The controller needs to have the user in an unauthenticated state in order for External Captive Portal to work. For all Unregistered Roles, Login-Lat-Port should be a 0 in the RADIUS accept packet. The controllers client reports will show this as a gray lock that is unlocked. If the lock is locked and green next to the suspect user with an unauthenticated role, it means NAC returned back the Login-Lat-Port=1 at which time External Captive Portal will fail.
- Go to the NAC Rules Engine
- Select Accept Policy:Unregistered, the Edit Policy Mapping will pop up
- Change Login-LAT-Port to a 0
- Save and enforce the change