Captive Portal Troubleshooting - Basic Slides

Captive Portal Troubleshooting


We will be covering the following Captive Portal issues that customers
frequently report:
• Pre-Registration: User is never redirected to or presented the captive
portal page to login/register.
• Post Registration: User was presented the captive portal page and was
able to register, however, after submitting the registration, the page
remains on a “Network Registration in progress…” page.

Note: The Captive Portal server will be referred to as a NAC, but the contents
are applicable to any Captive Portal server.

2 CONFIDENTIAL. ©EXTREME NETWORKS, INC. ALL RIGHTS RESERVED.


Pre-Registration: Correct Role assigned
Issue 1: User is never redirected to or presented the captive portal page to
login/register.
In order for the Captive Portal experience to function properly, the user must have
the correct Role assigned. The correct Role will always be “Unregistered role for
[networkname]”. In the example below with a WLAN of “Training”, the Role that
will be assigned is “Unregistered role for Training”. If it shows as “Unregistered” or
any other Role, this is incorrect.
1. To verify they have the correct role, go to Monitor -> Clients and search for the
user.



Pre-Registration: Correct Role assigned (cont.)
“Unregistered role for [networkname]” is a system-created Role and will not be
visible in the GUI. It is created automatically when “Enable Captive Portal” is
enabled under the WLAN.



Pre-Registration: Correct role assigned (cont.)
2. If the user does not have “Unregistered role for [networkname]”,
then verify the XCC is receiving the correct Filter-ID and Login-LAT-
Port from the NAC within the RADIUS Accept packet.

The correct values are:


Filter-ID: Enterasys:version=1:policy=Unregistered role for Training
Login-LAT-Port: 0



Pre-Registration: Correct role assigned (cont.)
3. Verify these values in a packet capture by starting a TCPDump from the
XCC/XIQC GUI (Tools -> Diagnostics -> TCPDump Management) as seen below
(left). Ask the user to connect, then stop and review the packet capture. If the
NAC is configured correctly, within the RADIUS Accept packet for the user, the
contents should show as the correct values (right):

Select the management interface, and not “Admin”.



Pre-Registration: Network Connectivity to Captive Portal
4. Once the user is receiving the correct Role, verify if we can manually connect
to the NAC (also referred to as “direct-dialing”). This will help identify if it is a
redirect issue with the XCC / XIQC or a network related issue.
Take the URL from the “ECP URL” field and manually enter it into the URL bar
on the user device.



Pre-Registration: Network Connectivity to Captive Portal (cont.)
If there is network connectivity to the NAC, the Captive Portal will load; otherwise,
an error will display.



Pre-Registration: Network Connectivity to Captive Portal (cont.)
If the user can direct-dial the Captive Portal but is not redirected, and a B@AC
Topology is assigned as the Default VLAN under the WLAN, the topology must have
a Layer 3 (L3) presence for the redirect component to function.
5. From within the “Training” WLAN, locate “Default VLAN” at the bottom of the
window and click the edit icon.



Pre-Registration: Network Connectivity to Captive Portal (cont.)
6. Verify the VLAN/Topology shows a Layer 3 presence.

The IP address of 10.0.250.6 under Remote Settings represents the IP address of the
topology on the other controller in the availability pair.

Pre-Registration: Network Connectivity to Captive Portal (cont.)
If the user cannot direct-dial the NAC, try to ping the NAC. The “Unregistered role
for [networkname]” has an Allow /32 Rule for the IP/FQDN defined in the ECP URL
under the WLAN, so the user should be able to ping it. If they cannot, escalate to
the next level of support.
If the ECP URL is a FQDN instead of an IP as shown below, there could be an issue
with DNS.



Pre-Registration: Network Connectivity to Captive Portal (cont.)
On the client device, execute “nslookup” on the value within the ECP URL.
If it does not resolve, then there could be an issue with DNS.
As a test, replace the ECP URL with the IP of the NAC and see if the
process works properly. If so, there is an issue with DNS that needs to be
investigated.
Note: If a FQDN is in the ECP URL, pinging the IP of the NAC will not work
as there will be a Layer 7 Allow for the FQDN and no longer the Allow /32
for the IP.



Post Registration: Correct Role
Issue 2: User was presented the captive portal page and was able to register,
however, after submitting the registration, the page remains on a “Network
Registration in progress…” page and the progress animation spins indefinitely.
After submitting the registration, verify we have received the correct Role. The
most common Auth Role is “Guest Access” or “Enterprise User”, but it’s up to the
customer on how it was configured.
The Auth Role will never be “Unregistered role for [networkname]”. As done for the
Non-Auth (Unregistered) state, check both the Client report and the RADIUS CoA
Request packet.



Post Registration: Correct Role (cont.)

Look at the packet capture. We see the RADIUS CoA Request from the NAC for the
client has the correct Filter-ID (Enterasys:version=1:policy=Guest Access) and
Login-LAT-Port (1), along with the XCC responding with RADIUS CoA ACK.
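
The two capture checks in these slides (the RADIUS Accept for the unregistered state and the CoA Request after registration) can be scripted; this is an added example, not part of the original slides. It assumes the RADIUS payload has been exported from the capture as raw bytes and that Login-LAT-Port is carried as the ASCII text "0" or "1"; parse_radius, check_role and build are hypothetical names.

```python
import struct

ACCESS_ACCEPT, COA_REQUEST = 2, 43       # RADIUS codes (RFC 2865, RFC 5176)
FILTER_ID, LOGIN_LAT_PORT = 11, 63       # attribute types (RFC 2865)
PREFIX = "Enterasys:version=1:policy="   # Filter-ID format shown in the slides

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [raw values]}) for one RADIUS payload."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def check_role(packet: bytes, role: str, lat_port: str):
    """Return a list of mismatches; an empty list means the packet is as expected."""
    code, attrs = parse_radius(packet)
    if code not in (ACCESS_ACCEPT, COA_REQUEST):
        return [f"RADIUS code {code} is not an Access-Accept or CoA-Request"]
    problems = []
    got_fid = [v.decode("utf-8", "replace") for v in attrs.get(FILTER_ID, [])]
    if PREFIX + role not in got_fid:
        problems.append(f"Filter-ID is {got_fid}, expected {PREFIX + role!r}")
    # Assumption: Login-LAT-Port travels as the ASCII text "0" or "1".
    got_port = [v.decode("ascii", "replace") for v in attrs.get(LOGIN_LAT_PORT, [])]
    if got_port != [lat_port]:
        problems.append(f"Login-LAT-Port is {got_port}, expected {lat_port!r}")
    return problems

def build(code: int, filter_id: str, lat_port: str) -> bytes:
    """Constructed sample payload with a zeroed authenticator, not a real capture."""
    avps = ((FILTER_ID, filter_id.encode()), (LOGIN_LAT_PORT, lat_port.encode()))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    pkt = build(ACCESS_ACCEPT, PREFIX + "Unregistered", "0")  # wrong role name
    print(check_role(pkt, "Unregistered role for Training", "0"))
```
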



Post Registration: Role Assigned to AP Profile
1. Verify the role exists by checking under
Configure -> Policy -> Roles
We see that the Guest Access role has
been created and does exist on the
XCC/XIQC.



Post Registration: Role Assigned to AP Profile (cont.)
2. Verify the RADIUS Accept contains the correct Filter-ID. If the Role is still
not assigned, verify that it is enabled under the AP Profile.
3. Go to Configure -> Sites (and select the one in use) -> Device Groups (select
the one in use) -> Edit the AP Profile and navigate to the Roles tab.



Post Registration: Allow Rule for NAC (and DNS)
The user has received the correct Role,
yet the webpage shows “Network
Registration in progress…” with a
progress animation that never
completes. Also, if the client opens a
new browser tab, they are able to
navigate the Internet.
Sometimes, the customer’s Auth Role
(especially for Guest networks) blocks all
the private IP subnets. The client still
needs to communicate with the NAC after
authenticating for this page to
complete. The Rules within the Role
read top-down like an ACL, so an Allow
must be added for the NAC IP before the
Denys. If the DNS server is internal, an
Allow for that is needed as well.

Post Registration: Allow Rule for NAC (and DNS) (cont.)

4. To add these rules, go to the Roles (Configure -> Policy -> Roles) and select
the Auth Role (Guest Access in this example) and add Allow for NAC and DNS.

You’ll then see that NAC and DNS show as Allowed under the Auth Role of Guest
Access.
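
The rule-ordering point above, as an added example that is not part of the original slides: a first-match evaluator run over three versions of a Guest Access style role. The NAC and DNS addresses, the rule lists and the function names are constructed for illustration, and unmatched traffic is assumed to be denied.

```python
import ipaddress

def first_match(rules, dst):
    """Return (action, rule_index) for dst; rules are read top-down, first match wins."""
    ip = ipaddress.ip_address(dst)
    for index, (action, network) in enumerate(rules):
        if ip in ipaddress.ip_network(network):
            return action, index
    return "deny", None  # assumption: traffic matching no rule is denied

def denied_services(rules, services):
    """Return {name: rule_index} for each required service the role denies."""
    denied = {}
    for name, ip in services.items():
        action, index = first_match(rules, ip)
        if action != "allow":
            denied[name] = index
    return denied

# Constructed addresses; substitute the customer's NAC and internal DNS server.
SERVICES = {"NAC": "10.0.100.20", "DNS": "10.0.100.53"}
BLOCK_PRIVATE = [("deny", "10.0.0.0/8"), ("deny", "172.16.0.0/12"),
                 ("deny", "192.168.0.0/16"), ("allow", "0.0.0.0/0")]
ALLOWS = [("allow", "10.0.100.20/32"), ("allow", "10.0.100.53/32")]

GUEST_BROKEN = BLOCK_PRIVATE                                        # no Allow for NAC/DNS
GUEST_MISORDERED = BLOCK_PRIVATE[:3] + ALLOWS + BLOCK_PRIVATE[3:]   # Allows after the Denys
GUEST_FIXED = ALLOWS + BLOCK_PRIVATE                                # Allows before the Denys

if __name__ == "__main__":
    for label, role in (("broken", GUEST_BROKEN), ("misordered", GUEST_MISORDERED),
                        ("fixed", GUEST_FIXED)):
        print(label, denied_services(role, SERVICES))
```

In the broken and misordered roles the client can still browse the Internet (the final Allow matches public addresses) while the NAC and DNS are caught by the first Deny, which matches the stuck "Network Registration in progress…" symptom.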

