Wireless Client Disconnects After Captive Portal Registration

Userlevel 5

This is probably a checkbox somewhere I can't find, but the symptom is that whenever a wireless client finishes the captive portal registration process for Guest Web Registration, it will disconnect the client and will not reconnect until I drop-out of the auto client pop-up, and then re-select the SSID again? It will then connect as it should and the correct NAC rule is applied prior to the disconnect?

The IP address is the same when unregistered as registered, just the registered device gets a policy that allows all, whereas the unregistered is redirect to NAC. The unregistered and registered policy both have the same contain to VLAN configuration.

The set up for the Guest VNS is B@EWC which goes out of the second eth port on the virtual wireless controller. This port is tied to an internet only vSwitch that's connected to the internet firewall and the second eth port on the NAC.

The wireless controller is running version

Not sure if anyone has had the same problem?

Many thanks in advance.

7 replies

Userlevel 6
Hey Martin,

As long as the client's IP address doesn't change between Unregistered and Registered you may be able to use CoA and prevent any wireless disconnect.

In NAC Manager --> Tools --> Management and Configuration --> Advanced Configuration --> Global and Appliance Settings --> Appliance Settings --> Default

In the "Reauthentication" tab edit the Extreme Identifi Wireless RFC 3576 configuration and make sure "Supports Change of Authorization" is checked.

With CoA NAC will send a CoA request instead of a "Disconnect' request to the controller on registration and there should be a policy swap instead of a disconnect and subsequent re-authentication to get the new policy.

This mechanism doesn't work well in any scenario where the end-system IP address moves from one network to another. The policy swap will perform a dynamic policy swap, so if the client gets an IP address in VLAN A and moves to VLAN B the client will have the wrong IP address in the new VLAN. The "Disconnect" mechanism causes the end system to perform DHCP again.

Userlevel 5
I believe you are having timing issue. Please make sure that both - wireless controller and NAC are 100% in sync in terms of NTP . You can run ‘ntpq -p’ command on NAC as well as ‘date’ to make sure the time is good. On controller -just check the current time in GUI , it should be exactly match the time on NAC. Other things mentioned by Ryan is also good thing to check - CoA and that client are not moving between different VLANs feom non-auth to auth state.
Userlevel 5
Thanks for your posts.

Double checked the times on all the devices i.e both NAC's, EWC, NetSight and Switches. All are in perfect sync having used NTP.

Below is a screenshot of what I believe is the configuration outlined above but it looks like CoA is already enabled?

NAC Version is

Assume I'm in the right place?

Userlevel 4
Can you check if you hava inter-wlan roaming enabled..if yes disable it. So that the new policy can take place without new association. Rgds Umut
Userlevel 5

Just to let you know inter-wlan roaming was enabled but it didn't unfortunately resolve the issue when disabled.

When going through the registration process, the moment you select the 'Complete Registration' you can see the end-system in NAC change immediately to the new rule with the allow policy.

I had been using the AutoLogin client, which just gets you as far as displaying "Network Registration In Progress", and you never get the WiFi bars until you drop out and then re-select the SSID.

I turned off AutoLogin and get exactly the same thing, where your stuck at 'Network Registration in Progress' but this time you have the WiFi bars. If you then put in google it will go there.

So I don't think the problem now is the fact that it is perhaps getting a disconnect, it might be to do with the fact the Guest Device is essentially connected to a network complete separate from the internal network (eth1 on EWC) and some communication isn't happening between the guest wireless device and NAC possibly?
Userlevel 6
Does the client have connectivity to the NAC once it's moved into the Guest Registration role?

When the client is at the "Network Registration in progress" page it's continuously attempting to contact the NAC. Once it's been re-authenticated, and it contacts the NAC, NAC will run it through a rules evaluation to confirm the transition has occurred and then will send the registration success page.

If the client doesn't have http/https connectivity to NAC after transition this will not occur and the client will be stuck at Registration in Progress.

You can also try the captive portal "Redirect immediately" option in the NAC Captive portal "Network Settings" section. This makes it so instead of contacting the NAC it will try to hit the googlefav icon site configured, and once it can get out it will skip the "registration success" page and hit either the URL configured, or URL from the client, depending on what you have configured.

Userlevel 5
Nice one.... the reason why this forums so good, even on a Sunday too!

So many great ideas, all worth checking off and the latter that did the trick - the 'redirect immediately' works for me in this particular scenario.

Many thanks for all the support and all the knowledgeable posts.