Captive Portal will not work after supplicant fail

jonha134

Captive Portal will not work after supplicant fail

Post by jonha134 »

We have enabled 802.1x on our 6850 switch. Domain clients are authenticated using PEAP-TLS with client certificates. However, we want to provide Internet access to visitors using Captive Portal. It works fine if they have the Wired Autoconfig service turned off (i.e. the 802.1x agent on Win clients). If they have the service turned on because they use 802.1x somewhere else, the switch will of course try to authenticate them directly (which will fail since they are not domain members). We believe we have configured the switch to redirect users to Captive Portal if the 802.1x authentication fails, but it appears as if the client will not get a DHCP address (the IPv4 autoconfiguration address appears and the client will not be redirected).

Here are the specific commands we think should do the trick:

Code:

802.1x 1/x supplicant policy authentication fail captive-portal

But why doesn't the client get a CP DHCP address after fail?

The RADIUS logs tell me "Network Policy Server denied access to a user."
Wireshark tells me that the RADIUS server answers with code 3 "Access-Reject".

Here is the entire configuration:

Code:

Welcome to the Alcatel-Lucent OmniSwitch 6000
Software Version 6.4.2.807.R01 GA, August 27, 2009.

Copyright(c), 1994-2009 Alcatel-Lucent. All Rights reserved.

OmniSwitch(TM) is a trademark of Alcatel-Lucent registered
in the United States Patent and Trademark Office.

-> show configuration snapshot
! Stack Manager :
! Chassis :
system name OS6850-<placering>
system timezone +01:00
! Configuration:
! VLAN :
vlan 1 enable name "VLAN 1"
vlan 20 enable name "VLAN 20"
vlan 20 port default 1/11
vlan 20 port default 1/12
vlan 20 port default 1/13
vlan 20 port default 1/14
vlan 20 port default 1/15
vlan 20 port default 1/16
vlan 20 port default 1/17
vlan 20 port default 1/18
vlan 20 port default 1/19
vlan 20 port default 1/20
vlan 20 port default 1/21
vlan 20 port default 1/22
vlan 20 port default 1/23
vlan 20 port default 1/24
vlan 20 port default 1/37
vlan 20 port default 1/38
vlan 20 port default 1/39
vlan 20 port default 1/40
vlan 20 port default 1/41
vlan 20 port default 1/42
vlan 20 port default 1/43
vlan 20 port default 1/44
vlan 20 port default 1/45
vlan 20 port default 1/46
vlan 20 port default 1/47
vlan 30 enable name "Visitors"
vlan 30 port default 1/25
vlan 30 port default 1/26
vlan 30 port default 1/27
vlan 30 port default 1/28
vlan 30 port default 1/29
vlan 30 port default 1/30
vlan 30 port default 1/31
vlan 30 port default 1/32
vlan 30 port default 1/33
vlan 30 port default 1/34
vlan 30 port default 1/35
vlan 30 port default 1/36
vlan 61 port default 1/9
vlan 61 port default 1/10
vlan 99 enable name "radius"
vlan 99 port default 1/5
vlan 99 port default 1/6
vlan 100 enable name "SERVER"
vlan 100 port default 1/3
vlan 100 port default 1/4
vlan 999 enable name "Management"
vlan 999 port default 1/1
vlan 999 port default 1/2
vlan 999 port default 1/49
vlan port mobile 1/13
vlan port mobile 1/14
vlan port mobile 1/15
vlan port mobile 1/16
vlan port mobile 1/17
vlan port mobile 1/18
vlan port mobile 1/19
vlan port mobile 1/20
vlan port mobile 1/21
vlan port mobile 1/22
vlan port mobile 1/23
vlan port mobile 1/24
vlan port mobile 1/25
vlan port 1/25 802.1x enable
vlan port mobile 1/26
vlan port 1/26 802.1x enable
vlan port mobile 1/27
vlan port 1/27 802.1x enable
vlan port mobile 1/28
vlan port 1/28 802.1x enable
vlan port mobile 1/29
vlan port 1/29 802.1x enable
vlan port mobile 1/30
vlan port 1/30 802.1x enable
vlan port mobile 1/31
vlan port 1/31 802.1x enable
vlan port mobile 1/32
vlan port 1/32 802.1x enable
vlan port mobile 1/33
vlan port 1/33 802.1x enable
vlan port mobile 1/34
vlan port 1/34 802.1x enable
vlan port mobile 1/35
vlan port 1/35 802.1x enable
vlan port mobile 1/36
vlan port 1/36 802.1x enable
vlan port mobile 1/37
vlan port 1/37 802.1x enable
vlan port mobile 1/38
vlan port 1/38 802.1x enable
vlan port mobile 1/39
vlan port 1/39 802.1x enable
vlan port mobile 1/40
vlan port 1/40 802.1x enable
vlan port mobile 1/41
vlan port 1/41 802.1x enable
vlan port mobile 1/42
vlan port 1/42 802.1x enable
vlan port mobile 1/43
vlan port 1/43 802.1x enable
vlan port mobile 1/44
vlan port 1/44 802.1x enable
vlan port mobile 1/45
vlan port 1/45 802.1x enable
vlan port mobile 1/46
vlan port 1/46 802.1x enable
vlan port mobile 1/47
vlan port 1/47 802.1x enable
! VLAN SL:
! IP :
ip service all
ip interface "Management" address 192.168.248.60 mask 255.255.255.0 vlan 999 no forward ifindex 1
ip interface "radius" address 192.168.249.60 mask 255.255.255.0 vlan 99 no forward ifindex 6
! IPX :
! IPMS :
! AAA :
aaa radius-server "radius" host 10.0.0.150 key a4ac44fb47c67404 retransmit 3 timeout 2 auth-port 1812 acct-port 1813
aaa authentication default "local"
aaa authentication console "local"
aaa authentication 802.1x radius
aaa radius agent preferred 192.168.249.60
! PARTM :
! AVLAN :
aaa avlan default dhcp 10.10.10.130
! 802.1x :
802.1x 1/25 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/25 captive-portal session-limit 12 retry-count 3
802.1x 1/25 supp-polling retry 2
802.1x 1/25 supplicant policy authentication pass block fail captive-portal
802.1x 1/25 non-supplicant policy captive-portal
802.1x 1/25 captive-portal policy authentication pass block fail block
802.1x 1/26 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/26 captive-portal session-limit 12 retry-count 3
802.1x 1/26 supp-polling retry 2
802.1x 1/26 supplicant policy authentication pass block fail captive-portal
802.1x 1/26 non-supplicant policy captive-portal
802.1x 1/26 captive-portal policy authentication pass block fail block
802.1x 1/27 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/27 captive-portal session-limit 12 retry-count 3
802.1x 1/27 supp-polling retry 2
802.1x 1/27 supplicant policy authentication pass block fail captive-portal
802.1x 1/27 non-supplicant policy captive-portal
802.1x 1/27 captive-portal policy authentication pass default-vlan fail block
802.1x 1/28 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/28 captive-portal session-limit 12 retry-count 3
802.1x 1/28 supp-polling retry 2
802.1x 1/28 supplicant policy authentication pass block fail captive-portal
802.1x 1/28 non-supplicant policy captive-portal
802.1x 1/28 captive-portal policy authentication pass default-vlan fail block
802.1x 1/29 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/29 captive-portal session-limit 12 retry-count 3
802.1x 1/29 supp-polling retry 2
802.1x 1/29 supplicant policy authentication pass block fail captive-portal
802.1x 1/29 non-supplicant policy block
802.1x 1/29 captive-portal policy authentication pass default-vlan fail block
802.1x 1/30 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/30 captive-portal session-limit 12 retry-count 3
802.1x 1/30 supp-polling retry 2
802.1x 1/30 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/30 non-supplicant policy block
802.1x 1/30 captive-portal policy authentication pass default-vlan fail block
802.1x 1/31 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/31 captive-portal session-limit 12 retry-count 3
802.1x 1/31 supp-polling retry 2
802.1x 1/31 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/31 non-supplicant policy block
802.1x 1/31 captive-portal policy authentication pass default-vlan fail block
802.1x 1/32 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/32 captive-portal session-limit 12 retry-count 3
802.1x 1/32 supp-polling retry 2
802.1x 1/32 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/32 non-supplicant policy block
802.1x 1/32 captive-portal policy authentication pass default-vlan fail block
802.1x 1/33 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/33 captive-portal session-limit 12 retry-count 3
802.1x 1/33 supp-polling retry 2
802.1x 1/33 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/33 non-supplicant policy block
802.1x 1/33 captive-portal policy authentication pass default-vlan fail block
802.1x 1/34 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/34 captive-portal session-limit 12 retry-count 3
802.1x 1/34 supp-polling retry 2
802.1x 1/34 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/34 non-supplicant policy block
802.1x 1/34 captive-portal policy authentication pass default-vlan fail block
802.1x 1/35 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/35 captive-portal session-limit 12 retry-count 3
802.1x 1/35 supp-polling retry 2
802.1x 1/35 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/35 non-supplicant policy block
802.1x 1/35 captive-portal policy authentication pass default-vlan fail block
802.1x 1/36 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/36 captive-portal session-limit 12 retry-count 3
802.1x 1/36 supp-polling retry 2
802.1x 1/36 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/36 non-supplicant policy block
802.1x 1/36 captive-portal policy authentication pass default-vlan fail block
802.1x 1/37 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/37 captive-portal session-limit 12 retry-count 3
802.1x 1/37 supp-polling retry 2
802.1x 1/37 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/37 non-supplicant policy captive-portal
802.1x 1/37 captive-portal policy authentication pass default-vlan fail block
802.1x 1/38 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/38 captive-portal session-limit 12 retry-count 3
802.1x 1/38 supp-polling retry 2
802.1x 1/38 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/38 non-supplicant policy block
802.1x 1/38 captive-portal policy authentication pass default-vlan fail block
802.1x 1/39 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/39 captive-portal session-limit 12 retry-count 3
802.1x 1/39 supp-polling retry 2
802.1x 1/39 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/39 non-supplicant policy block
802.1x 1/39 captive-portal policy authentication pass default-vlan fail block
802.1x 1/40 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/40 captive-portal session-limit 12 retry-count 3
802.1x 1/40 supp-polling retry 2
802.1x 1/40 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/40 non-supplicant policy block
802.1x 1/40 captive-portal policy authentication pass default-vlan fail block
802.1x 1/41 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/41 captive-portal session-limit 12 retry-count 3
802.1x 1/41 supp-polling retry 2
802.1x 1/41 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/41 non-supplicant policy block
802.1x 1/41 captive-portal policy authentication pass default-vlan fail block
802.1x 1/42 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/42 captive-portal session-limit 12 retry-count 3
802.1x 1/42 supp-polling retry 2
802.1x 1/42 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/42 non-supplicant policy block
802.1x 1/42 captive-portal policy authentication pass default-vlan fail block
802.1x 1/43 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/43 captive-portal session-limit 12 retry-count 3
802.1x 1/43 supp-polling retry 2
802.1x 1/43 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/43 non-supplicant policy block
802.1x 1/43 captive-portal policy authentication pass default-vlan fail block
802.1x 1/44 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/44 captive-portal session-limit 12 retry-count 3
802.1x 1/44 supp-polling retry 2
802.1x 1/44 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/44 non-supplicant policy block
802.1x 1/44 captive-portal policy authentication pass default-vlan fail block
802.1x 1/45 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/45 captive-portal session-limit 12 retry-count 3
802.1x 1/45 supp-polling retry 2
802.1x 1/45 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/45 non-supplicant policy block
802.1x 1/45 captive-portal policy authentication pass default-vlan fail block
802.1x 1/46 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/46 captive-portal session-limit 12 retry-count 3
802.1x 1/46 supp-polling retry 2
802.1x 1/46 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/46 non-supplicant policy block
802.1x 1/46 captive-portal policy authentication pass default-vlan fail block
802.1x 1/47 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/47 captive-portal session-limit 12 retry-count 3
802.1x 1/47 supp-polling retry 2
802.1x 1/47 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/47 non-supplicant policy block
802.1x 1/47 captive-portal policy authentication pass default-vlan fail block
! QOS :
! Policy manager :
! Session manager :
session timeout cli 120
session timeout ftp 30
session timeout http 120
! SNMP :
snmp security no security
snmp community map mode off
snmp community map "SMART-labRO" user "SMART-labRO" on
snmp community map "SMART-labRW" user "SMART-labRW" on
snmp station 192.168.248.1 162  v1 enable
! RIP :
! OSPF :
! BFD-STD :
! ISIS :
! IPv6 :
! IPSec :
! IP multicast :
ip static-route 10.0.0.0/24 gateway 192.168.249.254 metric 1
! RIPng :
! OSPF3 :
! BGP :
! Health monitor :
! Interface :
interfaces 1/1 alias "Trunk_OS9700"
! Udld :
! Netsec :
! Port Mapping :
! Link Aggregate :
! VLAN AGG:
! 802.1Q :
vlan 20 802.1q 1/48 "TAG PORT 1/48 VLAN 20"
vlan 30 802.1q 1/48 "TAG PORT 1/48 VLAN 30"
vlan 61 802.1q 1/48 "TAG PORT 1/48 VLAN 61"
vlan 99 802.1q 1/48 "TAG PORT 1/48 VLAN 99"
vlan 100 802.1q 1/48 "TAG PORT 1/48 VLAN 100"
! Spanning tree :
bridge mode 1x1
! Bridging :
! Bridging :
! Port mirroring :
! UDP Relay :
ip helper avlan only
! Server load balance :
! System service :
swlog console level info
! SSH :
! VRRP :
! Web :
! AMAP :
! LLDP :
! Lan  Power :
! NTP :
! RDP :
! VLAN STACKING:
! Ethernet-OAM :
! EFM-OAM :
! E
benny

Re: Captive Portal will not work after supplicant fail

Post by benny »

You only configured the captive-portal for ports 1/25-29; please confirm whether you are connected to one of those ports for the test.

You configured a couple of "avlan" commands that are not necessary - do you use that feature? You're running a very old AOS release; before doing a long and detailed analysis, I'd like to suggest trying an upgrade to AOS 6.4.4.R01 (latest Maintenance Release) and verifying the behaviour there.

Benny
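
Which ports hand a client to Captive Portal, and through which policy branch, can be read mechanically from the 802.1x lines of the snapshot in the first post. This is an added example, not part of the thread or of any Alcatel-Lucent tooling; the function names and the "default" branch label are this example's own, and the sample is a shortened excerpt of the posted configuration.

```python
import re

# Excerpt of the 802.1x section posted in this thread; the run-together
# 1/37-1/38 line is kept, with the 1/38 timer options shortened.
SNAPSHOT = """\
802.1x 1/25 captive-portal session-limit 12 retry-count 3
802.1x 1/25 supplicant policy authentication pass block fail captive-portal
802.1x 1/25 non-supplicant policy captive-portal
802.1x 1/25 captive-portal policy authentication pass block fail block
802.1x 1/29 supplicant policy authentication pass block fail captive-portal
802.1x 1/29 non-supplicant policy block
802.1x 1/37 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/37 non-supplicant policy captive-portal
802.1x 1/37 captive-portal policy authentication pass default-vlan fail block802.1x 1/38 direction both port-control auto
802.1x 1/38 non-supplicant policy block
"""

# "default" is this example's label for a chain written without pass/fail.
POLICY = re.compile(r"802\.1x (\d+/\d+) (supplicant|non-supplicant|captive-portal)"
                    r" policy(?: authentication)?(.*)")

def commands(text):
    """Yield one 802.1x command at a time, even if two share a line."""
    for line in text.splitlines():
        for cmd in re.split(r"(?=802\.1x \d+/\d+ )", line):
            if cmd.strip():
                yield cmd.strip()

def parse_policies(text):
    """Return {port: {policy kind: {branch: [actions in order]}}}."""
    ports = {}
    for cmd in commands(text):
        m = POLICY.match(cmd)
        if not m:
            continue  # timers, session limits, polling
        port, kind, rest = m.groups()
        chains, branch = {}, "default"
        for tok in rest.split():
            if tok in ("pass", "fail"):
                branch = tok
            else:
                chains.setdefault(branch, []).append(tok)
        ports.setdefault(port, {})[kind] = chains
    return ports

def portal_entry_paths(policies):
    """Return {port: ["kind/branch", ...]} for chains that name captive-portal."""
    out = {}
    for port, kinds in policies.items():
        paths = [f"{kind}/{branch}"
                 for kind in ("supplicant", "non-supplicant")
                 for branch, actions in kinds.get(kind, {}).items()
                 if "captive-portal" in actions]
        if paths:
            out[port] = paths
    return out
```

Calling `portal_entry_paths(parse_policies(text))` on a full `show configuration snapshot` output lists only the ports where a failed supplicant or a non-supplicant is sent to Captive Portal.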
jonha134

Re: Captive Portal will not work after supplicant fail

Post by jonha134 »

Thank you for your answer!

Yes, we are using those specific ports for testing.

We are awaiting newer firmware from our supplier.

I will try to remove any avlan settings.

I understand from your answer that you are not familiar with any known bugs related to this issue? Are there any other settings that might affect this behavior?

Best regards,
Jonas
benny

Re: Captive Portal will not work after supplicant fail

Post by benny »

Hi Jonas,

There is a good chance that the issues you see are already resolved. I don't like the "old implementation" as in AOS 6.4.2.R01 as it uses a Java-Applet to renew the IP-ADDRESS after successful authentication, which will not work with many new browsers or MacOSX.

I'd strongly recommend looking forward to AOS 6.4.4.R01.

Benny
jonha134

Re: Captive Portal will not work after supplicant fail

Post by jonha134 »

You were correct. Upgrading to AOS 6.4.4.R01 solved the issue. Now it works like a charm.

Thank you.

Jonas