Access Guardian and captive portal on the 6850 switches

[cedric1]

hello

In version 6.3.4.443.R01
When supplicant send bad cred. -> you never go to fail and never get CPortal
The same if Radius is not avilable

In version 6.3.4.433R01
The same test is succesful : bad cred => go to CPortal (dhcp ok etc)
If Radius is not pingable (so no radius exchange between swich and radius) , I nerver go in Cportal process.

Something is bad an I will open a case for this.

Regards

Cedric

[cedric1]

hello

In my last test -> if i use 802.1X supplicant, enter bad cred, I get always a pop up from windows
to re-enter cred.

So I'm not able to get a Fail.

In version 433, I don't get this pop up if bad cred have been enter.

I directly get a fail and go to CP.

Did you have the same ?

[Rens_DUP]

Hello,

Currently I'm using the windows logon client which logs me into the network the same time as the windows logon. So when I enter wrong credentials windows already deny's me access.

I'm currently not in the position to test this in the lab.

Regards,

Rens

[cedric1]

Ok

I will open a case because there is some strange issue in the last code.

I will keep you update

Cedric

[Rens_DUP]

Hello Cedric1,

As an add on to the last post.

I've used an account which has Remote Access Permission set to Deny Access. Thisway I'm able to log into the computer and the switch deny's me access.

When I use this account I get the Captive portal as configured. Now I can gain access to the network by logging in with an second accound which has Remote Access Permission set to Allow Access.

I hope this helps,

Regards,

Rens

[MWLosRios]

I like the new captive portal feature, but there two cosmetic issues that need to be fixed before I would deploy it widely in my network:

-There has to be a way to customize the captive portal URL, so a certificate can be generated to match the URL. Otherwise, there will be certificate errors, and some browsers and OSes make it very difficult for the average user to get past a cert error.
-The Java applet to release and renew the IP does not work on some browsers/OSes. It also requires administrative access. I see that the lease time is very low; even lower would be better.

[benny]

According to my information there is going to be some improvement on that soon (Java applet)...

-benny

[MWLosRios]

There is an (undocumented) method to turn off the Java applet. The lease time is very low, and with the Java applet turned off, the user must simply wait a minute or so for their lease to expire to gain an IP on the authenticated network.