Troubleshooting

Event Timestamp not working

Symptom

The client is prompted for credentials in the web browser even though valid credentials were already provided, or the client is not redirected to the Captive Portal.

Cause
  • ClearPass 6.5.x does not support sending Event Timestamp in automated workflows (sending it manually via Access Tracker works).

  • The switch will reject CoA requests when the time on CPPM is ahead of the switch time by even a second.

Action

Set the time-window security feature in PVOS to 0:

radius-server host <CLEARPASS-IP> time-window 0
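The following added example (not taken from the switch or ClearPass software) models the Event-Timestamp check described under Cause: it parses the RADIUS Event-Timestamp attribute (type 55, RFC 5176) from a constructed CoA-Request and applies a time window. The function names, the sample clock value and the rule that a window of 0 disables the check are assumptions made for illustration.

```python
import struct

COA_REQUEST = 43          # RADIUS code for CoA-Request (RFC 5176)
EVENT_TIMESTAMP = 55      # attribute type, 4-byte seconds since the Unix epoch

def build_coa(event_ts=None, ident=1):
    """Build a constructed CoA-Request; the authenticator is zeroed (not a valid signature)."""
    attrs = b""
    if event_ts is not None:
        attrs += struct.pack("!BBI", EVENT_TIMESTAMP, 6, event_ts)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs

def event_timestamp(packet):
    """Return the Event-Timestamp value from a RADIUS packet, or None if absent."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == EVENT_TIMESTAMP and alen == 6:
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += alen
    return None

def check_coa(packet, switch_now, time_window):
    """Model of the receiver's decision. Assumption: time_window 0 disables the check."""
    if time_window == 0:
        return "accept (time check disabled)"
    ts = event_timestamp(packet)
    if ts is None:
        return "reject (no Event-Timestamp)"
    if ts > switch_now:
        return "reject (sender clock ahead of switch)"
    if switch_now - ts > time_window:
        return "reject (stale)"
    return "accept"

if __name__ == "__main__":
    now = 1_700_000_000   # constructed switch clock
    for label, pkt in [("in sync", build_coa(now)), ("CPPM +1s", build_coa(now + 1)),
                       ("no timestamp", build_coa(None))]:
        print(label, "| window 300:", check_coa(pkt, now, 300), "| window 0:", check_coa(pkt, now, 0))
```

Under the stated assumption, a window of 0 means the timestamp no longer bounds how old an accepted CoA request can be, so synchronized clocks (for example via NTP) on the switch and CPPM remain worth checking.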

Cannot enable Captive Portal

Symptom

Running the aaa authentication captive-portal enable command returns the following error message:

Captive portal cannot be enabled when BYOD redirect, MAC authentication failure redirect, or web-based authentication are enabled.

Cause

The failure is due to a mutual exclusion restriction.

Action
  1. Check which of the following is enabled: BYOD redirect, MAC authentication failure redirect, or web-based authentication.

  2. Disable the authentication method found in step 1.

  3. Run the aaa authentication captive-portal enable command.

Unable to enable feature

Symptom

One of the following messages is displayed:

  • BYOD redirect cannot be enabled when captive portal is enabled.
  • MAC authentication failure redirect cannot be enabled when captive portal is enabled.
  • Web-based authentication cannot be enabled when captive portal is enabled.
  • V1 compatibility mode cannot be enabled when captive portal is enabled.

Cause

You cannot enable these features when Captive Portal is already enabled. They are mutually exclusive.

Action

You can either disable Captive Portal or avoid enabling these features.

Authenticated user redirected to login page

Symptom

User is redirected back to the login page to submit credentials even after getting fully authenticated.

Solution 1

Cause

The status is not changed to Known. 

Action

After the client submits the credentials, the CPPM service must change the Endpoint Status to Known.

Solution 2

Cause

The cache value is set.

Action

Clear the CPPM Cache Timeout of the Endpoint Repository.

Unable to configure a URL hash key

Symptom

The following message is displayed:

Key exceeds the maximum length of 64 characters.

Cause

The URL hash key is not valid.

Action

Select a key that is 64 or fewer ASCII characters. For example:

switch(config)# aaa authentication captive-portal url-hash-key plaintext "8011A89FEAE0234BCCA"

authentication command

Use the following authentication commands to configure ClearPass Captive Portal.

| Command | Description |
|---|---|
| aaa authentication captive-portal enable | Enables redirection to a Captive Portal server for additional client authentication. |
| aaa authentication captive-portal disable, or: no aaa authentication captive-portal enable | Disables redirection to a Captive Portal server for additional client authentication. |
| aaa authentication captive-portal url-hash-key | Configures a hash key used to verify the integrity of the portal URL. |

show command

Use the following show commands to view the various configurations and certificates.

| Command | Description |
|---|---|
| show running-config | Shows the running configuration. |
| show config | Shows the saved configuration. |
| show ip | Shows the switch IP addresses. |
| show captive-portal | Captive portal configuration. |
| show port-access clients [port] [detailed] | Consolidated client view; the detailed option shows the Access Policy that is applied. The IP address is only displayed if dhcp-snooping is enabled. For the summary view (without the detailed option), only the untagged VLAN is displayed. |
| show radius authentication | Displays NAS identifier and data on the configured RADIUS server and switch interactions with this server. |
| show radius dyn-authorization | Statistics for Radius CoA and Disconnect. |
| show radius accounting | Statistics for Radius accounting. |
| show crypto pki local-certificate [summary] | Installed certificates. |

Debug command

Use the debug command to help you debug your issues.

| Command | Description |
|---|---|
| debug security captive-portal | Enables debug logging for the Captive Portal sub-system. |
| debug security port-access mac-based | Enables debug logging for the MAC-auth sub-system. |
| debug security port-access authenticator | Enables debug logging for the 802.1X authenticator sub-system. |
| debug security radius-server | Enables debug logging for the Radius sub-system. |
| debug destination session | Prints debug messages to terminal. |
| debug destination logging | Sends debug messages to the syslog server. |
| debug destination buffer | Prints debug messages to a buffer in memory. |