Security

Aruba Employee

HTTPS Captive Network wifi disconnect

After upgrading Apple computers to macOS "High Sierra", the system disconnects if a captive portal system responds with HTTPS.

To work around this issue, configure the NAS (controllers and/or switches) to redirect using HTTP instead of HTTPS.

Secondly, if using ClearPass Guest as captive portal, disable "Require HTTPS for guest access" in ClearPass Guest under CPG -> Configuration -> Authentication.

Note that the NAS login can still use HTTPS, so that credentials are posted securely into the NAS.

Apple is aware of the issue.

Aruba Employee

Re: HTTPS Captive Network wifi disconnect

Update on this issue:

It turns out that the CNA will disconnect from the WiFi in case the Captive Portal Server certificate is 'not trusted'.

The CNA only trusts certificates signed by any of the Trusted CAs listed under SystemRoots in the KeyChain.

Importing a CA into the Login KeyChain and manually setting it to "trusted" is ok for normal browsers like Safari, but not for the CNA!

The latest macOS update apparently distrusted the CA we were using (StartCom CA) and this is why the issue appeared after upgrading to High Sierra.

If the Captive Portal server has a valid SSL certificate signed by any of the CAs under SystemRoots, one can safely redirect using https (and in the case of ClearPass can enforce guest access using https).

Re: HTTPS Captive Network wifi disconnect

Out of curiosity, could the initial redirect be an HTTP Web Page with a simple meta redirect that redirects to the actual HTTPS page? Not sure if this was tested or not.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Aruba Employee

Re: HTTPS Captive Network wifi disconnect

Problem really is the captive portal certificate-trust by the Captive Network Assistant (CNA). Regardless of redirection method (controller, meta-redirect), it will disconnect from the WiFi as long as the CNA gets an un-trusted certificate presented by the captive portal server.
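A pre-deployment check for the trust condition described in this thread, added here as an example and not taken from any of the posts: it tests whether a portal certificate chains to a root in a PEM bundle standing in for SystemRoots. The function names, host names and the two constructed CAs are hypothetical, and the script assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example. Chain check only; Apple's own trust evaluation is not reproduced.
# Assumes OpenSSL 1.1.0+ (-no-CApath); OpenSSL 3.x additionally accepts -no-CAstore.
# Assumed export of the SystemRoots keychain to PEM on a Mac:
#   security find-certificate -a -p \
#     /System/Library/Keychains/SystemRootCertificates.keychain > systemroots.pem

# portal_cert_trusted ROOTS_PEM LEAF_PEM [INTERMEDIATES_PEM]
# Exit 0 only if LEAF_PEM chains to a root inside ROOTS_PEM.
portal_cert_trusted() {
  openssl verify -no-CApath -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

# --- Constructed test material (throwaway CAs and portal certificates) ---
make_ca() {      # make_ca NAME DIR : self-signed root
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
}
issue_cert() {   # issue_cert CA_NAME HOST DIR : leaf signed by CA_NAME
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$3/$2.key" -out "$3/$2.csr" 2>/dev/null
  openssl x509 -req -in "$3/$2.csr" -CA "$3/$1.pem" -CAkey "$3/$1.key" \
    -CAcreateserial -days 1 -out "$3/$2.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_ca system-root "$tmp"        # plays a CA listed under SystemRoots
make_ca login-only-root "$tmp"    # plays a CA trusted only in the Login keychain
issue_cert system-root portal-a.example "$tmp"
issue_cert login-only-root portal-b.example "$tmp"

# The bundle holds only the "system" root, as the CNA's trust set would.
roots="$tmp/system-root.pem"

for host in portal-a.example portal-b.example; do
  if portal_cert_trusted "$roots" "$tmp/$host.pem"; then
    echo "$host: chains to the bundle, HTTPS redirect should be safe"
  else
    echo "$host: not trusted by the bundle, expect the CNA to disconnect"
  fi
done
```

Against a real deployment, pass the exported SystemRoots bundle as the first argument, the portal's leaf certificate as the second, and its intermediates as the optional third.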
