
IOS 5.1 ipad Apple CNA issues

  • 1.  IOS 5.1 ipad Apple CNA issues

    Posted Apr 02, 2012 07:52 PM

    Hello,

     

    so I have this problem.. 

    Aruba setup is AOS 6.1.3, Clearpass 3.7 and I'm already using the "http://<clearpass-ip>/landing.php/login.php" trick..


    We got complaints from guest users with IOS devices who were not able to complete the login procedure for the guest wifi. This is a fairly simple self-registration with interstitial advertisement movie. Some guest users complained they were unable to play the movie, and thus not able to complete the login.

     

    My testing using IOS 4.3.5 iPad and iPhone showed that it worked excellent - every time. I registered, saw the movie and was re-directed once it played through and could log in and surf internet afterwards.

     

    So then I upgraded my lab-iPad to latest IOS release 5.1 and then tested again. This time I got the CNA and within CNA the movie is unable to load and thus unable to complete login - since I've removed the Skip button to force users to watch it through.

     

    After numerous hours troubleshooting I'm at a loss of what to do.

     

    A few points worth mentioning

    * I'm "aaa user delete"'ing in between each connection attempt

    * Cookies and Javascript are enabled/set to always

    * I have done network factory reset on the iPad, cleared cache etc.

    * The SSID name consists of three words with spaces

    * adding apple.com to the whitelist for guest-logon role solves the problem, but I'd rather not open up for this...

    * Changing the name of the SSID removes the problem (??!!)

     

     

    This last part here has me all confused. I tried creating a totally new set of profiles to complement a new ssid profile, but when I enter the same SSID name - the CNA pops back up on connection.

     

    Any tips on how to troubleshoot this thing?



  • 2.  RE: IOS 5.1 ipad Apple CNA issues

    Posted Apr 02, 2012 09:04 PM

    Hi John,

     

    Any chance you can provide the details of the original SSID name (the one that triggers the CNA) and the new one that works as expected without the CNA? I would like to compare the length and characters used in these SSID names and the notes from another case that might be related.

     

    Rgds


    Cam.

     



  • 3.  RE: IOS 5.1 ipad Apple CNA issues

    Posted Apr 03, 2012 03:06 AM

    Hi Cam,

     

    Sent you a pm with the ssid names, but if you want all the details I can open a TAC case for it.

     

    I checked "show user-table ip ..." for each SSID I tried, and the only difference I see there is Device Type.

    With CNA triggered I get this:

    Device Type: Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B176

     

    Without CNA I get this:

    Device Type: server-bag [iPhone OS,5.1,9B176,iPad2,2]

     

     



  • 4.  RE: IOS 5.1 ipad Apple CNA issues

    Posted Apr 03, 2012 08:22 AM

     

    I replicated this in our lab environment and got the same issue there. Totally different ssid name so I'm thinking that is a dead-end, and try to verify if landing.php is able to handle the IOS 5.1 update from March 7th.

     

    I did verify that the fix works with the IOS 4.3.5, but I don't have access to an iPad with 5.0.x to verify if my lab works with that version. 



  • 5.  RE: IOS 5.1 ipad Apple CNA issues
    Best Answer

    Posted Apr 04, 2012 04:22 PM

    Hi John,

     

    We have figured out what is going on in iOS 5.1. It turns out if you have an SSID name with a space or other character that needs to be escaped for URL encoding, this version of iOS gets a bit loopy and double URL encodes the URL that is returned as part of the 302 redirect from the controller.

     

    Please work with the TAC as they have a tested workaround and we will patch Amigopod and its CNA Bypass to accommodate this anomaly in iOS 5.1 moving forward.

     

    Rgds

     

    Cam.
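An added example, not part of the thread and not the Aruba/Amigopod patch: one way a portal landing page could tolerate the double URL encoding described in the answer above without decoding untrusted input in an unbounded loop. The query parameter name `essid`, the host `portal.example` and the SSID names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed SSID names; the thread does not give the real ones.
# "Lab%20Net" is an SSID whose literal name contains the characters %20.
CONFIGURED_SSIDS = {"Corp Guest WiFi", "Lab%20Net"}
MAX_EXTRA_DECODES = 2  # bounded canonicalisation, never "decode until stable"


def resolve_ssid(raw_url, param="essid", known=CONFIGURED_SSIDS):
    """Return (ssid, extra_decodes) for the SSID carried in raw_url.

    extra_decodes is 0 for a correctly encoded request and 1 for the
    double-encoded form. Returns (None, None) when no bounded decoding
    of the value matches a configured SSID.
    """
    query = urlsplit(raw_url).query
    # parse_qsl performs the single decode every well-formed request needs.
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == param]
    if len(values) != 1:            # missing or repeated parameter: reject
        return None, None
    candidate = values[0]
    for extra in range(MAX_EXTRA_DECODES + 1):
        # Check before decoding further, so an SSID that really contains
        # "%20" is matched as-is instead of being turned into a space.
        if candidate in known:
            return candidate, extra
        decoded = unquote(candidate)
        if decoded == candidate:    # nothing left to decode
            break
        candidate = decoded
    return None, None


if __name__ == "__main__":
    base = "http://portal.example/landing.php/login.php?cmd=login&essid="
    for value in ("Corp%20Guest%20WiFi",      # encoded once (expected form)
                  "Corp%2520Guest%2520WiFi",  # encoded twice (the iOS 5.1 case)
                  "Lab%2520Net",              # encoded once, literal %20 in name
                  "Other%20Net"):             # not a configured SSID
        print(value, "->", resolve_ssid(base + value))
```

Logging requests where `extra_decodes` is non-zero gives a count of clients still sending the double-encoded form.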



  • 6.  RE: IOS 5.1 ipad Apple CNA issues

    Posted Apr 19, 2012 08:35 AM

    We are experiencing this also but I haven't looked into it yet -- thanks for the info.  Is this related to the URL encoding bug (based on SSID length) in 6.1.3.0 that causes certain Blackberries to not receive the captive portal landing page?

     

    I'm wondering if we should wait for 6.1.3.2 which fixes the URL encoding issue and see whether that will fix this issue also.  We have a large iPad session next week so a quick fix might be worthwhile -- what is involved with the patch for Amigopod proposed here? 

     

     

    Thanks,

    Bryan

     

     

     



  • 7.  RE: IOS 5.1 ipad Apple CNA issues

    Posted Apr 19, 2012 06:26 PM

    Bryan,

     

    The patch to accommodate the change in iOS 5.1 will be available by the end of the month in our 3.9 release of Amigopod. In the meantime, the Aruba TAC can assist in implementing the patch given remote access to your deployment.

     

    Rgds


    Cam



  • 8.  RE: IOS 5.1 ipad Apple CNA issues

    Posted Apr 23, 2012 04:21 AM

     

    To hotfix this TAC needed remote control to do some programming in the landing.php file. I'd rather wait for the permanent fix so in the meantime I've added apple.com to the walled garden whitelist.

     

    A note - it's just not the SSID length in combination with a space, because I changed just one letter and that solved the issue.