troubleshooting when Captive Portal password is not accepted

How can I troubleshoot a captive portal issue for an SSID in Sophos Central where the portal password is not accepted? The portal is showing wrong password.

Have generated a new portal password but the issue persists.

I did a tcp dump on the XG (RED) interface and could see this during the client authentication:

15:56:18.943898 reds1, IN:   B xxx:xxx:xx:44:2d ethertype 802.1Q (0x8100), length 62: vlan 1111, p 0, ethertype Unknown, LLC, dsap Null (0x00) Individual, ssap Null (0x00) Command, ctrl 0x81f5: Supervisory, Receiver not Ready, rcv seq 64, Flags [Poll], length 42
15:56:18.943898 reds1.1111, IN:   B xxx:xxx:xx:44:2d 802.2, length 58: LLC, dsap Null (0x00) Individual, ssap Null (0x00) Command, ctrl 0x81f5: Supervisory, Receiver not Ready, rcv seq 64, Flags [Poll], length 42
Msg: Jul 28 13:56:18 hostapd: ath101: STA xxx:xxx:xx:44:2d IEEE 802.11: associated
Msg: Jul 28 13:56:18 hostapd: ath101: STA xxx:xxx:xx:44:2d IEEE 802.11: associated
Msg: Jul 28 13:56:18 hostapd: ath101: STA xxx:xxx:xx:44:2d IEEE 802.11: associated
Msg: Jul 28 13:56:18 hostapd: ath101: STA xxx:xxx:xx:44:2d IEEE 802.11: associated
Msg: Jul 28 13:56:18 hostapd: ath101: STA xxx:xxx:xx:44:2d IEEE 802.11: HS Roaming: Sending AP_STA_ASSOCIATED UBUS message to Cloudclient
Msg: Jul 28 13:56:18 hostapd: ath101: STA xxx:xxx:xx:44:2d IEEE 802.11: HS Roaming: Sending AP_STA_ASSOCIATED UBUS message to Cloudclient
Msg: Jul 28 13:56:18 webcat[1120]: core/pcf_ubus.c:252/pcf_handle_client_assoc_deassoc_event: Rxed event AP-STA-ASSOCIATED  xxx:xxx:xx:44:2d ath101
Msg: Jul 28 13:56:18 webcat[1120]: core/pcf_ubus.c:252/pcf_handle_client_assoc_deassoc_event: Rxed event AP-STA-ASSOCIATED  xxx:xxx:xx:44:2d ath101
Msg: Jul 28 13:56:18 cloudclient[1673]: ubus.c:498/handle_hostapd_event: HS Roaming  AP-STA-ASSOCIATED json recvd for mac xxx:xxx:xx:44:2d on wlan ath101
Msg: Jul 28 13:56:18 cloudclient[1673]: ubus.c:498/handle_hostapd_event: HS Roaming  AP-STA-ASSOCIATED json recvd for mac xxx:xxx:xx:44:2d on wlan ath101
Msg: Jul 28 13:56:18 hostapd: ath101: STA xxx:xxx:xx:44:2d IEEE 802.11: HS Roaming: Sending AP_STA_ASSOCIATED UBUS message to Cloudclient
Msg: Jul 28 13:56:18 hostapd: ath101: STA xxx:xxx:xx:44:2d IEEE 802.11: HS Roaming: Sending AP_STA_ASSOCIATED UBUS message to Cloudclient
Msg: Jul 28 13:56:18 webcat[1120]: core/pcf_ubus.c:252/pcf_handle_client_assoc_deassoc_event: Rxed event AP-STA-ASSOCIATED  xxx:xxx:xx:44:2d ath101
Msg: Jul 28 13:56:18 webcat[1120]: core/pcf_ubus.c:252/pcf_handle_client_assoc_deassoc_event: Rxed event AP-STA-ASSOCIATED  xxx:xxx:xx:44:2d ath101
Msg: Jul 28 13:56:18 cloudclient[1673]: ubus.c:498/handle_hostapd_event: HS Roaming  AP-STA-ASSOCIATED json recvd for mac xxx:xxx:xx:44:2d on wlan ath101
Msg: Jul 28 13:56:18 cloudclient[1673]: ubus.c:498/handle_hostapd_event: HS Roaming  AP-STA-ASSOCIATED json recvd for mac xxx:xxx:xx:44:2d on wlan ath101
Msg: Jul 28 13:56:18 cloudclient[1673]: roaming_hs.c:65/check_clientinfo_from_roaming_db: Can't find an entry for Client with mac xxx:xxx:xx:44:2d
Msg: Jul 28 13:56:18 cloudclient[1673]: roaming_hs.c:65/check_clientinfo_from_roaming_db: Can't find an entry for Client with mac xxx:xxx:xx:44:2d
Msg: Jul 28 13:56:18 cloudclient[1673]: roaming_hs.c:65/check_clientinfo_from_roaming_db: Can't find an entry for Client with mac xxx:xxx:xx:44:2d
Msg: Jul 28 13:56:18 cloudclient[1673]: roaming_hs.c:65/check_clientinfo_from_roaming_db: Can't find an entry for Client with mac xxx:xxx:xx:44:2d
Msg: Jul 28 13:56:19 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:19 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:19 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:19 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:19 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:19 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:19 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:19 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:20 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:20 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:20 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:20 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:21 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:21 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:21 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:21 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 13:56:22 kernel: [10014.700100]  wlan_mlme_disassoc_request_with_callback 473  xxx:xxx:xx:44:2d reason 2 
Msg: Jul 28 13:56:22 kernel: [10014.700100]  wlan_mlme_disassoc_request_with_callback 473  xxx:xxx:xx:44:2d reason 2 
Msg: Jul 28 13:56:22 kernel: [10014.700100]  wlan_mlme_disassoc_request_with_callback 473  xxx:xxx:xx:44:2d reason 2 
Msg: Jul 28 13:56:22 kernel: [10014.700100]  wlan_mlme_disassoc_request_with_callback 473  xxx:xxx:xx:44:2d reason 2 
16:03:36.049979 reds1, IN:   B xxx:xxx:xx:44:2d ethertype 802.1Q (0x8100), length 62: vlan 1111, p 0, ethertype Unknown, LLC, dsap Null (0x00) Individual, ssap Null (0x00) Command, ctrl 0x81f5: Supervisory, Receiver not Ready, rcv seq 64, Flags [Poll], length 42
16:03:36.049979 reds1.1111, IN:   B xxx:xxx:xx:44:2d 802.2, length 58: LLC, dsap Null (0x00) Individual, ssap Null (0x00) Command, ctrl 0x81f5: Supervisory, Receiver not Ready, rcv seq 64, Flags [Poll], length 42
Msg: Jul 28 14:03:37 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 14:03:37 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 14:03:37 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 
Msg: Jul 28 14:03:37 hostapd: ath101: STA xxx:xxx:xx:44:2d WPA: AP-STA-POSSIBLE-PSK-MISMATCH 

Also I can see thios message from the AP handling the client to the syslog server:

192.xxx.xxx.xxx.44556 > 172.xxx.xxx.xxx.514: SYSLOG, length: 108
Facility kernel (0), Severity warning (4)
Msg: Jul 28 13:56:18 kernel: [10010.654160] rfs_wxt_get_cpu_by_irq[131]:INFO:IRQ is bound to more than one CPU

  • This didn't work until the existing WiFi has been "unlearned" or "forgotten" at the end-device.

    Afterwards, there were also issues, as there was a wrong timezone set up at the end-device. After the timezon was set correctly, some certificate errors and other issues with the captive portal were gone.