ArubaOS and Controllers

Reply
New Contributor
Posts: 1
Registered: ‎10-21-2009

Ipad and Captive Portal Problem

We have a guest SSID that the students use here on campus. On this SSID it is using Captive Portal. Computers have no problem accessing but Ipad's do. Here is the scenario. On the Ipad, you connect to the wifi get an IP address fine and the captive portal page opens fine. The student then puts an email address (the only thing required and does not have to be a real one) and clicks I agree. If you look in the user table on the controller, you can see that the Ipad is authenticated and in the guest role. The only thing is when you open up safari on the ipad you are unable to browse the internet. Also in the upper left hand corner you do not see the wifi symbol next to where it says Ipad. You are able to ping the address that the Ipad has from a computer. The only way to get it to work is to turn wifi off and back on again and as soon as you do this, you see the wifi symbol in the upper left. Has anybody else seen this or know of a fix?
Aruba Employee
Posts: 135
Registered: ‎06-18-2007

Re: Ipad and Captive Portal Problem

I have seen similar issues with IE9 and some Apple devices. Support identified this as being a bug. This is specifically using the registration option or prompting the user with an agreement only.

May want to look at upgrading your firmware. The fix that I experienced at a customer site was included in 6.1.2.2.

-Mike
Occasional Contributor II
Posts: 16
Registered: ‎12-14-2010

Re: Ipad and Captive Portal Problem

I am still having no luck with the iPad2. TAC had me upgrade to 6.1.2.2 (was on 6.1.2.0) - but I still am seeing the exact same problems. You connect to our Guest network and the CP pops up. More than half of the time when you click "Accept" the portal page doesn't close - it goes to an Apple webpage and the only Safari option available is to "Close". The wireless icon on the iPad2 then disappears. The only workaround is to toggle the wireless adapter on and then off in Settings/Network.

I turned on user-debug and every log entry looks the same when it works and when it doesn't.
Occasional Contributor I
Posts: 8
Registered: ‎04-20-2009

Re: Ipad and Captive Portal Problem

We've been facing the same problem with ipad2 and captive portal. Customers refused to use psk or dot1x.And current OS is ver5 for controller 620. Should i upgrade ver 6?

Any advice for ipad with Captive Portal.

Thanks.
Occasional Contributor II
Posts: 17
Registered: ‎09-26-2008

iOS, Captive Portal and Auto Login?

I've got some of my information 2nd and 3rd-hand, but I believe this
might be related to the auto login feature on the iOS devices. Something
about the user failing to cache "login" information during that initial
login screen, then the device disconnecting from the SSID instead of
staying connected to allow the user to re-attempt login via Safari
(or any other iOS browser).

This login "mode" apparently can be disabled using DNS trickery (polluting
your /etc/hosts file, hijacking apple.com in your DNS server's info, etc. -
there's some notes at http://www.cloudpath.net/workaround_iphone.php)
but as the CP is already doing it's own redirection once the user has attempted TCP
connections ... I think this should be do-able completely within the CP framework (maybe).

If the iOS device is trying to get a "success" result when it goes to
http://www.apple.com/library/test/success.html ... it's simple
enough to add a "success.html" file to the CP files and return that. I'm not
sure how to do the filesystem trickery with the CP files, though. If I had
control/access of this directory normally, I'd either create those directories
or create loopback symlinks so that both ./library and ./test pointed to the
local directory.

Is it possible to construct a custom redirection rule within a CP configuration?
Or will the CP pop off all references to directories and simply return the
"success.html" file as though it were placed within "/library/test/" ??

This *might* correct this disconnect behavior that seems to be showing up
in the iOS platform.
Occasional Contributor II
Posts: 17
Registered: ‎09-26-2008

Maybe?

Ok, so I guess you're not really supposed to reply to yourself, but the
tricks that I would normally do within the filesystem could *possibly*
be done using a CGI written as the login page?

I'm not really sure what happens when you try to access a page that
doesn't exist in a directory that also doesn't exist, but the login page
would be where you're redirected in almost all pre-login cases. A bit
of CGI scripting there could check the requested URL and return the
contents of the success.html file when it's warranted.

Unfortunately, I've never had a need to write a CGI within the captive
portal framework and I'm not even sure if this method is possible either.

Help?
Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Ipad and Captive Portal Problem

Thanks for the information abrennan.

If you are currently using ArubaOS 6.1 and above, you can try the following:


config t
netdestination www.apple.com <----In ArubaOS 6.1 you can create an alias that points to a www
name www.apple.com
!
ip access-list session apple-cp <---- We can then create an ACL to permit all traffic to www.apple.com
user alias www.apple.com svc-http permit
!
ip name-server 8.8.8.8 <------- Configure a DNS server or two that the controller will use to resolve www addresses
ip name-server 4.2.2.2
ip domain lookup <------- Turn on DNS resolution
ip domain-name arubanetworks.com <------------ Set a domain for your controller (this can be anything, frankly)
user-role guest-logon <----------- Add the newly created access list to your captive portal initial role in position 1.
ip access-list session apple-cp position 1 <-----This will allow all http traffic to www.apple.com so that frame will not come up.


There is a "show firewall dns-names" command that will show what dns names resolve to that will be added in ArubaOS 6.2:

(host) # show firewall dns-names 

FW DNS names
------------
Name Id InUse List
---- -- ----- ----
ocsp.usertrust.com 1 1 208.116.18.83 64.150.188.27 64.150.190.19 65.98.24.187 69.175.66.203 69.175.66.219 174.133.236.131 174.133.251.251 208.77.208.79 208.77.208.82 208.116.13.251
yahoo.com 2 1 67.195.160.76 209.191.122.70 69.147.125.65 98.139.240.22 76.13.6.132 76.13.6.31 98.139.240.23 98.139.241.94 209.191.92.114 68.142.230.52 216.115.98.107 216.115.98.124 98.139.63.61 98.136.70.45 74.6.238.254 98.137.220.33 206.190.60.37 68.180.206.184 74.6.1
www.apple.com 3 1 23.1.77.15 184.86.157.15 96.16.173.15


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 17
Registered: ‎09-26-2008

Re: Ipad and Captive Portal Problem

Sadly, I'm still running 3.4.4.3, so I won't be able to do that exactly ...
but we're using the same sort of approach to allow that traffic through
(and manually updating the netdestination list). I had been hoping to
exploit the redirection capabilities to:

not pass needless traffic and
not pass unwanted traffic (since Akamai hosts a LOT of content
these days).

My last "trick" method is one that I'm not really willing to try given that
my student population returns tomorrow ... but I had t...





Occasional Contributor II
Posts: 16
Registered: ‎12-14-2010

Re: Ipad and Captive Portal Problem

I can confirm this works for iPad2 - putting in www.apple.com exception on the guest logon role. The iPad2 now shows the wireless icon pre-CP authentication. It no longer launches the "crippled" Safari browser to display the CP. Now when you launch Safari the Aruba CP is displayed inline, with no windows opening and closing.

One caveat I have discovered is that this now breaks the functionality of an app that requires network connectivity automatically launching the CP and then closing it after authentication. i.e. If I launch Flipboard with this workaround in place, it presents a connection error (when I am still in the guest logon role). Before, when the CP randomly works and randomly doesn't, the "crippled" browser displaying the CP would pop-up.

I assume this is because with the workound the iPad2 can now reach http://www.apple.com/library/test/success.html and doesn't think you need to popup a CP. Essentially - it's one problem solved and a new one created :)
Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Ipad and Captive Portal Problem

okay.

Does flipboard work AFTER you login, or no?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: