Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Wired Guest Not Redirecting to Splash page

  • 1.  ClearPass Wired Guest Not Redirecting to Splash page

    Posted Mar 02, 2023 08:48 PM

    Has anyone ever set up a wired guest page just using a EULA and not a self-registration? I'm having an issue where, while I don't receive any errors from ClearPass or from the logs in the Aruba switch, I don't get redirected to the splash page. I get a valid IP address, DNS, gateway, an accept in Access Tracker for the enforcement, and I can see the switch downloaded the user role from a "show port-access client", but it just doesn't redirect me to the splash page.



  • 2.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    EMPLOYEE
    Posted Mar 02, 2023 11:24 PM

    Is this for a CX switch or AOS-S? Which model number?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    Posted Mar 03, 2023 09:47 AM

    It's AOS-S 

    Aruba JL076A 3810M-40G-8SR-PoE+-1-slot Switch
    Software revision KB.16.11.0008




  • 4.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    Posted Mar 03, 2023 10:07 AM

    Hi, if you type the captive portal address directly in the client browser, can you open it? Maybe there is an ACL blocking that access.

    I hope this helps




  • 5.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    Posted Mar 03, 2023 10:26 AM

    Yes, if I type it into the browser it opens, which is why I'm confused. It seems like everything is correct, but just the redirect isn't happening, which of course breaks it. I haven't configured the guest auth portion yet. I don't think that should matter, but just in case I want to let it be known.




  • 6.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    EMPLOYEE
    Posted Mar 03, 2023 03:26 PM

    Please paste the output of "show port-access client detail"

    or paste the details of the DUR enforcement profile.






  • 7.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    Posted Mar 03, 2023 04:35 PM

    class ipv4 DNS
    match udp any any eq 53
    match tcp any any eq 53
    exit

    class ipv4 DHCP
    match udp any any eq 67
    exit

    class ipv4 Web-Traffic
    match tcp any any eq 80
    match tcp any any eq 443
    exit

    aaa authentication captive-portal profile use-radius-vsa url https://guest.client.com/guest/wired-guest.php

    class ipv4 ClearPass-Web
    match tcp any host ClearPass IP1 eq 80
    match tcp any host ClearPass IP1 eq 443
    match tcp any host ClearPass IP2 eq 80
    match tcp any host ClearPass IP2 eq 443
    match tcp any host ClearPass IP VIP eq 80
    match tcp any host ClearPass IP VIP eq 443
    exit

    policy user ClearPass-Redirect
    class ipv4 DNS action permit
    class ipv4 DHCP action permit
    class ipv4 ClearPass-Web action permit
    class ipv4 Web-Traffic action redirect captive-portal
    exit

    aaa authorization user-role name Guest
    policy ClearPass-Redirect
    captive-portal-profile use-radius-vsa
    vlan-id 222
    exit




  • 8.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    EMPLOYEE
    Posted Mar 03, 2023 04:52 PM

    I think you should add https:// in front of your redirection URL.






  • 9.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    Posted Mar 03, 2023 07:43 PM

    Sorry, just wanting to verify: are you saying you believe I should REMOVE the https:// from in front of my redirection URL, or that I should put it in front of the URL? In the post I made, it shows with https:// in front of the URL.




  • 10.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    Posted Mar 04, 2023 08:31 AM

    Hi, looks fine like this:  aaa authentication captive-portal profile use-radius-vsa url https://guest.client.com/guest/wired-guest.php

    but put it in quotes to see if it makes any difference: "https://guest.client.com/guest/wired-guest.php"

    I hope this helps




  • 11.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    EMPLOYEE
    Posted Mar 08, 2023 03:34 AM

    Please paste the output of "show port-access client detail" when the client is connected (and captive portal should be shown) to see what is actually applied to the port.

    Do you have an IP on the switch interface vlan 222? If not, can you try to add that?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 12.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    Posted Mar 09, 2023 06:45 PM

    Hello Herman,

    I've added the port-access command and some new information below:

    After adding the IP address on VLAN 222 I started getting a new error message, BUT it would attempt to redirect. The error message is below the port-access output.

    Show port-access client detail 

    Downloaded user roles are preceded by *

     User Role Information

       Name                              : *AOS_DUR_Client_Guest-3034-24
       Type                              : downloaded
       Reauthentication Period (seconds) : 0
       Cached Reauth Period (seconds)    : 0
       Logoff Period (seconds)           : 300
       Untagged VLAN                     : 222
       Tagged VLANs                      :
       Captive Portal Profile            : use-radius-vsa_AOS_DUR_Client_Guest-3034-24
         URL                             : https://guest.client/guest/wired-guest.php
       Policy                            : ClearPass-Redirect_AOS_DUR_Client_Guest-3034-24

    Statements for policy "ClearPass-Redirect_AOS_DUR_Client_Guest-3034-24"
    policy user "ClearPass-Redirect_AOS_DUR_Client_Guest-3034-24"
         10 class ipv4 "DNS_AOS_DUR_Client_Guest-3034-24" action permit
         20 class ipv4 "DHCP_AOS_DUR_Client_Guest-3034-24" action permit
         30 class ipv4 "ClearPass-Web_AOS_DUR_Client_Guest-3034-24" action permit
         40 class ipv4 "Web-Traffic_AOS_DUR_Client_Guest-3034-24" action redirect captive-portal
       exit


    Statements for class IPv4 "DNS_AOS_DUR_Client_Guest-3034-24"
    class ipv4 "DNS_AOS_DUR_Client_Guest-3034-24"
         10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
         20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
       exit


    Statements for class IPv4 "DHCP_AOS_DUR_Client_Guest-3034-24"
    class ipv4 "DHCP_AOS_DUR_Client_Guest-3034-24"
         10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
       exit


    Statements for class IPv4 "ClearPass-Web_AOS_DUR_Client_Guest-3034-24"
    class ipv4 "ClearPass-Web_AOS_DUR_Client_Guest-3034-24"
         10 match tcp 0.0.0.0 255.255.255.255 10.24.x.x  (Publisher) 0.0.0.0 eq 80
         20 match tcp 0.0.0.0 255.255.255.255 10.24.x.x (Publisher) 0.0.0.0 eq 443
         30 match tcp 0.0.0.0 255.255.255.255 10.24.x.x (Subscriber) 0.0.0.0 eq 80
         40 match tcp 0.0.0.0 255.255.255.255 10.24.x.x (Subscriber) 0.0.0.0 eq 443
         50 match tcp 0.0.0.0 255.255.255.255 10.24.x.x (VIP) 0.0.0.0 eq 80
         60 match tcp 0.0.0.0 255.255.255.255 10.24.x.x (VIP) 0.0.0.0 eq 443
       exit

    --------------------------------------------------------------------------ERROR MESSAGE--------------------------------------------------------------------------------------------------------

    0030:00:57:35.18 DFP mdevMntr:DFP: parsed the HTTP User Agent 3
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:ERR_SSL_BAD_ID
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:SSL_closeConnection() returns status =
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:0
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:SSL_closeConnection() from AppType:
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:1
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:SSL_closeConnection() from AppType:
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:ERR_SSL_NO_CIPHER_MATCH
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:SSL_negotiateConnection() returns
       status = 
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:ERR_SSL_NO_CIPHER_MATCH
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:SSL:doProtocol() returns status = 
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:ERR_SSL_NO_CIPHER_MATCH
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:SSL_SOCK_receive() returns status = 
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:ERR_SSL_NO_CIPHER_MATCH
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:SSL_SOCK_serverHandshake() returns
       status = 
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:

    0030:00:57:35.16 SSL  tCaptivePortalHttpd:.
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:0
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:Resume state = 
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:ERR_SSL_NO_CIPHER_MATCH
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:sslHelloStateMachine() returns status
       = 
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:ERR_SSL_NO_CIPHER_MATCH
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:processClientHello3() returns status =
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:

    0030:00:57:35.16 SSL  tCaptivePortalHttpd:
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:00000000
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:Incompatible EC curves returned by
       SSL_setServerCert: 
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:

    0030:00:57:35.16 SSL  tCaptivePortalHttpd:
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:14
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:c0
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:SSLSOCK_selectCipherSuiteV3:
       CipherSuite selected = 0x
    0030:00:57:35.16 SSL  tCaptivePortalHttpd:




  • 13.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    EMPLOYEE
    Posted Mar 14, 2023 05:09 AM

    I don't see any class for Web-Traffic_AOS_DUR_Client_Guest-3034-24. And if it's not there, there will be no redirect. It probably should be something like: 10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80

    If this does not solve the issue, it may be better to open a support ticket to have a look at the error messages. Those suggest there is a problem with a certificate, where I think it may have to do with an ECC or RSA certificate mismatch, but I'm not fully sure where.



    ------------------------------
    Herman Robers
    ------------------------------
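
The check post 13 performs by eye, as an added example that is not part of the original thread: this Python sketch parses captured `show port-access client detail` output and lists every class the user policy references that has no match statements in the capture. The sample is abridged from the output in post 12; the function and variable names are this example's own.

```python
import re

# Abridged from the "show port-access client detail" output posted in this thread.
SAMPLE = '''\
Statements for policy "ClearPass-Redirect_AOS_DUR_Client_Guest-3034-24"
policy user "ClearPass-Redirect_AOS_DUR_Client_Guest-3034-24"
     10 class ipv4 "DNS_AOS_DUR_Client_Guest-3034-24" action permit
     20 class ipv4 "DHCP_AOS_DUR_Client_Guest-3034-24" action permit
     40 class ipv4 "Web-Traffic_AOS_DUR_Client_Guest-3034-24" action redirect captive-portal
   exit

Statements for class IPv4 "DNS_AOS_DUR_Client_Guest-3034-24"
class ipv4 "DNS_AOS_DUR_Client_Guest-3034-24"
     10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
   exit

Statements for class IPv4 "DHCP_AOS_DUR_Client_Guest-3034-24"
class ipv4 "DHCP_AOS_DUR_Client_Guest-3034-24"
     10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
   exit
'''

POLICY_REF = re.compile(r'^\s*\d+\s+class ipv4 "([^"]+)" action (.+?)\s*$')
CLASS_HDR = re.compile(r'^\s*class ipv4 "([^"]+)"\s*$')
MATCH_LINE = re.compile(r'^\s*\d+\s+match\s')

def audit_policy(output):
    """Return (referenced, undefined): class -> action, and classes with no match lines."""
    referenced, match_count, current = {}, {}, None
    for line in output.splitlines():
        if m := POLICY_REF.match(line):          # numbered "class ... action ..." in the policy
            referenced[m.group(1)] = m.group(2)
        elif m := CLASS_HDR.match(line):         # start of a class definition block
            current = m.group(1)
            match_count.setdefault(current, 0)
        elif line.strip() == "exit":             # end of the current block
            current = None
        elif current and MATCH_LINE.match(line): # numbered match statement inside a class
            match_count[current] += 1
    undefined = [c for c in referenced if match_count.get(c, 0) == 0]
    return referenced, undefined

if __name__ == "__main__":
    referenced, undefined = audit_policy(SAMPLE)
    for name in undefined:
        print(f"{name}: action '{referenced[name]}' but no match statements in output")
```

A class reported here may simply have been cut from the pasted capture, so confirm against the full switch output before changing the enforcement profile.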



  • 14.  RE: ClearPass Wired Guest Not Redirecting to Splash page

    Posted Mar 18, 2023 11:48 PM

    It's a good point that ECC will be defaulted in the newer versions of ClearPass, so if you're using RSA, you should disable the ECC HTTPS certificate.