Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AOS10 Group with APs and Gateways using External Captive Portal (Clearpass)

  • 1.  AOS10 Group with APs and Gateways using External Captive Portal (Clearpass)

    Posted 8 days ago

    Hi All, 

    Hoping someone can help. Have this logged with TAC but not getting anywhere fast. We have migrated our campus APs and controllers to Central and converted to AOS10. This was done some time ago. Recently we've noticed that the captive portal was no longer working. Upon investigation it looked as simple as the role being wrong that was sent from ClearPass. This was amended and now the captive portal redirects but the page cannot be displayed.

    We see the portal redirect happen but then the page cannot be displayed.

    A packet capture suggests the AP rewrites the DNS query for our captive portal to the local AP I'm connecting to.

    The certificate handshake completes successfully.

    Then we see some retransmissions and the page then tries to redirect to port 4343, which isn't configured, e.g.:

    https://(mycaptiveportal.domain.com):4343/guest/captive_portal.php

    The SSID is tunnelled from the AOS10 APs to the gateway cluster.

    The cert, including the chain and private key, is applied and we confirmed the CN is correct to match the FQDN we're using on the gateway and APs.

    If I remove the certificate from the APs the portal presents just fine, but the IP is not rewritten by the controller, and when you've completed your registration the portal just refreshes back to the start as if the success message doesn't reach the AP/Controller.

     



  • 2.  RE: AOS10 Group with APs and Gateways using External Captive Portal (Clearpass)

    EMPLOYEE
    Posted 7 days ago

    AOS 10 will always default to the AP performing the authentication and redirection when using a captive portal if you've configured the WLAN through the wizard.  This applies even when the guest network is tunneled; the usage of a Gateway just means that the traffic is tunneled to the GW rather than bridged locally.  When the captive portal profile is created, a user role with the same name will also be created and will be used as the pre-auth user role on the WLAN.  If you are enabling MAC auth for MAC caching on the guest network then you HAVE to return that pre-auth role back from ClearPass if the expectation is for the current session to go through the captive portal.

    The "captive portal" certificate needs to be specified on the AP group; this defaults to the securelogin.hpe.com certificate that is provided through Central but can be replaced by your custom certificate.  Whichever certificate is used, that is the FQDN that will be used to provide the redirect upon initial connection as well as where the login will be sent by the client when completing the captive portal login process.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
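
Added example, not part of the original posts and not HPE Aruba code: the reply above ties the redirect hostname to the captive portal certificate's FQDN, and the thread verifies the CN, whereas current browsers match the hostname against subjectAltName dNSName entries and ignore the CN. The sketch below checks an observed redirect URL against certificate names; the hostnames, the `cert` dictionary layout and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # reject '*.com'-style patterns
    return p == h

def check_redirect(redirect_url: str, cert: dict) -> list:
    """Return findings for the redirect host; an empty list means the names line up."""
    findings = []
    url = urlsplit(redirect_url)
    host = url.hostname or ""
    if url.scheme != "https":
        findings.append("redirect is not HTTPS")
    sans = cert.get("san_dns", [])
    if not sans:
        # A matching CN alone does not satisfy browser name checks.
        findings.append("no SAN dNSName entries; browsers match SAN, not CN")
    elif not any(san_matches(s, host) for s in sans):
        findings.append(f"{host} not covered by SAN {sans}")
    return findings

# Constructed sample data (not taken from the thread).
REDIRECT = "https://portal.example.com:4343/guest/captive_portal.php"
CN_ONLY = {"cn": "portal.example.com", "san_dns": []}
WITH_SAN = {"cn": "portal.example.com", "san_dns": ["portal.example.com"]}
WILDCARD = {"cn": "*.example.com", "san_dns": ["*.example.com"]}
OTHER = {"cn": "guest.example.com", "san_dns": ["guest.example.com"]}

if __name__ == "__main__":
    for name, cert in [("CN only", CN_ONLY), ("SAN", WITH_SAN),
                       ("wildcard", WILDCARD), ("other host", OTHER)]:
        print(name, "->", check_redirect(REDIRECT, cert) or "ok")
```
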



  • 3.  RE: AOS10 Group with APs and Gateways using External Captive Portal (Clearpass)

    Posted 7 days ago
    Thanks for coming back. As stipulated, we have configured everything as per your reply already. The captive portal just doesn't load when we install the certs. It tries to redirect, followed by a "page cannot be displayed" message. The pcap suggests the TLS handshake is good, the cert matches the FQDN, etc.






  • 4.  RE: AOS10 Group with APs and Gateways using External Captive Portal (Clearpass)

    Posted 6 days ago

    Hello,

    Could you please share the output of "show captive-portal-domains" from the AP?

    Regards, Sajin

    ACMX#1499, ACX - CA