Guru Elite

iOS 7 - Captive Portal

Looks like they changed the behavior of the captive network assistant check. If you have captive network assistant bypass turned on, you'll likely need to update your netdests.


There are two new destinations that it checks for:

www.appleiphonecell.com
captive.apple.com

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
14 REPLIES
Occasional Contributor II

Re: iOS 7 - Captive Portal

Tim,

I already have my certificate authority whitelisted to allow OCSP. What are the symptoms for the users if these destinations aren't whitelisted? Does Apple require additional destinations (in addition to the two you specified)?

Thanks,

Brad

 

Guru Elite

Re: iOS 7 - Captive Portal

Brad,

This isn't a certificate issue. It has to do with the captive network assistant and "faking" it out to think it's connected while still being able to redirect to Onboard and other initial captive portals.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: iOS 7 - Captive Portal

Tim,

What does the user experience if the captive network assistant (I'm assuming this is a component of the Apple device) is not faked out to think it's connected?

Thanks,

Brad

 

Aruba

Re: iOS 7 - Captive Portal

If you are running ClearPass, they've issued an iOS 7 Captive Network Assistant fix; I first noticed it after applying Patch 1 to 6.2 if you are using the .../landing.php/... page method.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Re: iOS 7 - Captive Portal

And we are also adding this same logic to Instant and AOS on the controllers.  Apple's CNA is more "complex" and whitelisting a few specific URLs will no longer be sufficient.  They are rotating a few more URLs out there to figure this out.  However, our solutions will keep Guest registrations working.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos

Re: iOS 7 - Captive Portal

If whitelisting the URLs is not the best method any more, what is appropriate?  I am using the landing page trick, but my iOS 7 devices are still hitting the CNA, even with the iOS7 CP patch.  I would assume the landing page method only works if the device is attempting to access apple.com?  So what am I missing?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite

Re: iOS 7 - Captive Portal

There is also an option in the captive portal profile:

[Image: captive-portal-bypass.PNG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: iOS 7 - Captive Portal

What version is required for this?  I heard it was in 6.2 but I don't have it as an option.  I'm on 6.2.1.3.


Re: iOS 7 - Captive Portal

I have it on 6.3.1.1 but I don't have it in 6.2.1.2
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]