Any issues with v20MR1 and APX SC-controlled hotspot?

Never set up a hotspot in the past, so not sure if I'm doing something wrong or if it's simply not working...

APX320 + XGS87 + SFOS 20.0-MR1 managed from Sophos Central. I go to my Guest SSID (not bridged, goes to VLAN) and turn on Hotspot. Client on the Guest network cannot reach the internet (web pages), and is NOT redirected to a hotspot landing page. However, I can see that DNS queries do get through to the Internet (Sophos DNS).

I have interactions/redirects set to the IP of the first port, in the Admin page. I have tried creating a rule to allow Guest-LAN traffic and it doesn't seem to help. I have Captive Portal on for both the Guest network/zone and the LAN network/zone.

Turn off Hotspot and everything's back to normal.

Is there something else I'm missing? Should this be handled entirely within the APX, or does it depend on anything happening on the XGS? (Again, the AP is run from Sophos Central and no wireless control/options on the XGS side of things.)

Edited TAGs
[edited by: Erick Jan at 9:23 AM (GMT -7) on 4 Jul 2024]
  • This is an item for the Known Issue list and will be included shortly. 

    Try to use the Captive Portal on the Firewall instead. The Access Point cannot reach the website in this scenario, as it is isolated in this state. 


  • Arghhh, should've asked a couple of days ago. Thought I was insane.

    I tried your suggestion -- as I understand it -- and it doesn't seem to work either. (Though, again, my setup might be messed up.) I created a Guest User and restricted their login to the Guest network VLAN's IP address range. I turned on Captive Portal and User Portal on the Guest Zone (which contains the Guest network VLAN). I went to the Guest-WAN firewall rule and required known users and allowed portal login.

    Nothing. If I turn the known users off in the firewall rule, I get Internet access -- though of course no login required. If I turn it off, I get no internet access and the browser is stuck trying to reach the portal (I'm guessing). (I don't have a Guest-Guest or Guest-LAN firewall rule, and in Administration, user interaction goes to the IP of the first port, which is not in Guest.)

    When I get a chance, I'll try a Guest-Guest firewall rule to see if that's necessary to reach the Guest portals. I'm not really clear on the distinction between Captive Portal (8090?) and the User Portal (443?) in this use case.

    UPDATE: Tried a Guest-Guest firewall rule, doesn't seem to help. But then again, the Device Access is supposed to handle those kinds of things, so I shouldn't have expected it to work.