NAC Captive Portal: Redirection doesn't work with empty Client Browser Cache

Symptoms
  • Captive Portal pages are not displayed following a successful authentication
  • Happens only if the client's browser cache doesn't have Captive Portal objects stored from a previous authentication; mostly affects new wireless clients, phones and tablets
Environment
  • NAC VM, Captive Portal enabled on NAC
  • EWC v2110, Wireless Authentication set to External Captive Portal (NAC)
  • VMware ESXi 5.x
Cause
If the following conditions are met:
  1. the NAC Captive Portal (CP) and v2110 interfaces connect to the same vSwitch on the same host, and
  2. the v2110 VNS topology is B@C (bridged at controller), and
  3. the NAC CP and v2110 B@C interfaces share the same VLAN, and
  4. the payload of the HTTP (Java) TCP packets sent from NAC exceeds the TCP MSS (typically 1460 B),
then TCP segmentation may fail to occur and large TCP segments (more than 8 KB) are sent back to the EWC. These never reach the wireless client, so the client cannot ACK them and NAC keeps retransmitting.
The browser does not display the subsequent pages because, by the time the retransmissions succeed, the Java scripts have already timed out.
The EWC eventually sends ICMP "fragmentation needed" messages back to NAC, and NAC retransmits with an adjusted TCP segment size, so the client does not fail authentication. The issue is therefore limited to what the client's browser displays and the missing redirection after authentication.
Resolution

Use a routed topology on the EWC, or place NAC's interface on a different port group and a different VLAN so that traffic is routed via the physical NIC of the host (assuming the physical NIC does perform TSO),

or

attach the NAC VM to a different vSwitch (recommended). The EWC needs its production interfaces in promiscuous mode, so traffic between the EWC and NAC (or any other external portal) is then routed via the physical network infrastructure. This also implies the physical NICs of the VMware host are TSO capable and that the capability is active.
Additional notes
Explanation:
- With a default MTU of 1500 (typical on a VMware ESXi vSwitch) the typical TCP MSS is 1460.
- An application may hand the stack a TCP segment larger than the MSS; NAC does send 8 KB segments, which is perfectly fine.
- Either the guest VM's OS or the NIC must then perform TCP segmentation so that each transmitted segment is no larger than the MSS.
- It is preferable for the NIC to perform TCP segmentation, a capability called TCP Segmentation Offload (TSO).
- A VM's NIC drivers are supplied by VMware, be that E1000 or VMXNET3; both have TSO capability turned on.
- Any guest VM (in this case NAC) whose virtual NIC (vNIC) driver reports TSO capability sends TCP segments unchanged, so the vNIC must split them into MSS-sized segments.
- It has been observed that the vNIC failed to split the large TCP segments, so the EWC received an 8 KB TCP segment.
- For troubleshooting purposes only, to confirm that the lack of TSO is the root cause: turn TSO off in the guest VM OS and test whether that solves the issue.

On NAC (Linux), TSO can be turned on or off with ethtool:

root@nac:~$  ethtool -k eth1
Offload parameters for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: on
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: off
 
root@nac:~$ ethtool -K eth1 tso off
root@nac:~$ ethtool -k eth1
Offload parameters for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: on
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: off


Caution: the above test should be performed for troubleshooting purposes only. Revert NAC's ethX to the default TSO value if NAC is in production, as the impact of having the CPU perform TCP segmentation could be significant.
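The following script is an added example, not part of the original article or of the NAC product: it wraps the ethtool test above so that the original TSO setting is recorded first and restored automatically when the test ends or is interrupted. It assumes a Linux NAC with ethtool installed and root access; the interface name eth1 is taken from the article, and the ethtool output embedded below is constructed for offline checking.

```shell
#!/bin/sh
# Added example (not from the original article): run a captive-portal test with
# TSO temporarily disabled on the NAC guest interface, then always restore it.

# Extract the tcp-segmentation-offload value ("on" or "off") from the text of
# `ethtool -k <iface>`. Takes the output as an argument so it can be checked
# offline; newer ethtool may append " [fixed]", which is stripped.
tso_state_from_output() {
    printf '%s\n' "$1" | awk -F': *' \
        '$1 == "tcp-segmentation-offload" { sub(/ .*/, "", $2); print $2; exit }'
}

# Current TSO state of a live interface (requires ethtool and root).
tso_state() {
    tso_state_from_output "$(ethtool -k "$1")"
}

# Run a command with TSO disabled on the interface. The saved state is
# restored on exit, including when the test fails or is interrupted (Ctrl-C),
# so a production NAC is not left doing CPU-based segmentation by accident.
run_with_tso_off() {
    iface=$1; shift
    orig=$(tso_state "$iface")
    [ -n "$orig" ] || { echo "cannot read TSO state for $iface" >&2; return 1; }
    trap 'ethtool -K "$iface" tso "$orig"; echo "TSO on $iface restored to $orig"' EXIT INT TERM
    ethtool -K "$iface" tso off
    echo "TSO on $iface is now $(tso_state "$iface"); running test..."
    "$@"
}

# Constructed sample of `ethtool -k eth1` output, mirroring the article's
# session, used to exercise the parser without a live interface.
SAMPLE_ETHTOOL_OUTPUT='Offload parameters for eth1:
rx-checksumming: on
tx-checksumming: on
tcp-segmentation-offload: on
generic-segmentation-offload: on'

# Example usage on a live NAC (commented out so sourcing the file is harmless):
# run_with_tso_off eth1 sh -c 'sleep 60'   # re-test the portal during these 60 s
```

Run the portal test from a client while the wrapped command is executing; the trap reverts TSO as soon as it finishes.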
