
 security-object [SSID] security additional-auth-method captive-web-portal

Markus Ottmann posted 03-16-2022 06:55
Hi community,

does anyone have an idea what causes the above entry in the configuration of an AP510C?
This results in showing a CWP after connecting with a PPSK, even though there is no additional CWP configured or enabled and we don't want that yet.
After removing this command via the CLI the CWP did not appear. But the entry comes back after AP restart or configuration update via XIQ.

Best regards
Sam Pirok
Hi Markus, thanks for the details here. Would you be able to add me as an external admin to your VIQ instance temporarily so I can check the current setup to see if I can find what is causing that issue? This guide reviews how to add an external admin; if you could please add me with the email spirok@extremenetworks.com, that would be great.

I'll also need to know your organization name so I can find your instance in the list of instances I have access to. You can find your organization name in the Global Settings of XIQ> Account Details> Scroll down to the Organization Information section and the organization name should be the first thing listed here. 

Please also let me know what network policy to look at if you have more than one made currently. 

If you'd rather send the VIQ information to me directly, please feel free to email me at the email above or community@extremenetworks.com.
Don E
We have the same issue that started around 3-11/3-15-22 timeline. It has been added to the delta config for all (approx. 5800) of our APs (models 230, 250, 1130, 410C and 460C) that include the PPSK SSID which has mostly user keys with the database location in the cloud as opposed to local. We have a GTAC case open. Right now I manually correct with the CLI [no ...command] and save conf. I could add to the sup CLI, but that's a patch.
Thank you
Mike Coughlin
Hello Markus,

This issue can appear when we configure a PPSK SSID that contains PPSK groups using both Local and Service user databases. The supported configuration is to use PPSK groups of only one type or the other per SSID. Generally speaking, Service or cloud-based credentials are a bit more convenient.

-Mike Coughlin
Don E
Good morning Mike,

This is a new issue with XIQ Pilot. I have been using the same SSID with Local and Cloud DBs since 10-1-21 with no ill effects until last week.
Something changed.

Markus Ottmann
Update: Our reseller has a statement from GTAC. They told us

... that the bug has been filed with high priority ... 

and we have to workaround this issue with supplemental CLI commands, which also does not work correctly.

I am excited about the next XIQ update.
Don E
Good news, we got a message back from our case number that this issue would be addressed with the XIQ (ia-gcp instances) update.
Extreme message: "Hi Don, it looks like 22.3 is scheduled to go live the week of 05/01/2022 - 05/08/2022. I will let you know if that changes." 

For us, our workaround after an update with the CLI "No" command plus a "save config" works, but I can't update again because the XIQ believes that command should be in the AP and puts it back into the delta automatically.

Looking forward to this being fixed too.
Markus Ottmann
After the last XIQ update we deployed the new firmware implementing a complete configuration update to one access point. The command "security-object [SSID name] security additional-auth-method captive-web-portal" still persists in the configuration but with no side effects. None of the PPSK clients were faced with an additional CWP authorization.
Anthony Watkins
We've just started having this issue at my workplace now too. We've a public WiFi with no web portal that suddenly (at least to devices running Android) now has a portal to get through. I've verified in XCC that no such config is in place. Just wanted to raise my hand and say I'm seeing this too.