My devices can connect and authenticate to the external captive portal successfully, but are unable to browse the internet. Please Help!!

  • Problem
  • Updated 2 years ago
  • Solved
My devices can connect and authenticate to the external captive portal successfully, but are unable to browse the internet. Please Help!! All appeared to be working fine a short while ago on version 9.12 but ever since upgrading to 10.01.06 this does not seem to work. We have two Identifi V2110 controllers. All appears to be the same for the Topology and Roles, I am thinking something must have changed in the policy rules to block this communication. Any help would be greatly appreciated.

Dean Ferraro


Posted 2 years ago


Steve Ballantyne

Hello Dean, there are so many different ways to go with troubleshooting this. First question is: why didn't you upgrade to the latest code? I would move ahead to 10.11.02.0032 in case you are battling an old bug.

If you think it's your policy rules, you may be right. On the Policy Rules tab on your *auth* policy role, I would check the following:
  • Is the "Inherit filter rules" checked at the top of the page?
  • Do you have AP or Custom rules checked?
  • What rules do you have in place? A screenshot would be helpful
Here is what my guest network Auth Policy looks like ... note the allow/deny and the direction (In and Out).


Steve Ballantyne

Yikes! I was not aware of the bug. Thanks for the heads up Ron. I haven't spent any time looking at my reports since my upgrade so I didn't notice. But I'm glad you mentioned it. You probably saved me a lot of hair pulling.

James A, Embassador

Ronald: that bug is useful to know about, I've seen it too. Have they said when it'll be fixed?

Ronald Dvorak, Embassador

I've just rx the update that engineering is still looking at it - ticket#01241795

I'll keep you posted

Dean Ferraro

Thanks we are all squared away on this issue. Had an issue with a static route in our firewall and with very little tweaking of our policy rules we were all set. Rolled this out in a partial deployment to 1 building this evening

James A, Embassador

Ronald: 10.11.3 lists wns0016013 "Corrected issue with reporting of user statistics by Access Points, which could result in inadvertent idle timeout of registered devices" which would be two birds with one stone for us.

Ronald Dvorak, Embassador

"My devices can connect and authenticate to the external captive portal successfully"

The question is whether that information reaches the controller.
Please check the client reports (GUI > Reports > Clients > By VNS) and make sure that the client has the green lock icon on the left (authenticated) and whether the correct role is shown.

If that is correct you'd do a simple ping from the client to see whether it is a DNS issue.
ping google.com and see whether the address resolution is working.....

# ping google.com
Pinging google.com [172.217.20.238] with 32 bytes of data:
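
Added example, not part of Ronald's post: the name-versus-address check above written as a small triage routine that separates a DNS failure from a missing path. It goes beyond the post by also probing a known address directly and by using a TCP connect in place of ICMP ping; the function names, the `1.1.1.1` target and port 443 are assumptions made for this sketch.

```python
import socket

def resolve(name):
    """Return the first IPv4 address for name, or None when DNS fails."""
    try:
        return socket.getaddrinfo(name, 443, socket.AF_INET,
                                  socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror:
        return None

def tcp_reachable(ip, port=443, timeout=3.0):
    """TCP connect used in place of ICMP ping (no raw-socket privileges needed)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

# Where to look next for each verdict, based on the causes raised in this thread.
NEXT_STEP = {
    "ok": "name and address both work; the problem is above the network path",
    "dns": "path works by address; check DNS servers, forwarders, port 53 in the role's rules",
    "no-path": "nothing reachable even by address; check policy rules, gateway, firewall routes",
    "partial": "only some destinations reachable; compare with a wired client, check routes/filtering",
}

def triage(name, known_ip, resolver=resolve, probe=tcp_reachable):
    """Classify a post-authentication failure as ok / dns / no-path / partial."""
    by_ip = probe(known_ip)      # does traffic leave the guest network at all?
    addr = resolver(name)        # does name resolution work?
    if addr is None:
        return "dns" if by_ip else "no-path"
    by_name = probe(addr)
    if by_ip and by_name:
        return "ok"
    if not by_ip and not by_name:
        return "no-path"
    return "partial"

if __name__ == "__main__":
    # Assumed targets: google.com is the name used in the post; 1.1.1.1 is an
    # arbitrary public address chosen for this example.
    verdict = triage("google.com", "1.1.1.1")
    print(verdict, "-", NEXT_STEP[verdict])
```

A role that permits TCP 443 but drops ICMP will pass this check while `ping` still fails, so compare both results before changing rules.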

Dean Ferraro


Ron,


Thanks for the info on 10.11, this was available when advised to upgrade but I was told to only go as far as 10.01 as you have mentioned as well. I just cleared the device from NAC and rejoined it to the ECP. The device is again registered in the Authenticated Guest devices End-System Group on the NAC. I have also checked client report as mentioned and all is again appearing as it should, Green Lock and correct role of Guest. Only unable to ping by address or name and of course without this there is no browsing. I am going to review the rules and try what Steve is using to see if something shakes. Client in use is a Windows 7 laptop that connects and works in all other testing but when joined to this guest ECP. Still digging Thanks


Dean Ferraro


Ok so we removed the Policy Rules to allow all traffic and isolated the browsing problem to what appears to be a redirection issue.

Additionally we ran a side by side test directly connecting the same laptop to the wire to see if the problem was isolated to the wireless ECP and did locate an issue with a static route in our firewall.

Once corrected we are now able to browse from the wireless ECP (still no policy rules) but continue to get intermittent results. It feels like we are being filtered somehow as some sites can easily be browsed but others are not. Will continue to test and put policy rules back in place to see if anything changes.


Steve Ballantyne

Sounds like you might be battling a DNS issue. Do your DNS servers have forwarding servers configured? If not that would result in some servers taking forever to be located or not located at all.

Dean Ferraro

Thanks wound up being a static route in our Firewall that was the culprit.

Ryan Mathews, Alum

Thanks for circling back with the Hub Community with your resolution Dean.  
Good stuff!

Dean Ferraro

Roger. LOL I couldn't figure out how to close this item so I just posted the end result to see if the moderator might close it for me. Have a great day

Ryan Mathews, Alum

Our Community Manager, Drew, will definitely mark the thread solved (he already has), based on your input.  This obviously helps future readers when they find relevant Hub topics on Google or Extreme Search -- http://www.extremenetworks.com/search/#t=All&sort=relevancy.

Since we run such an open community, we never really consider these topics closed. So, seeing the original poster confirm the resolution after a healthy bit of collaboration from some of the Hub's best and brightest, is great.

I know you're relatively new to the Community and we're glad you joined us.  We like how you go about your business and share your knowledge.