Onboarding is not supported when a captive portal is active because the pop-up that you see to sign in to the captive portal is running in a protected/isolated browser.
The workaround for that is to make the client close the popup browser, from there start the onboarding in a full browser. A login with 'redirect URL' may work to get the standard browser opened with the onboarding URL. Or configure CNA Bypass (and the other OS-ses variants) to prevent an automatic captive portal pop up and point users in another way to the onboarding page.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jun 15, 2023 02:28 AM
From: JeffreyMik
Subject: Problems with OnBoarding clients using dual SSID
Hello everyone,
We started implementing OnBoarding BYODs to our corp network. We configured an OnBoarding service and attached it to our corp network. We also put the webpage, that is generated to start the Onboard process, to the guest login page and there is where the problem takes place. When a guest connects to the guest SSID, the device gets a pre-logon role. This role doesn't give internet access to the client.
When the client is an employee and wants to start the OnBoarding process, he or she can click on the link referring to the OnBoarding page. This works completely fine. When the clients put in their AD credentials to authenticate for the OnBoarding process, the clients get access to download the app.
After getting to the download page, to download the 'Quickconnect' app, the app can be installed. But here something strange happens. When an android device tries to Onboard and clicks on the download button, the original web browser used for starting up the captive portal gets closed. Then the devices says that it is fully connected to the network and starts up another web browser where the captive portal pops up again. Here, the user needs to log in again using his/her AD credentials. After this is done, the 'quickconnect' app can be installed, but when going to the play store to download the app, no internet access is given to the client and thus the app nor the network profile (certificate) can be installed.
I have looked in the access tracker to see if the post auth role gets applied when the clients switches between web browser and gains full access to the network. I don't see the role getting applied to the client. This is where the problem occurs, and I don't know how to fix it…
Does someone know a possible solution?
Kind regards,
Jeffrey Mik