Occasional Contributor II

Apple iOS 11 Devices fail to access (Captive) Portal

Hello,

we recently updated our Instant Access Antennas and the ClearPass Appliances to the latest builds. We are running a Guest WebPage for client access which is working fine - just new Apple devices running iOS 11 are not connecting to the public SSID for Guest Networks.

Of course I've read the hints concerning the SHA-1 changes in Apple's new iOS, but as we just updated our appliances, the certs are self-signed SHA-256 certs.

Now - we want to put a public cert on all Instant Controllers, but I'm not sure which CN or details we should add to the CSR.

Currently, the CN = setmeup.arubanetworks.com as the default value.

Which CN can we use, as the Instant controller is kind of dynamic? Where can we look up the hostname to choose the cert name for?

many thanks and br

Patzed

Guru Elite

Re: Apple iOS 11 Devices fail to access (Captive) Portal

Use something generic like network-login.domain.xyz. Use the same certificate across all of your controllers/VCs.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Apple iOS 11 Devices fail to access (Captive) Portal

Thanks for the fast reply.

So there is no need to assign any SAN and/or IPs for this cert?

I use to deliver certs to webservers, but then the CN has to match the server's IP/DNS name; this can be ignored for the portal?!

2nd question:

Can you confirm the new "state" that iOS 11 devices are unable to connect to a non-protected Wi-Fi if there is no official cert in place? The same portal is working with iOS 10.3 and SHA-256 is in place.

br and thanks

Patzed

Guru Elite

Re: Apple iOS 11 Devices fail to access (Captive) Portal

Correct. The name can be generic as the controller/VC will intercept requests for it. The CA should automatically add the CN as a SAN. IPs are not permitted in public CA-signed certificates.

I'm not sure about iOS 11, but a public CA-signed certificate should always be used, regardless of OS version.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
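
As an added example (not part of any post in this thread, and not Aruba's own tooling), the following shell functions create a key and CSR for one generic portal name and check that the request carries that name as a DNS SAN and no IP SAN, as the reply above describes. It assumes OpenSSL 1.1.1 or later for `-addext`; `network-login.domain.xyz` is the placeholder name from the thread and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: CSR for a single generic captive-portal name that can be
# reused on every controller/VC. Replace domain.xyz with a domain you control.
PORTAL_FQDN="${PORTAL_FQDN:-network-login.domain.xyz}"

# make_portal_csr DIR: write DIR/portal.key and DIR/portal.csr
make_portal_csr() {
    (
        umask 077   # the key is written unencrypted, so keep it owner-only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$1/portal.key" -out "$1/portal.csr" \
            -subj "/CN=${PORTAL_FQDN}" \
            -addext "subjectAltName=DNS:${PORTAL_FQDN}" 2>/dev/null
    )
}

# csr_sans CSR: print the requested SAN entries, one per line
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n1 |
        tr ',' '\n' | sed 's/^ *//'
}

# check_portal_csr CSR: print "ok" and return 0 when the portal name is
# present as a DNS SAN and no IP SAN is requested; otherwise print the reason.
check_portal_csr() {
    portal_sans="$(csr_sans "$1")"
    if ! echo "$portal_sans" | grep -qxF "DNS:${PORTAL_FQDN}"; then
        echo "CN missing from SAN"
        return 1
    fi
    # Public CAs will not sign IP entries for this kind of certificate
    if echo "$portal_sans" | grep -q '^IP Address:'; then
        echo "IP SAN present"
        return 1
    fi
    echo "ok"
}
```

Run `make_portal_csr` once, submit `portal.csr` to the public CA, and use the resulting certificate on all controllers/VCs.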
Occasional Contributor II

Re: Apple iOS 11 Devices fail to access (Captive) Portal

Thanks again,

sure - the signed cert should always be the preferred solution. I just wondered which type of certificate I need to upload?

When I log on to the guest portal via notebook, the certificate is shown as the local webserver GUI certificate, but I cannot verify this via the iPhone. I guess I can just option/type:

-> Captive-Portal-Server -> X509 with passphrase not the option Default "Web UI Server Certificate" ?

br

Patzed

Guru Elite

Re: Apple iOS 11 Devices fail to access (Captive) Portal

Occasional Contributor II

Re: Apple iOS 11 Devices fail to access (Captive) Portal

Having similar captive portal issues with our 7030. We are using 384-bit ECDSA certs signed with SHA384 on a private CA server for our Captive Portal for Guests and BYOD. From what I am reading above, in order for iOS 11 to connect to our captive portals we now need public certificates? No exceptions or workarounds. Even if I make the CA public facing with OCSP. Thanks.

Guru Elite

Re: Apple iOS 11 Devices fail to access (Captive) Portal

Yes, you absolutely need a public CA-signed certificate for captive portal redirection and the ClearPass HTTPS cert for guests and Onboard. That has always been a requirement.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Apple iOS 11 Devices fail to access (Captive) Portal

Hi there!

I've got some instant-style Aruba IAP-205s that are also not letting iOS 11s in (it claims the password is incorrect, whenever anyone tries username/password-style authentication). I gathered instructions all over the web (especially from these boards, which are terrific) and uploaded a public-CA-signed PEM file as a Captive Portal certificate, and changed the Captive Portal URL (which we don't really use, nobody ever navigates there, previously its URL was just /) to match the arbitrary URL I used for the SSL certificate.

But, of course, in a browser it's still coming up as insecure when I log into the administrative console, which is still at https://instant.arubanetworks.com:4343/, since that doesn't match our certificate's new domain. Should I be concerned? How can I resolve this?

Thanks!

Guru Elite

Re: Apple iOS 11 Devices fail to access (Captive) Portal

You don't really need to worry about the admin UI.
If needed, add a DNS entry to match the name for the VC IP.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480