04-10-2023 10:18 AM
My customer's captive portal has stopped working. I'm using the controller itself to authenticate. The controller log shows timeout and reason code 8, and sometimes reason code 3, and it doesn't open the captive portal page.
Have you seen this problem?
04-13-2023 08:52 AM
You have a cluster between the 2 NX5500s (primary/standby). Captive portal policy is mapped on both controllers as well as the AP7522.
Please remove the captive portal policy from the AP7522.
The firewall is disabled and is required to be enabled for proxy-arp.
The NX5500 VLAN 300 is configured as such:
nx5500 40-83-DE-86-3B-88
interface vlan300
description "Guest outside"
ip address 192.168.110.2/23
nx5500 40-83-DE-86-94-C0
interface vlan300
ip address 192.168.110.2/24
Captive portal policy is configured as such:
captive-portal Captive-Caieras
server host 192.168.110.2
server mode centralized
Please reconfigure the captive portal policy server mode to centralized controller, hosting vlan 300, and use a non-resolvable host name (example: wing.cp.com). Just ensure it's non-resolvable.
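Added example, not part of the original thread or of any vendor tooling: a small audit that looks in a WiNG-style running-config for the conditions the answer above points out (firewall disabled, the same address with different prefix lengths on both cluster members, a captive portal server mapped on an AP). The names audit, SAMPLE and DEVICE are hypothetical, the sample text is constructed from lines quoted in the thread, and treating "!" as the end of a top-level block is an assumption based on the posted config.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt in the style of the posted running-config (only the lines the answer cites).
SAMPLE = """\
firewall-policy default
 no firewall enable
!
nx5500 40-83-DE-86-3B-88
 interface vlan300
  ip address 192.168.110.2/23
!
nx5500 40-83-DE-86-94-C0
 interface vlan300
  ip address 192.168.110.2/24
!
ap7632 DC-B8-08-72-81-79
 use captive-portal server Captive-Caieras
"""

DEVICE = re.compile(r"^((?:nx|rfs|ap)\d+) ((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})$")  # model + MAC header

def audit(config):
    """Return findings for the issues named in the accepted answer."""
    findings, device, iface = [], None, None
    addrs = defaultdict(list)  # interface name -> [(device MAC, IPv4Interface)]
    for line in map(str.strip, config.splitlines()):
        m = DEVICE.match(line)
        if line == "!":
            device = iface = None  # assumption: "!" closes a top-level block
        elif m:
            device, iface = m.groups(), None
        elif line.startswith("interface "):
            iface = line.split()[1]
        elif line == "no firewall enable":
            findings.append("firewall disabled")
        elif device and iface and re.match(r"ip address \d", line):
            addrs[iface].append((device[1], ipaddress.ip_interface(line.split()[2])))
        elif device and device[0].startswith("ap") and line.startswith("use captive-portal server"):
            findings.append(f"captive portal mapped on AP {device[1]}")
    for iface, entries in addrs.items():
        for i, (mac1, a1) in enumerate(entries):
            for mac2, a2 in entries[i + 1:]:
                if a1.ip == a2.ip:
                    findings.append(f"{iface}: {a1.ip} configured on {mac1} and {mac2}")
                if a1.network != a2.network and a1.network.overlaps(a2.network):
                    findings.append(f"{iface}: prefix mismatch {a1.network} vs {a2.network}")
    return findings
```

Lines are stripped before matching, so the check also works on a config pasted without indentation; "ip address dhcp" entries are skipped because they carry no static address to compare.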
04-11-2023 08:09 AM
Please provide the running-config from the controller.
04-12-2023 05:43 AM
This is a summary of the controller's running-config:
!
! Configuration of NX5500 version 5.9.1.5-001R
!
!
version 2.5
!
!
client-identity-group default
load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
permit any
!
firewall-policy default
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
no firewall enable
no ipv6 dos multicast-icmpv6
no ipv6 dos hop-limit-zero
no ipv6 dos tcp-intercept-mobility
no stateful-packet-inspection-l2
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
aaa-policy Guest-Caieras
authentication server 1 onboard controller
aaa-policy wms
authentication server 1 onboard self
!
aaa-policy onboard
authentication server 1 onboard controller
!
association-acl-policy bloqueio
deny 38-E3-9F-C5-BA-B3 38-E3-9F-C5-BA-B3 precedence 1
permit 00-00-00-00-00-00 FF-FF-FF-FF-FF-FF precedence 2
!
captive-portal Captive-Caieras
server host 192.168.110.2
server mode centralized
simultaneous-users 2000
webpage internal org-name default
webpage internal org-signature default
webpage internal login description Por favor, entre com Usuario e Senha para ter acesso a Internet
webpage internal login footer Caso voce nao tenha Usuario e Senha, solicite ao responsavel pela sua visita em nossa empresa.
webpage internal login header Bem vindo a Rede Wireless para Visitantes
webpage internal login title Visitantes - Login
webpage internal login org-background-color #006666
webpage internal login body-background-color #003366
webpage internal login body-font-color #ffffff
webpage internal welcome org-background-color #006666
webpage internal welcome body-background-color #003366
webpage internal welcome body-font-color #ffffff
webpage internal fail org-background-color #006666
webpage internal fail body-background-color #003366
webpage internal fail body-font-color #ffffff
webpage internal agreement org-background-color #006666
webpage internal agreement body-background-color #003366
webpage internal agreement body-font-color #ffffff
webpage internal acknowledgement org-background-color #006666
webpage internal acknowledgement body-background-color #003366
webpage internal acknowledgement body-font-color #ffffff
webpage internal registration org-background-color #006666
webpage internal registration body-background-color #003366
webpage internal registration body-font-color #ffffff
webpage internal no-service org-background-color #006666
webpage internal no-service body-background-color #003366
webpage internal no-service body-font-color #ffffff
accounting radius
use aaa-policy Guest-Caieras
webpage internal registration field city type text enable label "City" placeholder "Enter City"
webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
webpage internal registration field via-email type checkbox enable title "Email Preferred"
!
wlan TVAtmo
ssid TVAtmo
vlan 300
bridging-mode tunnel
encryption-type ccmp
authentication-type none
wpa-wpa2 psk 0 TvAtmo
radius vlan-assignment
use association-acl-policy bloqueio
!
wlan WMS
ssid WMS
vlan 301
bridging-mode tunnel
encryption-type ccmp
authentication-type eap
radius vlan-assignment
use aaa-policy wms
!
wlan guest
ssid guest
vlan 300
bridging-mode tunnel
encryption-type none
authentication-type none
use captive-portal Caieras
captive-portal-enforcement
!
smart-rf-policy 5ghz
assignable-power 5GHz max 20
assignable-power 5GHz min 10
assignable-power 2.4GHz max 20
assignable-power 2.4GHz min 10
!
auto-provisioning-policy AP7522
adopt ap7522 precedence 1 profile 7522provi rf-domain Caieiras serial-number 15345522203853
!
radius-group Guest-Caieras
guest
policy ssid guest
!
radius-group coletor
policy ssid WMS
!
radius-user-pool-policy Guest-Caieras
user guest password 0 guest123 group Guest-Caieras guest expiry-time 09:13 expiry-date 04/27/2023 start-time 09:13 start-date 04/12/2023
!
radius-user-pool-policy coletor
user Softys password 0 @2022 group coletor
user coletor password 0 mobile group coletor
user Softys23 password 0 @2023 group coletor
!
radius-server-policy wms
use radius-user-pool-policy Guest-Caieras
use radius-user-pool-policy coletor
chase-referral
!
!
management-policy default
telnet
no http server
https server
no ftp
ssh
user admin password 1 e8bf04275f2b30113a4571e2fcec8ef86e3be13daa6d969b0695288c95bd1134 role superuser access all
user suporte password 1 34d51d5ac804cb884104a1eb6d225832d3ad194bc6bf59bcaebf802e2b8d016a role monitor access all
user webadmin password 1 751f2004b1f4a6e46f5bb061a0c2e96c7a45da63a5c3b76c6506000b58b06a8e role web-user-admin
snmp-server manager v2
snmp-server community 0 private rw
snmp-server community 0 public ro
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
!
ex3500-management-policy default
snmp-server community public ro
snmp-server community private rw
snmp-server notify-filter 1 remote 127.0.0.1
snmp-server view defaultview 1 included
!
ex3500-qos-class-map-policy default
!
ex3500-qos-policy-map default
!
profile nx5500 Caieiras
ip name-server 10.22.17.75
ip name-server 10.22.33.174
ip default-gateway 10.22.16.1
no autoinstall configuration
no autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface ge1
interface ge2
interface ge3
interface ge4
interface ge5
interface ge6
interface vlan1
ip address 10.22.16.150/20
interface pppoe1
use firewall-policy default
service pm sys-restart
router ospf
router bgp
adoption-mode controller
!
rf-domain Caieiras
location Caieiras
timezone America/Sao_Paulo
country-code br
!
rf-domain default
no country-code
!
nx5500 40-83-DE-86-3B-88
use profile Caieiras
use rf-domain Caieiras
hostname nx5500-master
license AAP 3f278ecc7f51c17e836b856fc57dac2ecf4b83e744eb91cf99e391878cbc04eb8671bd061aebef39
license ADSEC DEFAULT-ADV-SEC-LICENSE
mint level 1 area-id 2
mint tunnel-across-extended-vlan
ip name-server 10.22.17.15
ip name-server 10.22.33.1
ip default-gateway 10.22.16.1
device-upgrade auto nx5500 rfs4000 ap82xx ap81xx ap71xx ap650 ap6532 ap6562 ap621 ap6511 ap6521 ap622 ap6522 ap7502 ap7532 ap7562 ap8533 ap8432
use radius-server-policy wms
interface ge1
no cdp receive
no cdp transmit
interface ge2
speed auto
duplex auto
no shutdown
switchport mode access
switchport access vlan 800
interface ge3
speed auto
duplex auto
switchport mode access
switchport access vlan 400
interface ge4
switchport mode access
switchport access vlan 300
interface ge5
switchport mode access
switchport access vlan 301
interface ge6
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1,300,400
interface vlan1
ip address 10.22.16.11/20
interface vlan300
description "Guest outside"
ip address 192.168.110.2/23
no ip nat
interface vlan301
ip address dhcp
interface vlan400
ip address dhcp
interface vlan500
ip address dhcp
no use dhcp-server-policy
use captive-portal server Captive-Caieras
cluster name Softys-Cluster
cluster member ip 10.22.16.12
cluster master-priority 250
cluster force-configured-state
ip dns-server-forward
logging on
logging console warnings
logging buffered warnings
!
nx5500 40-83-DE-86-94-C0
use profile Caieiras
use rf-domain Caieiras
hostname nx5500-standby
license AAP 9d7072efa8bf4a16c62b40f0d5203fa497c380d50c5595c58a29c3d278e42b83afe0208bddbe4e6c
license ADSEC DEFAULT-ADV-SEC-LICENSE
use radius-server-policy wms
interface ge2
switchport mode access
switchport access vlan 300
interface ge3
switchport mode access
switchport access vlan 400
interface ge5
switchport mode access
switchport access vlan 301
interface ge6
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1,300,400
interface vlan1
ip address 10.22.16.12/20
interface vlan300
ip address 192.168.110.2/24
interface vlan301
ip address dhcp
interface vlan400
ip address dhcp
use captive-portal server Captive-Caieras
cluster name Softys-Cluster
cluster mode standby
cluster member ip 10.22.16.11
!
ap7632 DC-B8-08-72-81-79
use profile default-ap7632
use rf-domain Caieiras
hostname AP-DiretoriaCD
ip default-gateway 10.22.16.1
use radius-server-policy wms
interface radio1
wlan WMS bss 1 primary
wlan guest bss 2 primary
interface vlan1
ip address 10.22.16.203/20
use captive-portal server Captive-Caieras
!
!
end
04-11-2023 06:16 AM
Looks like this:
Reason Code 8 Disassoc because STA is leaving BSS
Reason Code 3 Deauth because sending STA is leaving IBSS or ESS