Security

Hello i got this problem in which the apple devices has to register 2 times.

 

The is what happens

User gets the guest selft registration page

Input alll his data

The admin give him access

He click the log in botton

He gets  the captive portal again

He self register again and it works this time

 

 

This just happen the FIRST time the apple register in the captive portal..

If this device i delete it from the device endpoint repository, delete it also from teh client table of the controller, and register again, it has no issue

 

I dont know if the problem is the certificates, in that deployment we are using a certificate i signed with their CA and uploaded to their controller..  I did the request from the controller

I did not do this with the Clearpass, do i need to do this also with the clearpass in order to this not to happen?

Anyone got an idea why this is happening?

 

Cheers

Carlos

During the first attempt, do you see the request in the CPPM access tracker for that client? If yes and if it is a reject, then please check the access tracker alert message for more details.

i cant check right now... i dont have an apple device...

I notice that this happen when i get the certificate error. 

after you save the certificatre on the  apple device and you register again this wont happen... or at least thats what i see.

I dont know how to delete this certificate to reproduce the scanario...  I bealive the problem is that i need  a public certificate... ill try to get an apple device to show you the error....

 

 

Cheers

Carlos

Hello Vince

I have been doing more test and labs and i found  the fallowing

 

1-If i use the default certificate of the aruba controller, the selft signed one( i have to register twice the apple deivces)(it works fine with everything else, windows, android but apple has to register twice)

2-If i use  a certificate signed by my CA on the controller i still need to register twice apple devices)

3-IF i use a public certificate on the controller, everything works fine...

 

Im not sure but the difference seems that the public certificate has all the trust chain( Root Ca, Intemediate CA and the server certificate  in a .pem file.(i uploaded that to the controller)

 

The Selft signed certificate does not have that

The cert i used i did the request fromt he controller and signed it with my lab CA.( here i just got a root CA but i dotn have intermediate CA)

 

Does apple really need that?

What i know is that with the public cert seems to work just fine...

 

Any thoughs????

Anyone???

 

Cheers

Carlos

 

 

Hi Carlos,

 

If you are using captive portals always use public certificates, on CPPM and the controller. Apple devices require public certificates and it's difficult to bypass certificate warnings. If the certificate is not trusted Apple Captive Network Assistant (CNA) is also not working.

 

If you are in a lab environment it's possible to disable HTTPS and use HTTP. 

 

Regards, Willem

Hi Carlos,

 

When you used self signed cert on controller signed by your own CA, is that CA a trusted CA in your iOS device?

Of course not. Remenber those devices are supposed to be guest. They will never trust my i ternal CA. Maybe if they were ibternal users... but those are visitors

Cheers
Carlos