Super Contributor II
Posts: 390
Registered: ‎09-05-2012

CPPM and Onboard - Apple device issues

Hey,

 

We are in the process of setting up our wireless infrastructure. We are using CPPM ver 6.0.1 along with a Wireless Controller.

We were able to get Onboarding working for Android, and Windows devices.

 

When we finally got our hands on an iPad 2 to do some testing we discovered that we couldn't Onboard it. We then tested with an older iPhone and we couldn't Onboard that either.

 

We are using self-signed certificates, with the CPPM Onboarding being the CA (I hope I am saying that correctly).

 

We are able to install the root CA into the iPad without issue, the step that comes after that is what fails.

When the Apple device attempts to install the profile it reports that the certificate for the profile is not valid: Profile Installation Failed - The server CERTIFICATE: "https://<servername>/guest/id/1/...." is invalid

 


I can only assume that we have done something wrong with the way we set up our Onboarding. Any ideas as to what that could be?

 

Any help would be greatly appreciated!

 

Cheers

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: CPPM and Onboard - Apple device issues

The issue you are running into is based on http/https. 

 

1. Disable https on the L3/captiveportal profile on the controller

2. Disable https on CPGuest Home » Configuration » Authentication

3. Change validate certificate in Home » Onboard » Provisioning Settings: on the last tab, change validate to No

Thank You,
Troy

Super Contributor II
Posts: 390
Registered: ‎09-05-2012

Re: CPPM and Onboard - Apple device issues


Hey tarnold,

 

Thank you for your reply.

 

I follow what you are saying on point 2 and 3.

Point 3 we have done already as we ran into issues in the very beginning with Onboarding in general and we found this option and disabled it.

 

Point 2, I will make the adjustment when I am back at the office tomorrow!

 

On point 1, should I select the option "Use HTTP for authentication" and then in the "Login page" field change it from https://<url to page> to http://<url to page>?

 

I will make these changes though and report back!

 

Thank you very much!

Super Contributor II
Posts: 390
Registered: ‎09-05-2012

Re: CPPM and Onboard - Apple device issues

Hey,

 

So we made the changes you suggested and all is working.

 

However, we now have a new issue with the iPad.

 

When we connect it to our Guest SSID (we use this SSID to Onboard as well) and we try and browse to a website, which then redirects the user to the Captive Portal, at this point the iPad disconnects itself from the Guest SSID.

 

We have a Custom Captive Portal that has links to all the different options for the users because we use our Guest SSID to do a lot of different things. On this Captive Portal we have a redirect java function that detects mobile devices and redirects them to a mobile site we designed. It appears that this redirection is causing the iPad to disconnect. This redirection works on all other non Apple devices.

 

I suspect this is not an Aruba issue, but it is an annoying issue nonetheless.

 

Cheers

Super Contributor II
Posts: 390
Registered: ‎09-05-2012

Re: CPPM and Onboard - Apple device issues


Hey,

 

We were able to figure out the issue with the iPad 2.

 

It wasn't anything to do with Aruba.

 

Apple does a check for Internet access using the following URL http://www.apple.com/library/test/success.html

 

Then one of two things was happening:

 

  1. If the device was able to contact this URL then all was well and the iPad would stay connected to the SSID
  2. If the device was unable to contact this URL then the iPad would disconnect itself from the SSID

This only appears to happen if there is a Captive Portal between the iPad and the Internet.

 

In order to stop this from happening we set up our DNS with a special view for the guests which would resolve www.apple.com to one of our servers where we created the same page. The iPads now stay connected; the only downside is that any Guests will not be able to contact www.apple.com. But this way we don't need to keep a list of IPs where this Apple URL is hosted. They appear to host it with Akamai, and each request almost always goes to a new IP.
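A check for the behaviour described in the post above, added here as an example and not part of the original thread: run from a client in the guest logon role, it requests the probe URL without following redirects and reports whether the client gets the success page, a redirect, or something else. The `Success` marker, the sample responses and `portal.example` are constructed assumptions; the thread only says the replica is "the same page".

```python
import http.client
import io
import sys

PROBE_HOST = "www.apple.com"
PROBE_PATH = "/library/test/success.html"
MARKER = b"Success"  # assumption: text the probe page (or its replica) must contain

# Constructed sample responses, so the classifier can be exercised offline.
SAMPLES = {
    "replica": b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<HTML><BODY>Success</BODY></HTML>",
    "portal_redirect": b"HTTP/1.0 302 Found\r\n"
                       b"Location: http://portal.example/guest/\r\n\r\n",
    "portal_inline": b"HTTP/1.0 200 OK\r\n\r\n<html><body>Please log in</body></html>",
}

class _Sock:
    """Minimal socket stand-in so http.client can parse captured bytes."""
    def __init__(self, raw):
        self._raw = raw
    def makefile(self, *args, **kwargs):
        return io.BytesIO(self._raw)

def classify(status, body):
    if status == 200 and MARKER in body:
        return "success"      # probe page reached: the case where the iPad stays connected
    if 300 <= status < 400:
        return "redirected"   # captive portal answered the probe with a redirect
    if status == 200:
        return "intercepted"  # some other page was served in place of the probe page
    return "failed"

def classify_raw(raw):
    resp = http.client.HTTPResponse(_Sock(raw))
    resp.begin()
    return classify(resp.status, resp.read())

def probe_live(timeout=5):
    """Live request through whatever DNS view this client uses; redirects are not followed."""
    conn = http.client.HTTPConnection(PROBE_HOST, 80, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH)
        resp = conn.getresponse()
        return classify(resp.status, resp.read())
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify_raw(raw)}")
    if "--live" in sys.argv:
        print("live:", probe_live())
```

Running it with `--live` from both the guest view and an internal view shows whether the DNS override is scoped to guests only.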

MVP
Posts: 520
Registered: ‎05-11-2011

Re: CPPM and Onboard - Apple device issues

This sounds like an issue with CNA:
http://www.arubanetworks.com/wp-content/uploads/Amigopod-CNA-bypass-AppNote.pdf?repo=tech

Did you implement that?

I remember having to actually implement a walled garden for the logon role which gave access to apple.com..


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
Super Contributor II
Posts: 390
Registered: ‎09-05-2012

Re: CPPM and Onboard - Apple device issues

Hey jsolb,

 

After reading through the PDF it would appear that this is exactly the issue we were dealing with.

The behaviour is the same for sure!

 

We are going to have to give this a try.

 

We were looking at ways to provide the users access to apple.com from the initial Guest-Logon role without granting them access to the entire Internet. We finally decided to essentially spoof apple.com with our own Internal DNS.

 

I myself am not very familiar with setting up a walled garden but it might be something we look into. It might be more elegant than what we currently have in place.

 

Thanks for the document it is much appreciated!

Super Contributor II
Posts: 390
Registered: ‎09-05-2012

Re: CPPM and Onboard - Apple device issues

Hey,

 

Sorry, I have another question pertaining to the Apple devices.

 

When they are in the process of being provisioned I noticed that in the Access Tracker of the CPPM their requests look totally different than that of Android and Windows devices.

 

An Android/Windows device includes:

Aruba-Mdps-Device-Name, Aruba-Mdps-Device-Product, Aruba-Mdps-Device-Udid, Aruba-Mdps-Device-Version

 

An iOS Device includes only:

Aruba-Port-Id

 

I can only assume this is because the process that the Apple devices take to Onboard is way different. But I suspect that we could have configured something wrong for the provisioning of the Apple devices.

 

Should I be seeing more Radius:Aruba attributes from the Apple devices?
