Occasional Contributor I
Posts: 6
Registered: ‎03-09-2016

How to Make Apple Captive Portal Pop up for Apple Devices?

Hi, I am currently using Aruba Wireless Controller (7030) Aruba OS - 6.4.2.13 together with ClearPass 6.5.5.78974.

Can I check what settings I need to set up on the wireless controller or ClearPass in order for the Apple captive portal to appear whenever an Apple user connects to the SSID meant for Guest?

(i.e. I do not want to open the browser, but I want the portal to appear automatically without going through the portal)

 

Thank you so much!

Sheen An

Guru Elite
Posts: 20,978
Registered: ‎03-29-2007

Re: How to Make Apple Captive Portal Pop up for Apple Devices?

What is your initial role on the Aruba Controller?  Can you give us the output of "show rights <role>"?

 

Also make sure that "Prevent CNA" is not enabled on the ClearPass Side:  http://www.arubanetworks.com/techdocs/ClearPass/CPGuest_UG_HTML_6.5/Default.htm#Onboard/ConfigProvisioningWebLogin.htm?Highlight=prevent cna



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base


Occasional Contributor I
Posts: 6
Registered: ‎03-09-2016

Re: How to Make Apple Captive Portal Pop up for Apple Devices?

Hi cjoseph

 

THANK YOU for your response.

 

I think my initial role is “Guest”. Here’s the output:

 

(7030-Primary) #show rights guest

Derived Role = 'guest'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Web Content Classification: Enabled
 ACL Number = 4/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name              Type     Location
--------  ----              ----     --------
1         global-sacl       session
2         apprf-guest-sacl  session
3         ra-guard          session
4         http-acl          session
5         https-acl         session
6         dhcp-acl          session
7         icmp-acl          session
8         dns-acl           session
9         v6-http-acl       session
10        v6-https-acl      session
11        v6-dhcp-acl       session
12        v6-icmp-acl       session
13        v6-dns-acl        session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-guest-sacl
----------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
ra-guard
--------
Priority  Source  Destination  Service           Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------           -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          icmpv6 rtr-adv                 deny                             Low                                                           6
http-acl
--------
Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          svc-http               permit                           Low                                                           4
https-acl
---------
Priority  Source  Destination  Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          svc-https               permit                           Low                                                           4
dhcp-acl
--------
Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          svc-dhcp               permit                           Low                                                           4
icmp-acl
--------
Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          svc-icmp               permit                           Low                                                           4
dns-acl
-------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          svc-dns               permit                           Low                                                           4
v6-http-acl
-----------
Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          svc-http               permit                           Low                                                           6
v6-https-acl
------------
Priority  Source  Destination  Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          svc-https               permit                           Low                                                           6
v6-dhcp-acl
-----------
Priority  Source  Destination  Service      Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------      -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          svc-v6-dhcp               permit                           Low                                                           6
v6-icmp-acl
-----------
Priority  Source  Destination  Service      Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------      -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          svc-v6-icmp               permit                           Low                                                           6
v6-dns-acl
----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          svc-dns               permit                           Low                                                           6

Expired Policies (due to time constraints) = 0

 

 

Sheen An

Guru Elite
Posts: 20,978
Registered: ‎03-29-2007

Re: How to Make Apple Captive Portal Pop up for Apple Devices?

I mean the role that your device gets before the captive portal.  If guest is your initial role, that is why the captive portal is not coming up.  The guest role is typically used for after a user is logged on.  Your initial role should be "logon" or if you used the wlan wizard it is typically "logon-<something>".  Type "show rights" to see if there is a logon role.  The initial role is typically set in the AAA profile.

 

If the user is associated, type "show user-table verbose" to see the AAA profile that you would need to change the initial role to "logon".



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎03-09-2016

Re: How to Make Apple Captive Portal Pop up for Apple Devices?

Hello!!

 

Thank you so much, here's the show rights for the logon role.

 

Up BW:No Limit   Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
DPI Classification: Enabled
Web Content Classification: Enabled
ACL Number = 98/0
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                                           Type     Location
--------  ----                                           ----     --------
1         global-sacl                                    session
2         apprf-IM-Guest-Logon-sacl                 session
3         wlan-Guest-logon-control                  session
4         wlan-Guest-allow-external-captive-portal  session
5         wlan-Guest-allow-google-play              session
6         wlan-Guest-captiveportal                  session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-Guest-Logon-sacl
------------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
wlan-Guest-logon-control
-----------------------------
Priority  Source  Destination  Service           Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------           -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          udp 68                         deny                             Low                                                           4
2         user    any          icmpv6 rtr-adv                 deny                             Low                                                           6
3         any     any          svc-icmp                       permit                           Low                                                           4
4         any     any          svc-dns                        permit                           Low                                                           4
5         any     any          svc-dhcp                       permit                           Low                                                           4
6         any     any          svc-natt                       permit                           Low                                                           4
wlan-Guest-allow-external-captive-portal
---------------------------------------------
Priority  Source  Destination                                    Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------                                    -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    wlan-Guest-allow-external-captive-portal  svc-http                permit                           Low                                                           4
2         user    wlan-Guest-allow-external-captive-portal  svc-https               permit                           Low                                                           4
3         any     10.3.16.58                                     any                     permit                           Low                                                           4
wlan-Guest-allow-google-play
---------------------------------
Priority  Source  Destination                        Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------                        -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    wlan-Guest-allow-google-play  svc-http                permit                           Low                                                           4
2         user    wlan-Guest-allow-google-play  svc-https               permit                           Low                                                           4
wlan-Guest-captiveportal
-----------------------------
Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
2         user    any          svc-http                      dst-nat 8080                           Low                                                           4
3         user    any          svc-https                     dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

Guru Elite
Posts: 20,978
Registered: ‎03-29-2007

Re: How to Make Apple Captive Portal Pop up for Apple Devices?

That is not the role.

 

Do this:

 

Associate a device to the captive portal.  Type "show user" and find that user and the user's role.  Type "show rights <user role>" and paste in that output.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎03-09-2016

Re: How to Make Apple Captive Portal Pop up for Apple Devices?

Hi,

 

I changed my initial role and now it worked.

 

Here's the rights:

 

(7030-Primary) #show rights wlan-Guest-logon

Derived Role = 'wlan-Guest-logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
DPI Classification: Enabled
Web Content Classification: Enabled
ACL Number = 106/0
Max Sessions = 65535

Check CP Profile for Accounting = TRUE
Captive Portal profile = Guest-IM-CP-prof

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-wlan-Guest-logon-sacl session
3 wlan-Guest-logon-control session
4 wlan-Guest-allow-external-captive-portal session
5 wlan-Guest-allow-google-play session
6 wlan-Guest-captiveportal session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-wlan-Guest-logon-sacl
--------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
wlan-Guest-logon-control
-----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any udp 68 deny Low 4
2 user any icmpv6 rtr-adv deny Low 6
3 any any svc-icmp permit Low 4
4 any any svc-dns permit Low 4
5 any any svc-dhcp permit Low 4
6 any any svc-natt permit Low 4
wlan-Guest-allow-external-captive-portal
---------------------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user wlan-Guest-allow-external-captive-portal svc-http permit Low 4
2 user wlan-Guest-allow-external-captive-portal svc-https permit Low 4
3 any 10.3.16.58 any permit Low 4
wlan-Guest-allow-google-play
---------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user wlan-Guest-allow-google-play svc-http permit Low 4
2 user wlan-Guest-allow-google-play svc-https permit Low 4
wlan-Guest-captiveportal
-----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
3 user any svc-https dst-nat 8081 Low 4
4 user any svc-http-proxy1 dst-nat 8088 Low 4
5 user any svc-http-proxy2 dst-nat 8088 Low 4
6 user any svc-http-proxy3 dst-nat 8088 Low 4

Expired Policies (due to time constraints) = 0

 

Wow, do you know what caused it to work?

It is working now with the captive portal popping up.

Occasional Contributor I
Posts: 6
Registered: ‎03-09-2016

Re: How to Make Apple Captive Portal Pop up for Apple Devices?

Hi,

 

Thanks for the response and it is now working.

 

But can I check what is the thing in the wlan-logon role that made it work?

 

So in the future we can troubleshoot as well.

 

(And btw, I realise that after authenticating with ClearPass, sometimes it gets stuck at the page attempting to log in - then it doesn't direct to the default welcome page - any idea of the reason it gets stuck at the "logging in..." page and does not go to the welcome page?)

 

Thank you so much community.

Guru Elite
Posts: 20,978
Registered: ‎03-29-2007

Re: How to Make Apple Captive Portal Pop up for Apple Devices?

We would have to know the difference between what it was and what it is now, to understand what the problem was.

 

Why it is getting stuck is a difficult one.  You might have to open a case to get to the bottom of that.

 



Colin Joseph
Aruba Customer Engineering
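
An added example, not part of any reply in this thread: a Python check that reads "show rights" output and reports the two things that differ between the guest role and the wlan-Guest-logon role pasted above, namely a "Captive Portal profile" line and the first-match action for client HTTP to any destination. The sample inputs are abridged from the outputs in the thread; the function names and the implicit-deny fallback are assumptions.

```python
import re

# Constructed samples, abridged from the "show rights" outputs in the thread.
GUEST = """\
Derived Role = 'guest'
http-acl
--------
1         any     any          svc-http               permit          Low      4
dns-acl
-------
1         any     any          svc-dns               permit           Low      4
"""

LOGON = """\
Derived Role = 'wlan-Guest-logon'
Captive Portal profile = Guest-IM-CP-prof
wlan-Guest-logon-control
1 user any udp 68 deny Low 4
4 any any svc-dns permit Low 4
wlan-Guest-allow-external-captive-portal
1 user wlan-Guest-allow-external-captive-portal svc-http permit Low 4
3 any 10.3.16.58 any permit Low 4
wlan-Guest-captiveportal
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
"""

# Rule row: <priority> <source> <destination> <service...> <action> ...
# Works on both the column-aligned and the space-flattened paste.
RULE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(.+?)\s+(permit|deny|dst-nat\s+\d+)\b")


def parse_role(text):
    """Extract role name, captive portal profile and session rules in order."""
    role = re.search(r"Derived Role = '([^']+)'", text)
    cp = re.search(r"Captive Portal profile = (\S+)", text)
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            src, dst, svc, action = m.groups()
            rules.append((src, dst, svc.strip(), " ".join(action.split())))
    return {"role": role.group(1) if role else None,
            "cp_profile": cp.group(1) if cp else None,
            "rules": rules}


def http_action(parsed):
    """First-match action for client HTTP sent to an arbitrary destination."""
    for src, dst, svc, action in parsed["rules"]:
        if src in ("user", "any") and dst == "any" and svc in ("svc-http", "any"):
            return action
    return "deny"  # assumption: traffic matching no rule is dropped


def audit(text):
    """Report whether a role redirects unauthenticated HTTP to a portal."""
    parsed = parse_role(text)
    action = http_action(parsed)
    redirect = parsed["cp_profile"] is not None and action.startswith("dst-nat")
    return {"role": parsed["role"], "cp_profile": parsed["cp_profile"],
            "http_action": action, "portal_redirect": redirect}


if __name__ == "__main__":
    for sample in (GUEST, LOGON):
        print(audit(sample))
```

A role that reports `http_action` of `permit` with no captive portal profile passes web traffic without any login step, so it is worth running this against whatever role the AAA profile assigns as the initial role.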
