Controller Based WLANs

What config on Aruba is needed to Bypass Apple Captive Network Assistant when external CP using Amigopod is done

Aruba Employee

Question

The Apple Captive Network Assistant (CNA) feature is an overlay that appears and prompts users automatically to login to the detected captive portal network without the need to explicitly open a web browser. This type of login is useful on mobile devices where many of the common applications are not browser-based and these applications would otherwise fail to connect without the successful browserbased authentication. Examples of these nonbrowser-based applications are email, social networking applications, corporate VPNs, and media streaming.

Answer

The Apple Captive Network Assistant (CNA) feature is an overlay that appears and prompts users automatically to login to the detected captive portal network without the need to explicitly open a web browser. This type of login is useful on mobile devices where many of the common applications are not browser-based and these applications would otherwise fail to connect without the successful browserbased authentication. Examples of these nonbrowser-based applications are email, social networking
applications, corporate VPNs, and media streaming.
 
The Apple operating systems detect the presence of a network that has captive portal enabled by attempting to request a web page from the Apple public website. This HTTP GET process retrieves a simple success.html file from the Apple web servers and the operating system uses the successful receipt of this file to assume that it is connected to an open network without the requirement for captive portal authentication.
If the success.html file is not received, the operating system conversely assumes that a captive portal is in place and presents the CNA automatically to prompt the user to perform a web authentication task. When the web authentication has completed successfully, the CNA window is closed automatically, which prevents the display of any subsequent welcome pages or redirecting of the user to their configured home page. If the user chooses to cancel the CNA, the Wi-Fi connection to the open network is dropped automatically, which prevents any further interaction via the full browser or other applications.

Here an example of External Captive portal from Amigopod is used


The CNA can be identified easily by the lack of a URL bar at the top of the screen and typical menu bar items. For many customers, this behavior of their Apple wireless devices will be acceptable and a great usability enhancement for their user community. However for some guest access or public access designs, the use of this CNA and the lack of ability to control the entire web authentication user experience are not desirable. For these customer scenarios, Amigopod has developed a method of bypassing the display of the CNA on the Mac OS X Lion or iOS devices. The main driver for this implementation is to restore the ability to control the user experience and display post-authentication welcome pages or redirect the Wi-Fi users to their originally requested web page.

Configuration of CNA bypass
In a typical External Captive Portal deployment integrating with an ArubaOS controller, the captive portal profile is configured to redirect all unauthenticated users to the external captive portal page hosted on External Server. 

aaa authentication captive-portal "guestnet"

default-role auth-guest
redirect-pause 3
no logout-popup-window
login-page http://10.169.130.50/Aruba_Login.php
welcome-page http://10.169.130.50/Aruba_welcome.php
switchip-in-redirection-url

The captive portal profile is configured to redirect all unauthenticated users to the external captive portal page.

Amigopod has implemented a new embedded URL within the portal configuration that is designed to address the issue of bypassing the mini browser discussed previously. This new page is available on the following URL:
http://<Amigopod IP or FQDN>/landing.php/
 
The new web page includes the logic to detect the presence of an iOS device or Mac OS X Lion machine being redirected as part of the captive portal configuration on an Aruba controller. If these devices are detected, their initial request to the Apple web site is served locally from the Amigopod, which emulates the environment of an open connection to the Internet. When the response from the Apple web site is emulated, the iOS device or Mac OS X machine no longer initiates the CNA and the user can launch their local browser manually as desired.
 
Now that the devices are able to open the local browser, any attempt to access the Internet is redirected again to the Amigopod. This new function differentiates between this web browser request and the previous Captive Network Assistant request and forwards the session onto the configured Amigopod Web Login page.

Amigopod can host multiple Web Login pages, so a simple method has been provided to configure the Web Login page that should be used without requiring any additional configuration on Amigopod. This definition of the Web Login page simply can be specified as part of the captive portal profile configuration on the Aruba controller.

The need to bypass this CNA solution for prompting users to perform a web authentication task is driven largely by the customer design and need to control the user experience as guest or public access users authenticate to the network.

By enabling authentication that is based on the client web browser, this solution enables a fully customized web login experience to be developed and presented through the Amigopod portal options.
Version history
Revision #:
1 of 1
Last update:
‎06-10-2014 12:25 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.