If you think it's your policy rules, you may be right. On the Policy Rules tab on your *auth* policy role, I would check the following:
- Is the "Inherit filter rules" checked at the top of the page?
- Do you have AP or Custom rules checked?
- What rules do you have in place? A screenshot would be helpful.
The question is whether that information reaches the controller.
Please check the client reports (GUI > Reports > Clients > By VNS) and make sure that the client has the green lock icon on the left (authenticated) and whether the correct role is shown.
If that is correct, you'd do a simple ping from the client to see whether it is a DNS issue.
Ping google.com and see whether the address resolution is working...
```
# ping google.com
Pinging google.com [126.96.36.199] with 32 bytes of data:
```
Thanks for the info on 10.11, this was available when advised to upgrade but I was told to only go as far as 10.01 as you have mentioned as well. I just cleared the device from NAC and rejoined it to the ECP. The device is again registered in the Authenticated Guest devices End-System Group on the NAC. I have also checked the client report as mentioned and all is again appearing as it should, Green Lock and correct role of Guest. Only unable to ping by address or name and of course without this there is no browsing. I am going to review the rules and try what Steve is using to see if something shakes. Client in use is a Windows 7 laptop that connects and works in all other testing but when joined to this guest ECP. Still digging. Thanks
OK, so we removed the Policy Rules to allow all traffic and isolated the browsing problem to what appears to be a redirection issue.
Additionally, we ran a side-by-side test directly connecting the same laptop to the wire to see if the problem was isolated to the wireless ECP and did locate an issue with a static route in our firewall.
Once corrected, we are now able to browse from the wireless ECP (still no policy rules) but continue to get intermittent results. It feels like we are being filtered somehow as some sites can easily be browsed but others cannot. Will continue to test and put policy rules back in place to see if anything changes.