Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Do Apple devices have sporadic issues with captive portal?

  • 1.  Do Apple devices have sporadic issues with captive portal?

    Posted Aug 26, 2013 04:56 PM

    We recently deployed a captive portal using the Aruba controller's built-in feature and just found that some of our MacBooks or iMacs have an issue with the captive portal.  The symptom is that the login page doesn't display and times out.

    What makes it ugly to troubleshoot is that it only happens on some devices.  We tested about 10 MacBooks and two of them were not good.  I just wonder if people here have a similar issue.   None of the Windows or other mobile devices have had issues so far.

    thanks,

    Yong



  • 2.  RE: Do Apple devices have sporadic issues with captive portal?

    EMPLOYEE
    Posted Aug 26, 2013 05:03 PM

    Please take a look at the article here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1680 and see if it applies to you.



  • 3.  RE: Do Apple devices have sporadic issues with captive portal?

    Posted Aug 26, 2013 05:21 PM

    Thanks for the quick response.

    I followed the article and added apple.com to the initial role allow list but still the same.  The login page failed to load with the message: the connection was interrupted.   So far no problem with iPhone and it seems to only be happening on OS 10.7 and up.

    If no one else has a similar problem, it has to be my configuration.



  • 4.  RE: Do Apple devices have sporadic issues with captive portal?

    EMPLOYEE
    Posted Aug 26, 2013 05:29 PM

    There are a number of requirements with that solution:

    - you need ArubaOS 6.1.x and above

    - You need to turn on DNS resolution on your controller and test it (type "ping www.yahoo.com" on the controller command line to know that it is working).

    - You need to create the apple.com netdestination and add it to your initial role

    Please let me know if you have done all three...



  • 5.  RE: Do Apple devices have sporadic issues with captive portal?

    Posted Aug 27, 2013 12:31 PM

    I figured it out (at least I think).  After noticing that the keychain froze or got corrupted when it failed to connect, I reinstalled the certificate and intermediate CA on all my controllers following this thread and it seems to fix all the Mac issues.

    http://community.arubanetworks.com/t5/Campus-WLAN-and-High-Density-Wi/Installing-server-certificate-and-all-the-intermediate-chain-for/td-p/65034/page/2

    My explanation is that OS X doesn't play well when the certificate is not validated by the browser or OS.

    Thanks for your help,

    Yong



  • 6.  RE: Do Apple devices have sporadic issues with captive portal?

    Posted Dec 06, 2013 05:48 PM

    Controller = Aruba 3400

    OS = 5.0.4.6

    MAC OS X 10.8.5 12F45, Safari 6.0.5

    The default certificate in the Aruba 3400 (OS 5.0.4.6) expired on 11/21/2013.

    Therefore, we purchased a Verisign server certificate and uploaded the server certificate for Captive Portal.

    Yesterday, we experienced a problem.

    MAC OS X 10.8.5 12F45, Safari 6.0.5 could not get the Captive Portal login screen.

    I researched Airheads and other websites and figured out two requirements to make MAC OS X work for Captive Portal with OS 5.0.4.6.

    1. The MAC OS X client requires access to us-courier.push-apple.com, cn1.redswoosh.akadns.net, e3191.dscc.akamaiedge.net, and other Apple.com related websites PRIOR to the Captive Portal login screen.

    2. Referring to the Airheads post shown below, the purchased server certificate should include the intermediate Trust CA and Root Trust CA to make MAC OS X work.

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Installing-server-certificate-and-all-the-intermediate-chain-for/td-p/65034/page/2

     

    Actions for 1

    I captured a packet trace by selecting the MAC OS X laptop by wireless MAC address.

    From the Controller UI, Monitoring -> Controller -> Clients. Enter the MAC address and click on Search.

    Click on the radio button to choose the laptop and click on Packet Capture.

    Enter the IP address of the target PC (the PC which has the Aruba version of Wireshark installed) and match the captured-packet transport UDP port (default 5555) with the Aruba version of Wireshark on the target PC. Click Start to start the captured-packet transfer.

    On the target PC, start the Aruba version of Wireshark with the UDP-5555 interface selected.

    (Note: To make the above Packet Capture work, you need to add one policy in ap-acl, so that UDP packets on port 5555 can go through from the AP to the Ethernet LAN.)

     

    ip access-list session ap-acl
      any any svc-gre permit
      any any svc-syslog permit
      any user svc-snmp permit
      user any svc-http permit
      user any svc-http-accl permit
      user any svc-smb-tcp permit
      user any svc-msrpc-tcp permit
      user any svc-snmp-trap permit
      user any svc-ntp permit
      user   alias controller svc-ftp permit
      any any udp 5555 5556 permit  <== Add this policy

     

    What you can see in the Wireshark trace is IEEE 802 and LLC packets. When an LLC header is attached, Wireshark does not decode the IP and TCP headers after the LLC header. In my case, the IP header (starting with x'45') is at x'0024' in the packet, and the source/destination IP addresses are at x'0030-0033' (source IP) and x'0034-0037' (destination IP). For example, if you can read x'0034-0035' as x'0a 0b 0c 0d', the destination IP address is "10.11.12.13".

     

    I created a policy APPLE and added those IP subnets:

     

    ip access-list session APPLE
      user network 208.14.0.0 255.255.0.0 svc-http permit
      user network 208.73.0.0 255.255.0.0 svc-http permit
      user network 208.14.0.0 255.255.0.0 svc-https permit
      user network 208.73.0.0 255.255.0.0 svc-https permit
      user network 96.17.0.0 255.255.0.0 svc-http permit
      user network 96.17.0.0 255.255.0.0 svc-https permit
      user network 69.31.0.0 255.255.0.0 svc-http permit
      user network 69.31.0.0 255.255.0.0 svc-https permit
      user network 23.3.0.0 255.255.0.0 svc-http permit
      user network 23.3.0.0 255.255.0.0 svc-https permit
      user network 23.195.0.0 255.255.0.0 svc-http permit
      user network 23.195.0.0 255.255.0.0 svc-https permit

     

    And apply this APPLE policy in guest-logon as shown below.  logon-control assigns the DHCP IP address, therefore I think the APPLE policy should be after logon-control and before captiveportal.

     

    user-role guest-logon
     captive-portal "default"
     session-acl logon-control
     session-acl APPLE
     session-acl captiveportal

     

    Apply and Save configuration.

     

    Actions for 2

     

    I included the Intermediate CA and Root Trust CA after the purchased certificate.

    The trust structure of the certificate is:

    Verisign (Root Trust CA)

        verisign class3 Secure Server CA G3 (Intermediate CA)

            xxxxx.xxxxx.xxxxxx (Purchased Certificate)

    and I placed those three certificates in WordPad and saved it with an xxxx.cer filename.

     

    -----BEGIN CERTIFICATE-----
    <Purchased Certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    verisign class3 Secure Server CA G3 certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Verisign certificate
    -----END CERTIFICATE-----

     

    On the Controller UI screen, Configuration - Management - Certificates, upload the certificate as shown below:

    Certificate name :

    Certificate Filename:

    Certificate Format PEM

    CertificateType ServerCert

     

    After the certificate is uploaded, switch this certificate for CaptivePortal.

     

    With Action 1 and Action 2, despite the 5.0.4.6 controller level, Captive Portal worked with MAC OS X 10.8.5 12F45 and Safari 6.0.5.
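The "Actions for 1" procedure above decodes destination addresses by hand from the Wireshark hex view and then types them into a session ACL. The following script is an added example, not code from the original post or from Aruba: it decodes the IPv4 header at the offset the post observed (x'0024', kept as a parameter because it depends on the encapsulation in front of it), keeps only the client's outbound HTTP/HTTPS traffic, aggregates the destinations into /16 networks the way the post did, and emits the ACL in the post's format. The sample frames are constructed inline for the demonstration and are not captured traffic.

```python
"""Decode raw frames from a controller packet capture and turn the destinations a
client reaches before login into an ArubaOS session ACL (the post's APPLE policy).

Added example, not code from the original post. Assumptions: frames are raw bytes
as delivered by the UDP-5555 transfer, with the IPv4 header at offset 0x24 as the
post observed (IP_OFFSET is a parameter because the offset depends on the
encapsulation in front of it). The sample frames at the bottom are constructed
by hand, not captured traffic.
"""
import ipaddress
import struct
from collections import defaultdict

IP_OFFSET = 0x24                                        # where the IPv4 header (0x45...) starts
TCP_PORT_SERVICE = {80: "svc-http", 443: "svc-https"}   # ArubaOS service aliases used in the post
PROTO_TCP, PROTO_UDP = 6, 17


def decode_ipv4(frame: bytes, ip_offset: int = IP_OFFSET):
    """Return (src_ip, dst_ip, proto, dst_port) for an IPv4 frame, else None.

    Offsets are taken relative to the IP header: source address at +12 and
    destination at +16, which is the post's x'0030' and x'0034' when the header
    itself sits at x'0024'. dst_port is None for anything but TCP/UDP.
    """
    if len(frame) < ip_offset + 20:
        return None
    ver_ihl = frame[ip_offset]
    if ver_ihl >> 4 != 4:                       # not an IPv4 header where we expected one
        return None
    ihl = (ver_ihl & 0x0F) * 4                  # header length in bytes (20 for 0x45)
    proto = frame[ip_offset + 9]
    src = ipaddress.IPv4Address(frame[ip_offset + 12:ip_offset + 16])
    dst = ipaddress.IPv4Address(frame[ip_offset + 16:ip_offset + 20])
    dst_port = None
    l4 = ip_offset + ihl
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        # TCP and UDP headers both begin with source port, destination port
        _src_port, dst_port = struct.unpack("!HH", frame[l4:l4 + 4])
    return str(src), str(dst), proto, dst_port


def build_session_acl(frames, client_ip: str, name: str = "APPLE", prefix_len: int = 16):
    """Aggregate the client's outbound HTTP/HTTPS destinations into /prefix_len
    networks and emit 'ip access-list session' lines in the post's form.
    Only frames sent by client_ip count, so replies and other clients are ignored."""
    services = defaultdict(set)                 # network -> {svc-http, svc-https}
    for frame in frames:
        decoded = decode_ipv4(frame)
        if decoded is None:
            continue
        src, dst, proto, dst_port = decoded
        if src != client_ip or proto != PROTO_TCP or dst_port not in TCP_PORT_SERVICE:
            continue
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        services[net].add(TCP_PORT_SERVICE[dst_port])
    lines = [f"ip access-list session {name}"]
    for net in sorted(services):
        for svc in sorted(services[net]):
            lines.append(f"  user network {net.network_address} {net.netmask} {svc} permit")
    return lines


def make_frame(src: str, dst: str, dst_port: int, proto: int = PROTO_TCP) -> bytes:
    """Build a constructed test frame: IP_OFFSET bytes of placeholder encapsulation,
    a 20-byte IPv4 header and the first four bytes (ports) of the transport header.
    Checksums are left at zero because only addresses and ports are decoded."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * IP_OFFSET + ip_hdr + struct.pack("!HH", 50000, dst_port)


# Constructed sample capture: one client (10.0.0.5) talking to three addresses in
# ranges from the post's ACL, plus one server reply and one DNS query.
CLIENT_IP = "10.0.0.5"
SAMPLE_FRAMES = [
    make_frame(CLIENT_IP, "208.14.1.1", 443),
    make_frame(CLIENT_IP, "208.14.2.2", 80),
    make_frame(CLIENT_IP, "96.17.3.4", 443),
    make_frame("208.14.1.1", CLIENT_IP, 50000),                # server reply, not a client destination
    make_frame(CLIENT_IP, "192.0.2.53", 53, proto=PROTO_UDP),  # DNS, not part of the HTTP/HTTPS policy
]

if __name__ == "__main__":
    print("\n".join(build_session_acl(SAMPLE_FRAMES, CLIENT_IP)))
```

Aggregating to /16 reproduces the post's ACL but opens far more address space than the client actually used, and CDN addresses change over time; on ArubaOS 6.1 and later the netdestination plus DNS-resolution approach from the earlier replies keeps the pre-login allow list tied to names rather than to whatever a single capture happened to show.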