It seems that your MAB (what we call MAC Caching in ClearPass) does not work properly. I'm not an ISE expert, but from what I read in the documentation, the workflow is quite similar to ClearPass:
- Client connects, goes through MAC authentication and is 'unknown' or does not belong to the GuestEndpoints group and gets in the pre-auth role to get redirected to the captive portal.
- Client goes through the captive portal authentication, on successful authentication the client MAC address is added to the GuestEndpoints group.
- When a client roams, new MAC auth happens, at that time because the client MAC address is now part of the group, the normal guest access (no captive portal) is returned.
Please check if the client is added to that GuestEndpoints group; if not, check in the captive portal part why it isn't and fix that.
If it is, check why the MAC auth doesn't return the guest role. For that, be aware that roles are case-sensitive in Aruba WLAN, and that if the returned role does not exist on the AP/controller, the default role will be applied... which likely is the one with redirects.
You may check this video on how the guest + captive portal + MAC caching workflow is supposed to work, where it uses ClearPass, but the steps should be similar with ISE.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
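Added example, not part of the original thread and not Aruba, ClearPass or ISE code: a toy Python model of the MAC caching workflow and the two checks described in the reply above (endpoint group membership, then a case-sensitive role match with fallback to the default role). The class names, role names and the MAC address are assumptions made up for the illustration.

```python
# Toy model of guest + captive portal + MAC caching. All names are hypothetical.
GUEST_GROUP = "GuestEndpoints"

class RadiusServer:
    """Stands in for the policy server (ISE / ClearPass) in this model."""
    def __init__(self, guest_role, preauth_role):
        self.guest_role = guest_role
        self.preauth_role = preauth_role
        self.endpoint_groups = {}  # MAC -> endpoint group name

    def mac_auth(self, mac):
        # Known guest endpoint gets the guest role; anything else gets pre-auth.
        if self.endpoint_groups.get(mac.lower()) == GUEST_GROUP:
            return self.guest_role
        return self.preauth_role

    def portal_login_ok(self, mac):
        # A successful captive portal login caches the MAC in the guest group.
        self.endpoint_groups[mac.lower()] = GUEST_GROUP

class AccessPoint:
    def __init__(self, roles, default_role):
        self.roles = set(roles)
        self.default_role = default_role

    def apply_role(self, returned_role):
        # Case-sensitive match; a role unknown to the AP falls back to the default.
        return returned_role if returned_role in self.roles else self.default_role

def roam_result(server, ap, mac):
    """Run the MAC auth that happens on a roam; return (applied role, diagnosis)."""
    returned = server.mac_auth(mac)
    applied = ap.apply_role(returned)
    if server.endpoint_groups.get(mac.lower()) != GUEST_GROUP:
        return applied, "MAC not in guest endpoint group: check the portal step"
    if returned not in ap.roles:
        return applied, f"role {returned!r} not defined on AP: default role applied"
    return applied, "ok"

if __name__ == "__main__":
    mac = "AA:BB:CC:00:11:22"  # constructed sample MAC
    ap = AccessPoint(roles={"guest", "preauth"}, default_role="preauth")
    srv = RadiusServer(guest_role="Guest", preauth_role="preauth")  # case mismatch
    srv.portal_login_ok(mac)
    print(roam_result(srv, ap, mac))
```
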
Original Message:
Sent: Aug 02, 2022 02:04 AM
From: Ricky Lee
Subject: roaming issue with Captive Portal
Hi Colin,
Seems like after roaming, the roamed user got its role changed back to the pre-auth role.
What might be causing this?
Original Message:
Sent: Aug 01, 2022 05:07 PM
From: Colin Joseph
Subject: roaming issue with Captive Portal
You said dynamic radius proxy and mab, but also captive portal. What is the workflow for that SSID?
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
Original Message:
Sent: Aug 01, 2022 05:03 PM
From: Ricky Lee
Subject: roaming issue with Captive Portal
Hi Colin, yes, they are, with RADIUS dynamic proxy on. They have an Aruba GRE per-AP tunnel to tunnel the VLAN to the controller.
Original Message:
Sent: Aug 01, 2022 01:50 PM
From: Colin Joseph
Subject: roaming issue with Captive Portal
Are both IAPs in the same cluster?
Original Message:
Sent: Aug 01, 2022 05:47 AM
From: Ricky Lee
Subject: roaming issue with Captive Portal
Hi guys, I have an IAP-VPN setup with captive portal to an ISE server.
I have a roaming issue where every time a client roams, the captive portal server always asks for relogin.
I'm trying to troubleshoot on the IAP side; roaming seems fine, but however fine the roaming is, the captive portal always asks for relogin.
Other SSIDs with other security setups have no problem.
PS: I follow the configuration from this link:
How To: Cisco ISE Captive Portals with Aruba Wireless
It has a weird setup with employee SSID + MAB, but it is the only way that it could work.