10-25-2018 12:09 AM
Hello.
We are using 802.1X external RADIUS authentication (AD) and an external DHCP server (MS). All my access points are Aerohive only, models AP230 and AP1130. Nothing else. All of them are using PoE and supporting two VLANs, one for management and one for the end user wireless network. On all my access points I have the same network policy.
Recently we had to activate CWP for our organization wireless agreement. It is pretty simple. In order to connect and use our wireless network, the end user has to accept the agreement.
I'd say I have three separate issues with CWP in my case, and I'm listing them with the most important at the top and the least important at the bottom.
1) The majority of the time, the end user is not getting a popup window regardless of the OS they are using. Usually it is Windows 7/10, OSX, iOS, or Android. When end users do not see the agreement but see that they are connected to the SSID, they end up calling the helpdesk and complaining. Our helpdesk is informing them to either go to the CWP web address directly or to go to a random website on the Internet, and the agreement then shows as a web page. In my case we are talking about thousands of end users. How can I make sure the agreement pops up on whatever device is connected to my wireless network?
2) Sometimes people cannot connect. I'm trying to help them personally, but no matter what I cannot help them because the agreement is not showing even after a reboot and deleting the cache. I manage to connect them once, for instance, and their laptop disconnects, and after that I cannot manage to connect them at all. These cases are rare, but they do occur and I cannot find a pattern. However, if there is no CWP, the person has no problem connecting to the network.
3) I tried to extend the registration time from 6 hours to one week, so people have to click it only once a week. That didn't work at all and regardless of the settings, the wireless agreement has to be confirmed pretty much every morning, or even sometimes when they move from one access point to another.
I do have a ticket open with Aerohive, but I wanted the input of some people who might have experienced such issues and solved them somehow.
Currently I was forced to disable the agreement and left only a test SSID with an agreement so I and the rest of the IT personnel can experiment.
Thank you in advance for your answers and time.
George Z
10-26-2018 01:33 PM
Hi George,
2) Yes please, if you can find the client MAC that you are seeing failures on at the time, please select that MAC to troubleshoot, select up to 10 APs that you think that client has a chance to connect to during your test, and then retest to see what the client monitor is seeing.
3) Thanks for that screen shot, that helps clear things up. Just to make sure, what I'm understanding the requested functionality to be is that users come in to your network, accept the UPA, connect to the SSID, leave your network at the end of the day, reenter the network at the start of the next day, and connect to your SSID without needing to accept the UPA until a week from the original UPA acceptance. Please let me know if I'm missing anything there, but if that is what we're aiming for I'm sorry to say we aren't going to be able to set that up.
To explain, the registration period you are setting there does indeed set the amount of time between when a user accepts the UPA and when they should be prompted for the UPA agreement again. However, unless your clients are continually connected for the entire registration period you set here, this won't work quite like you want. When the user leaves the network, the APs start a countdown (you can adjust these settings in the additional settings of the SSID), and when they reach the end of that countdown, if the user is still disconnected, they remove the client device information for that user from their roaming cache. If the client's data is not in the roaming cache, they will have to go through the CWP as if they were a brand new user on the network, because as far as the APs are concerned, they are a brand new user.
The additional settings I was talking about can be found by going to Configure > Open the Network Policy > Open the SSID > Expand Additional Settings within the SSID > Click CUSTOMIZE next to Optional Settings > Scroll down to the Client Related Network Settings section:
This page will explain what each of these settings will do (it's a long page but you just need the "Client Related Network Settings" section): https://docs.aerohive.com/330000/docs/help/english/ng/Content/gui/configuration/configuring-ssid-additional-settings.htm?Highlight=Client%20Related%20Network%20Settings
Please let me know if I can clarify anything.
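The interaction described in the reply above, between the registration period and removal from the roaming cache, as an added example (a simplified model written for this page, not Aerohive code and not part of the original post). The function name `replay`, the parameter names, the hour-based time units and the session times are all assumptions made for illustration.

```python
def replay(sessions, registration_period, cache_ageout):
    """Return [(time, reason)] for every time the client is sent to the CWP.

    sessions: constructed list of (connect, disconnect) times in hours, sorted.
    registration_period: hours between UPA acceptance and the next forced prompt.
    cache_ageout: hours the APs keep a disconnected client in the roaming cache
                  (hypothetical name for the countdown the reply describes).
    """
    prompts = []
    accepted_at = None      # when the UPA was last accepted
    last_disconnect = None  # when the client last left the network
    for start, end in sessions:
        if accepted_at is None:
            reason = "first visit"
        elif start - last_disconnect > cache_ageout:
            # Countdown ran out while away: the APs treat this as a new client,
            # whatever the registration period says.
            reason = "cache entry removed"
        elif start - accepted_at >= registration_period:
            reason = "registration expired"
        else:
            reason = None
        if reason:
            prompts.append((start, reason))
            accepted_at = start
        # A client that stays connected is re-prompted when the period elapses.
        while accepted_at + registration_period < end:
            accepted_at += registration_period
            prompts.append((accepted_at, "registration expired"))
        last_disconnect = end
    return prompts


# Constructed timeline: morning, 15-minute break, afternoon, then next morning.
SESSIONS = [(8, 12), (12.25, 17), (32, 41)]

if __name__ == "__main__":
    # One-week registration period, 30-minute countdown: the overnight gap
    # still forces the CWP on day two.
    print(replay(SESSIONS, registration_period=168, cache_ageout=0.5))
    # Same week-long period with a hypothetical 24-hour countdown, for contrast.
    print(replay(SESSIONS, registration_period=168, cache_ageout=24))
```

In this model the registration period only matters while the cache entry survives, which matches the behaviour reported in the thread: raising it from 6 hours to one week changes nothing for clients that go home overnight.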
12-28-2018 07:09 PM
This is very annoying.
At other CWPs, such as at a hotel, you can connect your device, leave, connect somewhere else (restaurant), go back to the hotel, and you are still connected, without going through the CWP again.
Aerohive needs a way to allow this. I don't see why not.
10-26-2018 08:20 PM
About 2) I don't have a test environment at the moment because I had to shut down the general UPA (as you call it) for everybody minus a single test SSID.
I understand 3) completely. Thank you a lot for your detailed explanation. I see why it will not work the way the upper management wants it. Combined with 1), 3) is becoming a hassle. Why?
Because let's say I've an iPhone connected to the wireless network. I'm confirming the UPA and I'm on. Everything works fine. I increase the inactive time to its max of 30 mins. I cannot guarantee I'm going to check my phone in up to 30 minutes every time. So if I exceed 30 mins, I'm automatically disconnected from the AP. OK. I grab the phone and it connects to the WiFi network and I'm getting an indication for that. Great. I don't get a popup window to confirm the agreement, so it looks to me the phone is connected but in reality I'll not get any emails, any iMessages, anything network related unless I decide to open a browser and start browsing something, and then I'll find out I've to accept the UPA.
That will be the situation as well if I step out of the office for more than 30 minutes. We all got used to getting connected to the WiFi automatically once we are in range. In that case it shows connected but I'll have no idea this is not true because no popup.
Now multiply that about 10,000 times because that's the amount of users I've daily on my wireless network... I guess you start feeling my frustration. Our helpdesk is getting slammed with tickets stating "wireless not working". We are talking about an average of 10-20 tickets per minute.
Thank you a lot for all your time explaining to me in such detail how the whole thing works. I really appreciate it.
Does anybody know about a third party solution to the issue I'm facing? Something like ForeScout for instance?
Thank you.
10-25-2018 10:50 PM
Hi Sam,
1) Got it.
2) I see a lot of things. What should I look for? That specific user's status?
3) I'm attaching a screenshot: