Wireless Access

Hi everyone,

We've been moving over to a separate ArubaOS 8 environment with Clearpass (6.10.7) hosting the guest captive portal for the guest wifi service.

Ever since we started moving clients over from AOS6 to AOS8, we've heard of complaints that the captive portal either doesn't load right away or it takes so long that they give up.  MAC authentications for previously authenticated clients works perfectly though.  When we test on the AOS6 environment the portal loads almost instantly after associating to it.  I've experienced this issue on AOS8 at times but not consistently.

The two environments do have a slightly tweaked role but nothing that should be blocking the webpage from loading for the clients.  These are the pre-authentication roles for AOS6 and AOS8 respectively:

AOS6
user-role MFC-Guest-logon
captive-portal "MFC-Guest-cp"
access-list session global-sacl
access-list session apprf-MFC-Guest-logon-sacl
access-list session logon-control
access-list session allow-ClearPass
access-list session captiveportal
!

AOS8
user-role MFC-GUEST-LOGON
access-list session CLEARPASS-PORTAL
access-list session captiveportal
access-list session GUEST-LOGON-ACCESS
captive-portal MFC-GUEST-CP
!

The ACLs are mostly default or basic in their functions to allow limited access before being authenticated.  The only odd thing that sticks out is that the captive-portal item is at the top of the list in the AOS6 role while the AOS8 role has it at the bottom.  Could this be the issue?

Another interesting thing we discovered during our staging of the AOS8 environment was that the captive portal page wouldn't load properly (kept refreshing itself) when the ACL "CLEARPASS-PORTAL" was lower in the list of positions in the role.  When we moved it to the top, the page loaded normally but we still have our ongoing, sporadic, delaying issue.

Thanks for any tips or suggestions.

Edit:  Forgot to add that this behavior is happening on Windows laptops, iPhones, and Android based phones.  So pretty much across the board.
Edit 2: The new AOS8 environment Guest SSID is also using Enhanced Open with backwards compatibility.


------------------------------
Jose
------------------------------

In general if I hear such issues it is either:
- Certificate issue (non-trusted certificate used somewhere on the controller or ClearPass)
- Blocked traffic (like OCSP)

If you can replicate it on Windows, you may run a Wireshark packet capture and in parallel use the browser tools to trace the browser requests an see where the delay is (unreachable URL/server, wrong redirection, invalid URL, untrusted request). The Wireshark shows DHCP, DNS, and where requests are going (think OCSP is not visible in browser trace).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Dec 05, 2022 08:03 AM
From: Jose Robles
Subject: Guest captive portal taking very long time to load or not at all for some clients

Hi everyone,

We've been moving over to a separate ArubaOS 8 environment with Clearpass (6.10.7) hosting the guest captive portal for the guest wifi service.

Ever since we started moving clients over from AOS6 to AOS8, we've heard of complaints that the captive portal either doesn't load right away or it takes so long that they give up.  MAC authentications for previously authenticated clients works perfectly though.  When we test on the AOS6 environment the portal loads almost instantly after associating to it.  I've experienced this issue on AOS8 at times but not consistently.

The two environments do have a slightly tweaked role but nothing that should be blocking the webpage from loading for the clients.  These are the pre-authentication roles for AOS6 and AOS8 respectively:

AOS6
user-role MFC-Guest-logon
captive-portal "MFC-Guest-cp"
access-list session global-sacl
access-list session apprf-MFC-Guest-logon-sacl
access-list session logon-control
access-list session allow-ClearPass
access-list session captiveportal
!

AOS8
user-role MFC-GUEST-LOGON
access-list session CLEARPASS-PORTAL
access-list session captiveportal
access-list session GUEST-LOGON-ACCESS
captive-portal MFC-GUEST-CP
!

The ACLs are mostly default or basic in their functions to allow limited access before being authenticated.  The only odd thing that sticks out is that the captive-portal item is at the top of the list in the AOS6 role while the AOS8 role has it at the bottom.  Could this be the issue?

Another interesting thing we discovered during our staging of the AOS8 environment was that the captive portal page wouldn't load properly (kept refreshing itself) when the ACL "CLEARPASS-PORTAL" was lower in the list of positions in the role.  When we moved it to the top, the page loaded normally but we still have our ongoing, sporadic, delaying issue.

Thanks for any tips or suggestions.

Edit:  Forgot to add that this behavior is happening on Windows laptops, iPhones, and Android based phones.  So pretty much across the board.
Edit 2: The new AOS8 environment Guest SSID is also using Enhanced Open with backwards compatibility.


------------------------------
Jose
------------------------------

Hi Herman,

Thanks for the suggestions.  I'm leaning towards some kind of blockage but in terms of certificates, they are all valid on both the controllers and Clearpass.  The same Clearpass certificate is being used on our AOS6 environment which works as expected.  And when the captive portal does show up on a device like a laptop, the trusted symbol is shown on the browser.

Speaking of which, when the captive portal is delayed on a Windows laptop, the browser page gets stuck on the msftconnecttest.com URL.  Now I know that it should be able to resolve that URL and then the redirect to Clearpass occurs but for whatever reason, it just stays there.  Of course, this isn't repeatable each time which makes it more difficult to narrow down.

------------------------------
Jose
------------------------------

Original Message:
Sent: Dec 05, 2022 10:21 AM
From: Herman Robers
Subject: Guest captive portal taking very long time to load or not at all for some clients

In general if I hear such issues it is either:
- Certificate issue (non-trusted certificate used somewhere on the controller or ClearPass)
- Blocked traffic (like OCSP)

If you can replicate it on Windows, you may run a Wireshark packet capture and in parallel use the browser tools to trace the browser requests an see where the delay is (unreachable URL/server, wrong redirection, invalid URL, untrusted request). The Wireshark shows DHCP, DNS, and where requests are going (think OCSP is not visible in browser trace).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 05, 2022 08:03 AM
From: Jose Robles
Subject: Guest captive portal taking very long time to load or not at all for some clients

Hi everyone,

We've been moving over to a separate ArubaOS 8 environment with Clearpass (6.10.7) hosting the guest captive portal for the guest wifi service.

Ever since we started moving clients over from AOS6 to AOS8, we've heard of complaints that the captive portal either doesn't load right away or it takes so long that they give up.  MAC authentications for previously authenticated clients works perfectly though.  When we test on the AOS6 environment the portal loads almost instantly after associating to it.  I've experienced this issue on AOS8 at times but not consistently.

The two environments do have a slightly tweaked role but nothing that should be blocking the webpage from loading for the clients.  These are the pre-authentication roles for AOS6 and AOS8 respectively:

AOS6
user-role MFC-Guest-logon
captive-portal "MFC-Guest-cp"
access-list session global-sacl
access-list session apprf-MFC-Guest-logon-sacl
access-list session logon-control
access-list session allow-ClearPass
access-list session captiveportal
!

AOS8
user-role MFC-GUEST-LOGON
access-list session CLEARPASS-PORTAL
access-list session captiveportal
access-list session GUEST-LOGON-ACCESS
captive-portal MFC-GUEST-CP
!

The ACLs are mostly default or basic in their functions to allow limited access before being authenticated.  The only odd thing that sticks out is that the captive-portal item is at the top of the list in the AOS6 role while the AOS8 role has it at the bottom.  Could this be the issue?

Another interesting thing we discovered during our staging of the AOS8 environment was that the captive portal page wouldn't load properly (kept refreshing itself) when the ACL "CLEARPASS-PORTAL" was lower in the list of positions in the role.  When we moved it to the top, the page loaded normally but we still have our ongoing, sporadic, delaying issue.

Thanks for any tips or suggestions.

Edit:  Forgot to add that this behavior is happening on Windows laptops, iPhones, and Android based phones.  So pretty much across the board.
Edit 2: The new AOS8 environment Guest SSID is also using Enhanced Open with backwards compatibility.


------------------------------
Jose
------------------------------

It's hard to tell something useful without seeing the logs and linked to the capture. And yes, if it is not simple to reproduce it may be even harder to find the issue. May be good to have a look together with you. Your Aruba partner or Aruba Support are good candidates for that.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Dec 05, 2022 10:56 AM
From: Jose Robles
Subject: Guest captive portal taking very long time to load or not at all for some clients

Hi Herman,

Thanks for the suggestions.  I'm leaning towards some kind of blockage but in terms of certificates, they are all valid on both the controllers and Clearpass.  The same Clearpass certificate is being used on our AOS6 environment which works as expected.  And when the captive portal does show up on a device like a laptop, the trusted symbol is shown on the browser.

Speaking of which, when the captive portal is delayed on a Windows laptop, the browser page gets stuck on the msftconnecttest.com URL.  Now I know that it should be able to resolve that URL and then the redirect to Clearpass occurs but for whatever reason, it just stays there.  Of course, this isn't repeatable each time which makes it more difficult to narrow down.

------------------------------
Jose

Original Message:
Sent: Dec 05, 2022 10:21 AM
From: Herman Robers
Subject: Guest captive portal taking very long time to load or not at all for some clients

In general if I hear such issues it is either:
- Certificate issue (non-trusted certificate used somewhere on the controller or ClearPass)
- Blocked traffic (like OCSP)

If you can replicate it on Windows, you may run a Wireshark packet capture and in parallel use the browser tools to trace the browser requests an see where the delay is (unreachable URL/server, wrong redirection, invalid URL, untrusted request). The Wireshark shows DHCP, DNS, and where requests are going (think OCSP is not visible in browser trace).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 05, 2022 08:03 AM
From: Jose Robles
Subject: Guest captive portal taking very long time to load or not at all for some clients

Hi everyone,

We've been moving over to a separate ArubaOS 8 environment with Clearpass (6.10.7) hosting the guest captive portal for the guest wifi service.

Ever since we started moving clients over from AOS6 to AOS8, we've heard of complaints that the captive portal either doesn't load right away or it takes so long that they give up.  MAC authentications for previously authenticated clients works perfectly though.  When we test on the AOS6 environment the portal loads almost instantly after associating to it.  I've experienced this issue on AOS8 at times but not consistently.

The two environments do have a slightly tweaked role but nothing that should be blocking the webpage from loading for the clients.  These are the pre-authentication roles for AOS6 and AOS8 respectively:

AOS6
user-role MFC-Guest-logon
captive-portal "MFC-Guest-cp"
access-list session global-sacl
access-list session apprf-MFC-Guest-logon-sacl
access-list session logon-control
access-list session allow-ClearPass
access-list session captiveportal
!

AOS8
user-role MFC-GUEST-LOGON
access-list session CLEARPASS-PORTAL
access-list session captiveportal
access-list session GUEST-LOGON-ACCESS
captive-portal MFC-GUEST-CP
!

The ACLs are mostly default or basic in their functions to allow limited access before being authenticated.  The only odd thing that sticks out is that the captive-portal item is at the top of the list in the AOS6 role while the AOS8 role has it at the bottom.  Could this be the issue?

Another interesting thing we discovered during our staging of the AOS8 environment was that the captive portal page wouldn't load properly (kept refreshing itself) when the ACL "CLEARPASS-PORTAL" was lower in the list of positions in the role.  When we moved it to the top, the page loaded normally but we still have our ongoing, sporadic, delaying issue.

Thanks for any tips or suggestions.

Edit:  Forgot to add that this behavior is happening on Windows laptops, iPhones, and Android based phones.  So pretty much across the board.
Edit 2: The new AOS8 environment Guest SSID is also using Enhanced Open with backwards compatibility.


------------------------------
Jose
------------------------------

Original Message:
Sent: 12/5/2022 11:47:00 AM
From: Herman Robers
Subject: RE: Guest captive portal taking very long time to load or not at all for some clients

It's hard to tell something useful without seeing the logs and linked to the capture. And yes, if it is not simple to reproduce it may be even harder to find the issue. May be good to have a look together with you. Your Aruba partner or Aruba Support are good candidates for that.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Dec 05, 2022 10:56 AM
From: Jose Robles
Subject: Guest captive portal taking very long time to load or not at all for some clients

Hi Herman,

Thanks for the suggestions.  I'm leaning towards some kind of blockage but in terms of certificates, they are all valid on both the controllers and Clearpass.  The same Clearpass certificate is being used on our AOS6 environment which works as expected.  And when the captive portal does show up on a device like a laptop, the trusted symbol is shown on the browser.

Speaking of which, when the captive portal is delayed on a Windows laptop, the browser page gets stuck on the msftconnecttest.com URL.  Now I know that it should be able to resolve that URL and then the redirect to Clearpass occurs but for whatever reason, it just stays there.  Of course, this isn't repeatable each time which makes it more difficult to narrow down.

------------------------------
Jose

Original Message:
Sent: Dec 05, 2022 10:21 AM
From: Herman Robers
Subject: Guest captive portal taking very long time to load or not at all for some clients

In general if I hear such issues it is either:
- Certificate issue (non-trusted certificate used somewhere on the controller or ClearPass)
- Blocked traffic (like OCSP)

If you can replicate it on Windows, you may run a Wireshark packet capture and in parallel use the browser tools to trace the browser requests an see where the delay is (unreachable URL/server, wrong redirection, invalid URL, untrusted request). The Wireshark shows DHCP, DNS, and where requests are going (think OCSP is not visible in browser trace).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Dec 05, 2022 08:03 AM
From: Jose Robles
Subject: Guest captive portal taking very long time to load or not at all for some clients

Hi everyone,

We've been moving over to a separate ArubaOS 8 environment with Clearpass (6.10.7) hosting the guest captive portal for the guest wifi service.

Ever since we started moving clients over from AOS6 to AOS8, we've heard of complaints that the captive portal either doesn't load right away or it takes so long that they give up.  MAC authentications for previously authenticated clients works perfectly though.  When we test on the AOS6 environment the portal loads almost instantly after associating to it.  I've experienced this issue on AOS8 at times but not consistently.

The two environments do have a slightly tweaked role but nothing that should be blocking the webpage from loading for the clients.  These are the pre-authentication roles for AOS6 and AOS8 respectively:

AOS6
user-role MFC-Guest-logon
captive-portal "MFC-Guest-cp"
access-list session global-sacl
access-list session apprf-MFC-Guest-logon-sacl
access-list session logon-control
access-list session allow-ClearPass
access-list session captiveportal
!

AOS8
user-role MFC-GUEST-LOGON
access-list session CLEARPASS-PORTAL
access-list session captiveportal
access-list session GUEST-LOGON-ACCESS
captive-portal MFC-GUEST-CP
!

The ACLs are mostly default or basic in their functions to allow limited access before being authenticated.  The only odd thing that sticks out is that the captive-portal item is at the top of the list in the AOS6 role while the AOS8 role has it at the bottom.  Could this be the issue?

Another interesting thing we discovered during our staging of the AOS8 environment was that the captive portal page wouldn't load properly (kept refreshing itself) when the ACL "CLEARPASS-PORTAL" was lower in the list of positions in the role.  When we moved it to the top, the page loaded normally but we still have our ongoing, sporadic, delaying issue.

Thanks for any tips or suggestions.

Edit:  Forgot to add that this behavior is happening on Windows laptops, iPhones, and Android based phones.  So pretty much across the board.
Edit 2: The new AOS8 environment Guest SSID is also using Enhanced Open with backwards compatibility.


------------------------------
Jose
------------------------------