Android users not getting redirected to ISE captive portal

tmnetsec
Level 1

We have recently deployed a wireless guest CWA solution that involves 9800 WLCs, ISE and Checkpoint firewalls. Our topology is

Guest VLAN 100 ->AP->Primary WLC<via mobility>Anchor WLC<>Checkpoint Int4.100 (VLAN interface)

ISE<>Checkpoint Int5

Android users are getting a DHCP IP but are not getting redirected to the ISE portal for guest registration. The issue observed is that the Checkpoint sends a broadcast requesting the IP of the Android MAC address and does not get a response back from the Android. The ARP entry on the Checkpoint shows as 'Incomplete' and is eventually removed from the ARP cache as the Android does not respond to this request. Disabling the randomized MAC address feature on the Android sometimes helps and the user gets the ISE portal, but this is not always the case.

The ISE logs show that it issues the redirect ACL and an essential license is consumed. The guest VLAN DHCP scope was configured on the anchor WLC and was later moved to the Checkpoint, but the issue persisted.

Other devices like Apple devices, laptops, etc. get the captive portal and can connect fine. Out of ideas at the moment.

9 Replies

tmnetsec
Level 1

Packet captures on the Checkpoint and the Anchor WLC show multiple entries like the following, indicating that the Android is not replying to the ARP broadcast from the Checkpoint:

arp request.PNG

172.16.157.252 is the DHCP IP assigned to the Android, and 172.16.157.3 is the Checkpoint gateway.

Output of the show arp command on the Checkpoint, which eventually times out as there is no response from the Android:

incomplete arp.PNG
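The two captures above are read by eye in the post. The script below is an added example (not from the thread or from any Cisco/Check Point tool) that does the same correlation over a list of raw Ethernet/ARP frames: it pairs each ARP request with a reply from the target IP, reports targets that never answer (the addresses that end up as 'Incomplete' on the gateway), and checks whether the DHCP-leased MAC for each silent target has the locally-administered bit set, which is how randomized client MAC addresses are marked. All frames, MAC addresses and the lease table are constructed sample data; the gateway IP 172.16.157.3 and client IP 172.16.157.252 are the ones given in the post.

```python
"""Correlate ARP requests with replies and flag targets that never answer.

Added example. Frames, MACs and the lease table are constructed samples;
only the two IP addresses come from the forum post.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpFrame:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST) -> bytes:
    """Build an Ethernet II frame carrying an ARP packet (used only to construct sample input)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes):
    """Return an ArpFrame for an Ethernet/ARP-over-IPv4 frame, or None for anything else."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpFrame(op, mac_str(body[0:6]), str(IPv4Address(body[6:10])),
                    mac_str(body[10:16]), str(IPv4Address(body[16:20])))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set, i.e. a randomized/non-OUI address."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def unanswered_requests(frames) -> dict:
    """Map target IP -> number of ARP requests for it that no reply from that IP ever answered."""
    requests, answered = {}, set()
    for arp in map(parse_arp, frames):
        if arp is None:
            continue
        if arp.op == ARP_REQUEST:
            requests[arp.target_ip] = requests.get(arp.target_ip, 0) + 1
        elif arp.op == ARP_REPLY:
            answered.add(arp.sender_ip)
    return {ip: n for ip, n in requests.items() if ip not in answered}


def report(frames, leases) -> list:
    """(target IP, leased MAC, unanswered request count, MAC is locally administered) per silent host."""
    rows = []
    for ip, count in sorted(unanswered_requests(frames).items()):
        mac = leases.get(ip, "unknown")
        randomized = mac != "unknown" and is_locally_administered(mac)
        rows.append((ip, mac, count, randomized))
    return rows


# Constructed sample: gateway MAC and two client MACs are made up for this example.
GW_MAC, GW_IP = "00:1c:7f:aa:bb:cc", "172.16.157.3"
ANDROID_MAC, ANDROID_IP = "da:a1:19:3c:7e:21", "172.16.157.252"   # U/L bit set
LAPTOP_MAC, LAPTOP_IP = "3c:5a:b4:11:22:33", "172.16.157.250"     # U/L bit clear

SAMPLE_LEASES = {ANDROID_IP: ANDROID_MAC, LAPTOP_IP: LAPTOP_MAC}
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, GW_MAC, GW_IP, "00:00:00:00:00:00", ANDROID_IP),
    build_arp(ARP_REQUEST, GW_MAC, GW_IP, "00:00:00:00:00:00", ANDROID_IP),
    build_arp(ARP_REQUEST, GW_MAC, GW_IP, "00:00:00:00:00:00", LAPTOP_IP),
    build_arp(ARP_REPLY, LAPTOP_MAC, LAPTOP_IP, GW_MAC, GW_IP, dst_mac=GW_MAC),
    build_arp(ARP_REQUEST, GW_MAC, GW_IP, "00:00:00:00:00:00", ANDROID_IP),
]

if __name__ == "__main__":
    for ip, mac, count, randomized in report(SAMPLE_FRAMES, SAMPLE_LEASES):
        print(f"{ip} ({mac}) ignored {count} ARP requests; randomized MAC: {randomized}")
```

On a real capture, replace SAMPLE_FRAMES with the raw frames read from the pcap (any pcap reader that yields link-layer bytes works) and SAMPLE_LEASES with the DHCP binding table; a host that appears in the report with a locally-administered MAC is a candidate for the randomized-address behaviour described in the post, whereas a silent host with a vendor OUI points elsewhere (for example, broadcast not being forwarded over CAPWAP).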

Rich R
VIP

What model of 9800?
What version of software?

Have you looked at the ARP proxy feature?
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_arp_proxy.html

Foreign WLC is 9800-40 and Anchor WLC is 9800-L. Both running 17.3.6.

Yes, I have the ARP proxy feature enabled.

I should also have asked what model of AP?

- The wave 2 AP bugs (see Leo's list below) are mostly supposed to be resolved in 17.3.6. Do you also have all the 17.3.6 APSPs installed (if not, you should)? 17.3.7 (which includes all the APSP fixes) is also out now but ...
- I'm a bit dubious about all the strange problems like this which people report in 17.3. We never used it - we couldn't go live till 17.6 (needs features which only came after 17.3) and have been on that and 17.9 since, and quite stable. 17.3 is now approaching end of life, so it might be a good idea to start planning an upgrade to 17.6.5 or 17.9.3 anyway, and if you're lucky it might even resolve your issue; otherwise I think you're heading for a TAC case.

Hi Richard - The APs are 9130AXE running the 17.3.6.76 code.

tmnetsec
Level 1

I have found a workaround. From the Android phone's Chrome browser, if I manually type the IP address of the Checkpoint (gateway IP), the Checkpoint learns the MAC address of the Android and then the ISE's portal page opens up in a new window.

Thinking this could be the Android phones, as the Apple and Windows devices can connect without any issues. But the same Android phone works in public cafes, hotels, etc. without any issues.

Just an FYI, the Checkpoint gateways are running R81.10 with the latest JHF.

Do the WLCs forward the broadcast via the CAPWAP tunnel towards the APs/wireless clients? Packet captures on the anchor and foreign WLC show that the broadcast is received from the Checkpoint, but I cannot tell whether the broadcast is being forwarded towards the AP and wireless clients.

Is there any way I can do a capture on the AP to see the ARP broadcast? Can't find any software which does packet captures on Android.

We have a similar problem (Android, Windows, ...): the client does not receive DNS replies from the DNS server, so no web authentication page opens. As an initial workaround we enabled "passive client" for the involved policy. Cisco is working on a solution.

Did you find any solution other than typing the IP address? We have the exact same situation with Checkpoint Gateway and no redirect to the ISE Guest portal, only for Android devices.

BR and Thanks!
