile that I am using (and I have tinkered around with various settings - there are too many to choose from and not sure of their impact)
(Aruba7210) #show aaa authentication captive-portal Blizzard-cp_prof
Captive Portal Authentication Profile "Blizzard-cp_prof"
--------------------------------------------------------
Parameter Value
--------- -----
Default Role guest-ISE-portal
Default Guest Role guest-ISE-portal
Server Group Blizzard_srvgrp-tsl86
Redirect Pause 10 sec
User Login Enabled
Guest Login Disabled
Logout popup window Enabled
Use HTTP for authentication Disabled
Logon wait minimum wait 5 sec
Logon wait maximum wait 10 sec
logon wait CPU utilization threshold 60 %
Max Authentication failures 0
Show FQDN Enabled
Authentication Protocol PAP
Login page https://guest.****************:8443/portal/g?p=9dQ7EkvlqbWGRixNAzYJ85E6Rg
Welcome page /auth/welcome.html
Show Welcome Page No
Add switch IP address in the redirection URL Disabled
Adding user vlan in redirection URL Disabled
Add a controller interface in the redirection URL N/A
Allow only one active user session Disabled
White List N/A
Black List N/A
Show the acceptable use policy page Disabled
User idle timeout N/A
Redirect URL N/A
Bypass Apple Captive Network Assistant Disabled
URL Hash Key N/A
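As an added diagnostic (my own example, not the poster's config and not an Aruba tool), a Python check over "show rights" output modelled on the one above. It assumes that ArubaOS performs the captive portal redirect through dst-nat rules inside the role's session ACLs (the built-in captiveportal policy), so a role whose ACL list holds only global-sacl, the apprf ACL and an any-any permit has nothing to redirect with, whatever Captive Portal profile it names; the sample text is constructed from the post with columns trimmed.

```python
import re
from itertools import takewhile
# Constructed sample modelled on the post's "show rights guest-ISE-portal" output (columns trimmed).
RIGHTS_OUTPUT = """\
Captive Portal profile = Blizzard-cp_prof
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 apprf-guest-ISE-portal-sacl session
2 any-any session
apprf-guest-ISE-portal-sacl
---------------------------
Priority Source Destination Service Action
-------- ------ ----------- ------- ------
any-any
-------
Priority Source Destination Service Action
-------- ------ ----------- ------- ------
1 any any any permit Yes Low 4
"""

def acl_positions(text):
    # Ordered ACL names from the "access-list List" table (rows are "<pos> <name> <type> ...").
    names, in_table = [], False
    for line in text.splitlines():
        in_table = in_table or line.startswith("access-list List")
        m = in_table and re.match(r"\s*\d+\s+(\S+)\s+\S+", line)
        if m:
            names.append(m.group(1))
        elif names:
            break  # first non-row after the rows ends the table
    return names

def acl_rules(text, name):
    """Rule rows of the per-ACL table that is headed by the bare ACL name."""
    lines = text.splitlines()
    if name not in lines:
        return []
    i = lines.index(name)
    while not lines[i].startswith("Priority"):
        i += 1  # column header; its dashed underline is the next line
    rows = takewhile(lambda l: re.match(r"\s*\d+\s+", l), lines[i + 2:])
    return [r.strip() for r in rows]  # an empty ACL yields no rows at all

def diagnose(text):
    """Redirect needs a CP profile on the role AND a dst-nat rule in its ACLs."""
    cp = re.search(r"Captive Portal profile = (\S+)", text)
    redirecting = [a for a in acl_positions(text) if any("dst-nat" in r for r in acl_rules(text, a))]
    return {"cp_profile": cp and cp.group(1), "redirect_acls": redirecting,
            "redirect_possible": bool(cp and redirecting)}
```

Run diagnose() on the real output of show rights for the role; an empty redirect_acls list with a cp_profile set is the "profile named but no redirect policy in the role" condition.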