Wing 5.8, RFS7000, AP7532. Users disconnect and are asked to login again.

  • Problem
  • Updated 1 year ago
  • Solved
Hello,

I'm learning about wireless networking as much as about Zebra equipment, and I configured one network with 2 SSIDs. After a long time I finally made it. The users connect on both SSIDs, they go to the internet and so on, but sometimes, not only during roaming, they are disconnected and the system asks for another authentication via Captive Portal.

What could be wrong?
Thanks a lot.

!
! Configuration of RFS7000 version 5.8.4.0-034R
!
!
version 2.5
!
!
client-identity-group default
 load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
 permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
!
aaa-policy esaf01_AAA
 authentication server 1 onboard controller
 authentication server 1 proxy-mode through-controller
 authentication server 1 dscp 46
 accounting server 1 onboard controller
!
aaa-policy esaffuncionarios
 authentication server 1 host 10.10.10.40 secret 0 XXXXXXXXXXX
 authentication server 1 proxy-mode through-controller
 accounting server 1 host 10.10.10.40 secret 0 XXXXXXXXXXX
 accounting server 1 proxy-mode through-controller
!
dns-whitelist dns_listabranca
 permit XXXXXXXXXXX.gov.br suffix
!
captive-portal Portal
 access-time 720
 inactivity-timeout 21600
 server host 10.195.40.10
 server mode centralized
 simultaneous-users 2000
 webpage internal org-name ESAF
 webpage internal org-signature ESAF
 webpage internal login footer Entre em contato com o administrador caso encontre algum problema.
 webpage internal login main-logo XXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal login org-background-color #ffffff
 webpage internal login org-font-color #003300
 webpage internal login body-background-color #ffffff
 webpage internal welcome main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal welcome title Seja bem vindo
 webpage internal fail header O acesso foi negado.
 webpage internal fail main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal fail title Falha
 webpage internal agreement header Seja bem vindo
 webpage internal agreement main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal agreement title ESAF
 webpage internal acknowledgement main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal registration description Por favor encontre um momento para registrar-se.
 webpage internal registration header Bem vindo
 webpage internal registration main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal no-service main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 accounting radius
 use aaa-policy esaf01_AAA
 use dns-whitelist dns_listabranca
 webpage internal registration field city type text enable label "City" placeholder "Enter City"
 webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
 webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
 webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
 webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
 webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
 webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
 webpage internal registration field email type e-address enable mandatory label "Email" placeholder
 webpage internal registration field via-email type checkbox enable title "Email Preferred"
!
captive-portal PortalFuncionario
 access-time 720
 inactivity-timeout 21600
 server host 10.195.37.2
 server mode centralized
 simultaneous-users 200
 webpage internal org-name ESAF
 webpage internal org-signature ESAF
 webpage internal login description Conecte-se com nome e senha
 webpage internal login footer Conecte-se com nome e senha
 webpage internal login header Conecte-se com nome e senha
 webpage internal login main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal login main-logo use-as-banner
 accounting radius
 use aaa-policy esaffuncionarios
 use dns-whitelist dns_listabranca
 webpage internal registration field city type text enable label "City" placeholder "Enter City"
 webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
 webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
 webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
 webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
 webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
 webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
 webpage internal registration field email type e-address enable mandatory label "Email" placeholder
 webpage internal registration field via-email type checkbox enable title "Email Preferred"
!
wlan ESAF-01
 description ESAF-Visitantes
 shutdown
 ssid ESAF-Visitantes
 vlan 2074
 bridging-mode local
 encryption-type none
 authentication-type none
 no fast-bss-transition over-ds
 use captive-portal Portal
 captive-portal-enforcement
 ip dhcp trust
!
wlan ESAFFuncionarios
 description ESAF-Servidores
 ssid ESAF-Funcionarios
 vlan 2075
 bridging-mode local
 encryption-type none
 authentication-type none
 wireless-client inactivity-timeout 21600
 wireless-client cred-cache-ageout 43200
 wireless-client vlan-cache-ageout 43200
 use aaa-policy esaffuncionarios
 use captive-portal PortalFuncionario
 captive-portal-enforcement
 relay-agent dhcp-option82
!
wlan ESAFVISITANTES
 ssid ESAF-Visitantes
 vlan 2074
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 wireless-client inactivity-timeout 21600
 wireless-client cred-cache-ageout 43200
 wireless-client vlan-cache-ageout 43200
 wing-extensions move-command
 wing-extensions scan-assist
 wing-extensions ft-over-ds-aggregate
 use aaa-policy esaf01_AAA
 use captive-portal Portal
 captive-portal-enforcement
!
smart-rf-policy smartrfbasico
 group-by area
!
auto-provisioning-policy aps-7532
 adopt ap7532 precedence 1 profile AP-7532 rf-domain RF-SERPRO any 
!
radius-group Esaf01
 guest
 policy vlan 2074
 policy ssid ESAF-Visitantes
 policy day mo
 policy day tu
 policy day we
 policy day th
 policy day fr
 policy day sa
 policy day su
!
radius-group Esaf02
 policy vlan 2074
!
radius-group helpdesk
 policy access web
 policy role helpdesk
!
radius-user-pool-policy visitante
 user Esaf password 0 esaf group Esaf02
 user helpdesk password 0 helpdesk group helpdesk
 user esaf password 0 esaf group Esaf02
!
radius-server-policy radius-esaf
 use radius-user-pool-policy visitante
 use radius-group Esaf01
!
dhcp-server-policy DHCP-ESAF
 dhcp-pool ESAF-VISITANTES
  network 10.195.40.0/22
  address range 10.195.40.50 10.195.43.254
  lease 0 14 26 40
  default-router 10.195.40.1
  dns-server  200.198.205.242 161.48.25.38
 dhcp-pool ge
  network 192.168.0.0/24
  address range 192.168.0.100 192.168.0.120
 dhcp-pool ESAF
  network 10.195.37.0/24
  address range 10.195.37.10 10.195.37.254
  lease 0 14 26 40
  default-router 10.195.37.1
  dns-server  200.198.205.242 161.48.25.38
 dhcp-pool APS
  network 10.195.11.0/24
  address range 10.195.11.111 10.195.11.130
  default-router 10.195.11.1
  dns-server  10.12.1.16
!
!
management-policy default
 telnet
 no http server
 https server
 ssh
 user admin password 1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx role superuser access all
 user teste password 1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx role web-user-admin
 user helpdesk password 1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx role helpdesk access web
 snmp-server community 0 private rw
 snmp-server community 0 public ro
 snmp-server user snmptrap v3 encrypted des auth md5 0 senha00
 snmp-server user snmpmanager v3 encrypted des auth md5 0 senha00
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
 idle-session-timeout 300
!
ex3500-management-policy default
 snmp-server community public ro
 snmp-server community private rw
 snmp-server notify-filter 1 remote 127.0.0.1
 snmp-server view defaultview 1 included
!
ex3500-qos-class-map-policy default
!
ex3500-qos-policy-map default
!
l2tpv3 policy default
!
profile rfs7000 default-rfs7000
 bridge vlan 100
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
 ip default-gateway 10.195.40.1
 autoinstall configuration
 autoinstall firmware
 use radius-server-policy radius-esaf
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface me1
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  switchport trunk native tagged
  switchport trunk allowed vlan 1,100
 interface ge2
  switchport mode access
  switchport access vlan 100
 interface ge3
 interface ge4
 interface vlan1
  description Esaf01
 interface pppoe1
 use dhcp-server-policy DHCP-ESAF
 use firewall-policy default
 use auto-provisioning-policy aps-7532
 use captive-portal server Portal
 logging on
 service pm sys-restart
 router ospf
!
profile ap8533 default-ap8533
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface radio3
 interface bluetooth1
  shutdown
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 logging on
 service pm sys-restart
 router ospf
!
profile ap82xx default-ap82xx
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface radio3
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface wwan1
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 logging on
 service pm sys-restart
 router ospf
!
profile ap81xx default-ap81xx
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface radio3
 interface bluetooth1
  shutdown
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
 interface wwan1
 interface pppoe1
 use firewall-policy default
 use client-identity-group default
 logging on
 service pm sys-restart
 router ospf
!
profile ap7532 AP-7532
 bridge vlan 1
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
 bridge vlan 10
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
 bridge vlan 100
  use captive-portal Portal
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
 ip name-server 10.12.1.16
 ip name-server 8.8.8.8
 ip name-server 4.2.2.2
 ip default-gateway 10.195.40.1
 no autoinstall configuration
 no autoinstall firmware
 use radius-server-policy radius-esaf
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
  wlan ESAF-01 bss 1 primary
  wlan ESAFVISITANTES bss 2 primary
  wlan ESAFFuncionarios bss 3 primary
 interface radio2
  wlan ESAF-01 bss 1 primary
  wlan ESAFVISITANTES bss 2 primary
  wlan ESAFFuncionarios bss 3 primary
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  switchport trunk native tagged
  switchport trunk allowed vlan 1,11,2074-2075
 interface vlan1
 interface vlan11
  description Gerencia
  ip address dhcp
 interface vlan2074
  description Vlan_rede_visitantes
 interface vlan2075
  description Vlan_rede_funcionarios
 interface pppoe1
 use dhcp-server-policy DHCP-ESAF
 use firewall-policy default
 use captive-portal server Portal
 use captive-portal server PortalFuncionario
 logging on
 controller host 10.195.11.100 pool 1 level 1
 service pm sys-restart
 router ospf
!
profile ap7532 PROFILE-AP7532
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface ge1
 interface vlan11
  ip address dhcp
 interface pppoe1
 use firewall-policy default
 controller host 10.195.11.100
 service pm sys-restart
 router ospf
!

rf-domain RF-SERPRO
 location ESAF
 contact Serpro
 timezone America/Sao_Paulo
 country-code br
 use smart-rf-policy smartrfbasico
 controller-managed
!
rfs7000 5C-0E-8B-1A-45-26
 use profile default-rfs7000
 use rf-domain RF-SERPRO
 hostname rfs7000-1A4526
 layout-coordinates 3.0 2.5
 license AP 65b47071ef2b3f0237c8f5ff63b4589f1cff782846631007ef3878466f287e8a4745e462a14cae5d
 ip default-gateway 10.195.11.1
 interface me1
  ip address dhcp
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  switchport trunk native tagged
  switchport trunk allowed vlan 1,10-11,2074-2075
 interface ge2
  switchport mode access
  switchport access vlan 11
 interface vlan1
  ip address 192.168.10.1/24
 interface vlan11
  description Gerencia
  ip address 10.195.11.100/24
 interface vlan2074
  description wifi_visitantes
  ip address 10.195.40.10/22
 interface vlan2075
  description wifi_funcionarios
  ip address 10.195.37.2/24
 logging syslog debugging
!
ap7532 74-67-F7-03-26-44
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-032644
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-26-48
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-032648
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  switchport trunk native tagged
  switchport trunk allowed vlan 1,11,2074-2075
 controller host 10.195.11.100 pool 1 level 1
 controller vlan 11
!
ap7532 74-67-F7-03-26-9C
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-03269C
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-26-A4
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-0326A4
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-26-B4
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-0326B4
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-28-78
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-032878
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-28-B0
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-0328B0
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-28-D8
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-0328D8
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-37-18
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-033718
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-37-1C
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-03371C
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-37-20
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-033720
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-37-C0
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-0337C0
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-37-E0
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-0337E0
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-37-E8
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-0337E8
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-38-08
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-033808
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-38-34
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-033834
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-38-54
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-033854
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-38-80
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-033880
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-3D-BC
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-033DBC
 controller host 10.195.11.100 pool 1 level 1
!
ap7532 74-67-F7-03-3E-F0
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-033EF0
 interface vlan11
  ip address 10.195.11.110/24
 controller host 10.195.11.100 pool 1 level 1
!
!
end



AP7532

!
! Configuration of AP7532 version 5.8.4.0-034R
!
!
version 2.5
!
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
!
!
mint-policy global-default
!
wlan-qos-policy default
 qos trust dscp
 qos trust wmm
!
radio-qos-policy default
!
aaa-policy esaf01_AAA
 authentication server 1 onboard controller
 authentication server 1 proxy-mode through-controller
 authentication server 1 dscp 46
 accounting server 1 onboard controller
!
aaa-policy esaffuncionarios
 authentication server 1 host 10.10.10.40 secret 0 XXXXXXXXXXXXXXXXXX
 authentication server 1 proxy-mode through-controller
 accounting server 1 host 10.10.10.40 secret 0 XXXXXXXXXXXXXXXXX
 accounting server 1 proxy-mode through-controller
!
dns-whitelist dns_listabranca
 permit XXXXXXXXXXXXX suffix
!
captive-portal Portal
 access-time 720
 inactivity-timeout 21600
 server host 10.195.40.10
 server mode centralized
 simultaneous-users 2000
 webpage internal org-name ESAF
 webpage internal org-signature ESAF
 webpage internal login footer Entre em contato com o administrador caso encontre algum problema.
 webpage internal login main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal login org-background-color #ffffff
 webpage internal login org-font-color #003300
 webpage internal login body-background-color #ffffff
 webpage internal welcome main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal welcome title Seja bem vindo
 webpage internal fail header O acesso foi negado.
 webpage internal fail main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal fail title Falha
 webpage internal agreement header Seja bem vindo
 webpage internal agreement main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal agreement title ESAF
 webpage internal acknowledgement main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal registration description Por favor encontre um momento para registrar-se.
 webpage internal registration header Bem vindo
 webpage internal registration main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal no-service main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 accounting radius
 use aaa-policy esaf01_AAA
 use dns-whitelist dns_listabranca
 webpage internal registration field city type text enable label "City" placeholder "Enter City"
 webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
 webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
 webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
 webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
 webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
 webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
 webpage internal registration field email type e-address enable mandatory label "Email" placeholder "youdomain.com"
 webpage internal registration field via-email type checkbox enable title "Email Preferred"
!
captive-portal PortalFuncionario
 access-time 720
 inactivity-timeout 21600
 server host 10.195.37.2
 server mode centralized
 simultaneous-users 200
 webpage internal org-name ESAF
 webpage internal org-signature ESAF
 webpage internal login description Conecte-se com nome e senha
 webpage internal login footer Conecte-se com nome e senha
 webpage internal login header Conecte-se com nome e senha
 webpage internal login main-logo XXXXXXXXXXXXX.br/imagens/logoesafidg.jpg
 webpage internal login main-logo use-as-banner
 accounting radius
 use aaa-policy esaffuncionarios
 use dns-whitelist dns_listabranca
 webpage internal registration field city type text enable label "City" placeholder "Enter City"
 webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
 webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
 webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
 webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
 webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
 webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
 webpage internal registration field email type e-address enable mandatory label "Email" placeholder "youdomain.com"
 webpage internal registration field via-email type checkbox enable title "Email Preferred"
!
wlan ESAF-01
 description ESAF-Visitantes
 shutdown
 ssid ESAF-Visitantes
 vlan 2074
 bridging-mode local
 encryption-type none
 authentication-type none
 no fast-bss-transition over-ds
 use captive-portal Portal
 captive-portal-enforcement
 ip dhcp trust
!
wlan ESAFFuncionarios
 description ESAF-Servidores
 ssid ESAF-Funcionarios
 vlan 2075
 bridging-mode local
 encryption-type none
 authentication-type none
 wireless-client inactivity-timeout 21600
 wireless-client cred-cache-ageout 43200
 wireless-client vlan-cache-ageout 43200
 use aaa-policy esaffuncionarios
 use captive-portal PortalFuncionario
 captive-portal-enforcement
 relay-agent dhcp-option82
!
wlan ESAFVISITANTES
 ssid ESAF-Visitantes
 vlan 2074
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 wireless-client inactivity-timeout 21600
 wireless-client cred-cache-ageout 43200
 wireless-client vlan-cache-ageout 43200
 wing-extensions move-command
 wing-extensions scan-assist
 wing-extensions ft-over-ds-aggregate
 use aaa-policy esaf01_AAA
 use captive-portal Portal
 captive-portal-enforcement
!
smart-rf-policy smartrfbasico
 group-by area
!
radius-group Esaf01
 guest
 policy vlan 2074
 policy ssid ESAF-Visitantes
 policy day mo
 policy day tu
 policy day we
 policy day th
 policy day fr
 policy day sa
 policy day su
!
radius-group Esaf02
 policy vlan 2074
!
radius-group helpdesk
 policy access web
 policy role helpdesk
!
radius-user-pool-policy visitante
 user Esaf password 0 esaf group Esaf02
 user helpdesk password 0 helpdesk group helpdesk
 user esaf password 0 esaf group Esaf02
!
radius-server-policy radius-esaf
 use radius-user-pool-policy visitante
 use radius-group Esaf01
!
dhcp-server-policy DHCP-ESAF
 dhcp-pool APS
  network 10.195.11.0/24
  address range 10.195.11.111 10.195.11.130
  default-router 10.195.11.1
  dns-server  10.12.1.16
 dhcp-pool ge
  network 192.168.0.0/24
  address range 192.168.0.100 192.168.0.120
 dhcp-pool ESAF
  network 10.195.37.0/24
  address range 10.195.37.10 10.195.37.254
  lease 0 14 26 40
  default-router 10.195.37.1
  dns-server  200.198.205.242 161.48.25.38
 dhcp-pool ESAF-VISITANTES
  network 10.195.40.0/22
  address range 10.195.40.50 10.195.43.254
  lease 0 14 26 40
  default-router 10.195.40.1
  dns-server  200.198.205.242 161.48.25.38
!
!
management-policy default
 telnet
 no http server
 https server
 no ftp
 ssh
 user admin password 1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX role superuser access all
 user teste password 1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX role web-user-admin
 user helpdesk password 1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX role helpdesk access web
 snmp-server community 0 private rw
 snmp-server community 0 public ro
 snmp-server user snmptrap v3 encrypted des auth md5 0 senha00
 snmp-server user snmpmanager v3 encrypted des auth md5 0 senha00
 idle-session-timeout 300
!
profile ap7532 AP-7532
 bridge vlan 1
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
 bridge vlan 10
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
 bridge vlan 100
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
 ip name-server 10.12.1.16
 ip name-server 8.8.8.8
 ip name-server 4.2.2.2
 ip default-gateway 10.195.40.1
 no autoinstall configuration
 no autoinstall firmware
 use radius-server-policy radius-esaf
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
  wlan ESAF-01 bss 1 primary
  wlan ESAFVISITANTES bss 2 primary
  wlan ESAFFuncionarios bss 3 primary
  max-clients 256
 interface radio2
  wlan ESAF-01 bss 1 primary
  wlan ESAFVISITANTES bss 2 primary
  wlan ESAFFuncionarios bss 3 primary
  max-clients 256
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  switchport trunk native tagged
  switchport trunk allowed vlan 1,11,2074-2075
 interface vlan1
 interface vlan11
  description Gerencia
  ip address dhcp
 interface vlan2074
  description Vlan_rede_visitantes
 interface vlan2075
  description Vlan_rede_funcionarios
 interface pppoe1
 use dhcp-server-policy DHCP-ESAF
 use firewall-policy default
 use captive-portal server Portal
 use captive-portal server PortalFuncionario
 rf-domain-manager capable
 logging on
 controller host 10.195.11.100 pool 1 level 1
 service pm sys-restart
 router ospf
!
rf-domain RF-SERPRO
 location ESAF
 contact Serpro
 timezone America/Sao_Paulo
 country-code br
 use smart-rf-policy smartrfbasico
 controller-managed
!
ap7532 74-67-F7-03-26-44
 use profile AP-7532
 use rf-domain RF-SERPRO
 hostname ap7532-032644
 controller host 10.195.11.100 pool 1 level 1
!
!
end

Vankman

Posted 1 year ago

Alona, Employee
You have defined vlan 2074 both as local and tunneled - that's not supported. You are creating loops. Local VLANs - bridged at the AP. Tunnel VLANs are going to the controller and switched there. 
Vankman
Hello Alona,
Is this a problem even if the first WLAN is set to SHUTDOWN?
Thank you for the answer.
Christopher Frazee, Employee
You need to make the following change on the guest WLAN to match the inactivity-timeout on the captive portal:

Current Captive Portal config> inactivity-timeout 21600 (in seconds)
What the WLAN requires> wireless-client hold-time 21600 (in seconds)

This should resolve your current issue. 
Vankman
I will do it and post the result. Thank you!
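
The two checks suggested in the replies above, written as a small offline linter (an added example, not part of the original thread and not vendor tooling). It reads only the top-level wlan and captive-portal blocks, marks shut-down WLANs without excluding them, skips WLANs with no explicit bridging-mode, and applies the hold-time comparison to every WLAN that uses a captive portal, which goes beyond the guest WLAN named in the answer; the function names are hypothetical and the sample is trimmed from the posted configuration.

```python
from collections import defaultdict

# Excerpt trimmed from the configuration posted in the thread (only lines the checks read).
SAMPLE_CONFIG = """\
captive-portal Portal
 inactivity-timeout 21600
!
captive-portal PortalFuncionario
 inactivity-timeout 21600
!
wlan ESAF-01
 shutdown
 ssid ESAF-Visitantes
 vlan 2074
 bridging-mode local
 use captive-portal Portal
!
wlan ESAFFuncionarios
 vlan 2075
 bridging-mode local
 wireless-client inactivity-timeout 21600
 use captive-portal PortalFuncionario
!
wlan ESAFVISITANTES
 ssid ESAF-Visitantes
 vlan 2074
 bridging-mode tunnel
 wireless-client inactivity-timeout 21600
 use captive-portal Portal
!
"""

def parse_blocks(text, kinds=("wlan", "captive-portal")):
    """Return {kind: {name: [child lines]}} for column-0 blocks of the given kinds."""
    blocks = {k: {} for k in kinds}
    current = None
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):          # "!" closes the current block
            current = None
        elif not raw[0].isspace():            # a column-0 line opens a new block
            parts = raw.split()
            wanted = len(parts) == 2 and parts[0] in kinds
            current = blocks[parts[0]].setdefault(parts[1], []) if wanted else None
        elif current is not None:             # indented child of a wanted block
            current.append(raw.strip())
    return blocks

def value(lines, prefix):
    """Return the argument of the first child line that starts with `prefix`."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None

def check_vlan_bridging(wlans):
    """Flag any VLAN that is bridged locally by one WLAN and tunneled by another."""
    by_vlan = defaultdict(list)
    for name, lines in wlans.items():
        vlan, mode = value(lines, "vlan"), value(lines, "bridging-mode")
        if vlan and mode:                     # assumption: unset modes are not guessed
            by_vlan[vlan].append((name, mode, "shutdown" in lines))
    findings = []
    for vlan, members in sorted(by_vlan.items()):
        if {"local", "tunnel"} <= {mode for _, mode, _ in members}:
            detail = ", ".join(
                f"{n}={m}{' (shutdown)' if down else ''}" for n, m, down in members)
            findings.append(f"vlan {vlan}: mixed local/tunnel bridging: {detail}")
    return findings

def check_hold_time(wlans, portals):
    """Flag WLANs whose hold-time differs from their portal's inactivity-timeout."""
    findings = []
    for name, lines in wlans.items():
        portal = value(lines, "use captive-portal")
        timeout = value(portals.get(portal, []), "inactivity-timeout")
        if timeout is None:                   # no portal, or portal without a timeout
            continue
        hold = value(lines, "wireless-client hold-time")
        if hold != timeout:
            findings.append(
                f"wlan {name}: hold-time {hold or 'not set'} does not match "
                f"captive-portal {portal} inactivity-timeout {timeout}")
    return findings

def lint(text):
    blocks = parse_blocks(text)
    return check_vlan_bridging(blocks["wlan"]) + check_hold_time(
        blocks["wlan"], blocks["captive-portal"])

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```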