Contributor II
Posts: 43
Registered: 12-14-2011

I don't want to bypass CNA!


I've spent ages with customers before trying to bypass Apple's CNA, but today I am with a customer who wants the CNA to pop up and I can't get it to happen!

All captive portal is set up, bypass CNA is off in the CP Profile as well as in ClearPass. There are no additional allows in the firewall except to CPPM and also one to allow access to CPPM via an external link (this is required by the set up here due to the way the guest VLAN is protected from the internal network). There is no Apple whitelisting at all.

Android and Windows devices all work correctly with their respective popups, but CNA will not work.

Using CPPM v6.0 (although patching to 6.1 as I write this) and AOS 6.4.2.1. iPhone is on OS 7.2.

Any ideas of where else I should look?

Cheers

Davey

Guru Elite
Posts: 21,040
Registered: 03-29-2007

Re: I don't want to bypass CNA!

Make sure you don't have "landing.php" at the end of your ClearPass URL: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Not-getting-the-Apple-Captive-Network-Assistant-CNA-anymore/m-p/151014/highlight/true#M10906



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 43
Registered: 12-14-2011

Re: I don't want to bypass CNA!

Tried it with and without landing.php. No joy.

Contributor II
Posts: 43
Registered: 12-14-2011

Re: I don't want to bypass CNA!

Just to point out CPPM version 6.4.1, not 6.1!

Guru Elite
Posts: 21,040
Registered: 03-29-2007

Re: I don't want to bypass CNA!

Please publish your "logon" ACL for your user:

show rights <role>



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 43
Registered: 12-14-2011

Re: I don't want to bypass CNA!

VH-Aruba-1) #show rights Customer-Guest-PreAuth

Derived Role = 'Customer-Guest-PreAuth'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Web Content Classification: Enabled
 ACL Number = 68/0
 Max Sessions = 65535

 Check CP Profile for Accounting = FALSE
 Captive Portal profile = CNGuest-CP-Profile

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                                Type     Location
--------  ----                                ----     --------
1         global-sacl                         session
2         apprf-customer-Guest-PreAuth-sacl  session
3         logon-control                       session
4         AllowExternalCPPM                   session
5         AllowCPPM                           session
6         captiveportal                       session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-Customer-Guest-PreAuth-sacl
----------------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
logon-control
-------------
Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any                      udp 68                 deny                             Low                                                           4
2         any     any                      svc-icmp               permit                           Low                                                           4
3         any     any                      svc-dns                permit                           Low                                                           4
4         any     any                      svc-dhcp               permit                           Low                                                           4
5         any     any                      svc-natt               permit                           Low                                                           4
6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4
7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4
AllowExternalCPPM
-----------------
Priority  Source  Destination     Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------     -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    83.244.191.151  svc-https               permit                           Low                                                           4
2         user    83.244.191.151  svc-http                permit                           Low                                                           4
AllowCPPM
---------
Priority  Source  Destination  Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    Clearpass    svc-http                permit                           Low                                                           4
2         user    Clearpass    svc-https               permit                           Low                                                           4
captiveportal
-------------
Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
2         user    any          svc-http                      dst-nat 8080                           Low                                                           4
3         user    any          svc-https                     dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

AllowCPPM allows access to the ClearPass VIP.
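A way to sanity-check a role dump like the one above, as an added example (not code from the thread, from Aruba or from ClearPass): it parses the access-list tables of `show rights` output by column position, walks the policies in position order with first-match semantics, and reports what the pre-auth role does to a plain-HTTP request from the client. A dst-nat to the portal port is the outcome that makes the CNA sheet appear; a permit toward the probe destination that sits ahead of the captiveportal policy is the kind of rule that lets the probe succeed and keeps the sheet away, which is what "whitelisting" means in this context. Assumptions, none of them stated on the page: the sample text is a trimmed re-layout of the role posted above, policies apply in Position order and rules in Priority order with the first match winning and an implicit deny at the end, service names are compared symbolically rather than by port, and 198.51.100.10 is a placeholder for the host the device's probe contacts.

```python
# Added example (not code from the Airheads thread or from Aruba): parse the
# access-list tables of ArubaOS `show rights <role>` output and trace how a
# client flow in that role is handled (first-match ordering is an assumption).
import ipaddress
import re

# Constructed sample: trimmed copy of the thread's role; widths are not Aruba's.
SHOW_RIGHTS = """\
access-list List
----------------
Position  Name               Type     Location
--------  ----               ----     --------
1         logon-control      session
2         AllowCPPM          session
3         captiveportal      session

logon-control
-------------
Priority  Source  Destination              Service          Application  Action
--------  ------  -----------              -------          -----------  ------
1         user    any                      udp 68                        deny
2         any     any                      svc-dns                       permit
3         any     169.254.0.0 255.255.0.0  any                           deny
AllowCPPM
---------
Priority  Source  Destination              Service          Application  Action
--------  ------  -----------              -------          -----------  ------
1         user    Clearpass                svc-http                      permit
2         user    Clearpass                svc-https                     permit
captiveportal
-------------
Priority  Source  Destination              Service          Application  Action
--------  ------  -----------              -------          -----------  ------
1         user    controller               svc-https                     dst-nat 8081
2         user    any                      svc-http                      dst-nat 8080
"""
PROBE_HOST = "198.51.100.10"  # placeholder for the host a device's connectivity probe fetches


def _is_title(lines, i):
    """A table title is a line underlined by dashes of exactly its own length."""
    if i + 1 >= len(lines):
        return False
    title, under = lines[i].strip(), lines[i + 1].strip()
    return bool(title) and under == "-" * len(title)


def _parse_table(lines, i):
    """lines[i] is the column header, lines[i+1] the dash row that fixes column widths."""
    starts = [m.start() for m in re.finditer(r"-+", lines[i + 1])]
    spans = list(zip(starts, starts[1:] + [None]))  # each column runs to the next start
    names = [lines[i][a:b].strip() for a, b in spans]
    rows, i = [], i + 2
    while i < len(lines) and lines[i].strip() and not _is_title(lines, i):
        rows.append({n: lines[i][a:b].strip() for n, (a, b) in zip(names, spans)})
        i += 1
    return rows, i


def parse_show_rights(text):
    """Return (policy names in Position order, {policy name: [rule dicts]})."""
    lines, policies, i = text.splitlines(), {}, 0
    while i < len(lines):
        if _is_title(lines, i):
            name = lines[i].strip()
            policies[name], i = _parse_table(lines, i + 2)
        else:
            i += 1
    order = [r["Name"] for r in policies.pop("access-list List", [])]
    return order, policies


def _dest_matches(rule_dest, dest):
    # dest is an alias name (e.g. 'Clearpass') or a dotted IPv4 address
    if rule_dest == "any":
        return True
    parts = rule_dest.split()
    if len(parts) == 2:  # "network mask" form, e.g. 169.254.0.0 255.255.0.0
        try:
            return ipaddress.IPv4Address(dest) in ipaddress.IPv4Network(tuple(parts), strict=False)
        except ValueError:  # an alias name is not an address, so it never matches a subnet
            return False
    return rule_dest == dest


def trace_flow(order, policies, dest, service):
    """First rule matching a client-originated flow, as (policy, priority, action)."""
    for name in order:
        for rule in policies.get(name, []):
            if (rule["Source"] in ("any", "user") and _dest_matches(rule["Destination"], dest)
                    and rule["Service"] in ("any", service)):
                return name, int(rule["Priority"]), rule["Action"]
    return None


def cna_probe_outcome(order, policies, probe_dest=PROBE_HOST):
    """'redirect' (the portal answers the probe) is the case where the CNA sheet appears."""
    hit = trace_flow(order, policies, probe_dest, "svc-http")
    action = hit[2] if hit else ""  # no match: treated as the role's implicit deny
    return "redirect" if action.startswith("dst-nat") else "bypass" if action == "permit" else "blocked"


def with_whitelist(order, policies, dest):
    """The bypass case: a permit-to-dest policy inserted just ahead of captiveportal."""
    wl = [{"Priority": "1", "Source": "user", "Destination": dest, "Service": "svc-http", "Action": "permit"}]
    i = order.index("captiveportal")
    return order[:i] + ["cna-whitelist"] + order[i:], {**policies, "cna-whitelist": wl}
```

To use it on a real controller, paste the output of `show rights <role>` into SHOW_RIGHTS; the column slicing keys off the dash underline under each header, which the real output also has, so the wider real tables parse the same way. `trace_flow(order, policies, "Clearpass", "svc-https")` should land in AllowCPPM before anything in captiveportal, and `cna_probe_outcome` should say "redirect" for a role that is meant to show the CNA sheet; "bypass" means some policy ahead of captiveportal lets plain HTTP to the probe host through. The model knows nothing about user-role exceptions, netdestination aliases it cannot resolve, or ACLs applied outside the role.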

Guru Elite
Posts: 21,040
Registered: 03-29-2007

Re: I don't want to bypass CNA!

It looks fine. You might want to check the Apple forum so that you can get telemetry on whether the CNA is triggered in iOS and why. There is definitely a log on Mac OS X.



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 43
Registered: 12-14-2011

Re: I don't want to bypass CNA!

Goddam Apple devices. Forgot the network and tried again, and now it works.

See here:

https://discussions.apple.com/message/25443945#25443945
