Troubleshooting

Event Timestamp not working

Symptom

The client gets a credentials request on the web browser even though the valid credentials were already provided, or the client is not redirected to the Captive Portal.

Cause
  • ClearPass 6.5.x does not support the sending of Event Timestamp in automated workflows (manual via Access Tracker works).

  • The switch will reject CoA requests when the time on CPPM is ahead of the switch time by even a second.

Action

Set the time-window security feature in PVOS to 0:

radius-server host<CLEARPASS-IP> time-window 0

Cannot enable Captive Portal

Symptom

When running the aaa authentication captive-portal enable command, getting the following error message:

Captive portal cannot be enabled when BYOD redirect, MAC authentication failure 
redirect, or web-based authentication are enabled.
Cause

The failure is due to a mutual exclusion restriction.

Action
  1. Check which one of the following are enabled: BYOD redirect, MAC authentication failure redirect, or web-based authentication.

  2. Disabled the enabled authentication method found in step 1.

  3. Run the aaa authentication captive-portal enable command.

Unable to enable feature

Symptom

One of the following messages is displayed:

  • BYOD redirect cannot be enabled when captive portal is enabled.
    
  • MAC authentication failure redirect cannot be enabled when captive 
    portal is enabled.
    
  • Web-based authentication cannot be enabled when captive portal 
    is enabled.
    
  • V1 compatibility mode cannot be enabled when captive portal 
    is enabled.
    
Cause

You cannot enable these features when Captive Portal is already enabled. They are mutually exclusive.

Action

You can either disable Captive Portal or avoid enabling these features.

Authenticated user redirected to login page

Symptom

User is redirected back to the login page to submit credentials even after getting fully authenticated.

Solution 1

Cause

The status is not changed to Known. 

Action

After the client submits the credentials, the CPPM service must change the Endpoint Status to Known.

Solution 2

Cause

The cache value is set.

Action

Clear the CPPM Cache Timeout of the Endpoint Repository.

Unable to configure a URL hash key

Symptom

The following message is displayed:

Key exceeds the maximum length of 64 characters.
Cause

The URL hash key is not valid.

Action

Select a key that is 64 or less ASCII text. For example:

switch(config)# 

aaa authentication captive-portal url-hash-key plaintext “8011A89FEAE0234BCCA”

authentication command

Use the following authentication commands to configure ClearPass Captive Portal.

Command Description

aaa authentication captive-portal enable

Enables redirection to a Captive Portal server for additional client authentication.

aaa authentication captive-portal disable

or

no aaa authentication captive-portal enable

Disables redirection to a Captive Portal server for additional client authentication.

aaa authentication captive-portal url-hash-key

Configures a hash key used to verify the integrity of the portal URL.

show command

Use the following show commands to view the various configurations and certificates.

Command Description

show running-config

Shows the running configuration.

show config

Shows the saved configuration.

show ip

Shows the switch IP addresses.

show captive-portal

Captive portal configuration.

show port-access clients [port] [detailed]

Consolidated client view; the detailed option shows the Access Policy that is applied. The IP address is only displayed if dhcp-snooping is enabled.

For the summary view (without the detailed option), only the untagged VLAN is displayed.

show radius authentication

Displays NAS identifier and data on the configured RADIUS server and switch interactions with this server.

show radius dyn-authorization

Statistics for Radius CoA and Disconnect.

show radius accounting

Statistics for Radius accounting.

show crypto pki local-certificate [summary]

Installed certificates.

Debug command

Use the debug command to help you debug your issues.

Command Description

debug security captive-portal

Enables debug logging for the Captive Portal sub-system.

debug security port-access mac-based

Enables debug logging for the MAC-auth sub-system.

debug security port-access authenticator

Enables debug logging for the 802.1X authenticator sub-system.

debug security radius-server

Enables debug logging for the Radius sub-system.

debug destination session

Prints debug messages to terminal.

debug destination logging

Sends debug messages to the syslog server.

debug destination buffer

Prints debug messages to a buffer in memory.