Security

Reply
MVP
Posts: 470
Registered: ‎05-11-2011

IOS 5.1 ipad Apple CNA issues

Hello,

 

so I have this problem.. 

Aruba setup is AOS 6.1.3, Clearpass 3.7 and I'm already using the "http://<clearpass-ip>/landing.php/login.php" trick..


We got compaints from guest users with IOS devices which was not able to complete the login procedure for the guest wifi. This is a fairly simple self-registration with interstitial advertisement movie. Some guest users complained they were unable to play the movie, and thus not able to complete the login.

 

My testing using IOS 4.3.5 iPad and iPhone showed that it worked excellent - every time. I registered, saw the movie and was re-directed once it played through and could login in and surf internet afterwards. 

 

So then I upgraded my lab-iPad to latest IOS release 5.1 and then tested again. This time I got the CNA and within CNA the movie is unable to load and thus unable to complete login - since I've removed the Skip button to force users to watch it through.

 

After numerous hours troubleshooting I'm at a loss of what to do.

 

A few points worth mentioning

* I'm aaa user deleting'ing in between each connection-attempt

* Cookies and Javascript are enabled/set to always

* I have done network factory reset on the iPad, cleared cache etc.

* The SSID name consists of three words with spaces

* adding apple.com to the whitelist for guest-logon role solves the problem, but I rather not open up for this...

* Changing the name of the SSID removes the problem (??!!)

 

 

This last part here has me all confused. I tried creating a totally new set of profiles to complement a new ssid profile, but when I enter the same SSID name - the CNA pops back up on connection.

 

Any tips on how to troubleshoot this thing?

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Moderator
Posts: 150
Registered: ‎11-14-2011

Re: IOS 5.1 ipad Apple CNA issues

Hi John,

 

Any chance you can provide the details of the oriignal SSID name (the one that triggers the CNA) and the new one that works as expected without the CNA. I would like to compare the length and characters used in these SSID names and the notes from another case that might be related.

 

Rgds


Cam.

 

MVP
Posts: 470
Registered: ‎05-11-2011

Re: IOS 5.1 ipad Apple CNA issues

Hi Cam,

 

Sendt you a pm with the ssid names, but if you want all the details I can open a TAC case for it.

 

I checked "show user-tabel ip ..." for each SSID I tried, and the only difference I see there is Device Type.

With CNA triggered I get this:

Device Type: Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B176

 

Without CNA I get this:

Device Type: server-bag [iPhone OS,5.1,9B176,iPad2,2]

 

 

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
MVP
Posts: 470
Registered: ‎05-11-2011

Re: IOS 5.1 ipad Apple CNA issues

 

I replicated this in our lab environment and got the same issue there. Totally different ssid name so I'm thinking that is a dead-end, and try to verify if landing.php is able to handle the IOS 5.1 update from march 7th.

 

I did verify that the fix works with the IOS 4.3.5, but I don't have access to an iPad with 5.0.x to verify if my lab works with that version. 

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Moderator
Posts: 150
Registered: ‎11-14-2011

Re: IOS 5.1 ipad Apple CNA issues

Hi John,

 

We have figured out what is going on in iOS 5.1. It turns out if you have an SSID name with a space or other character that needs to be escaped for URL encoding this version of iOS gets a but loopy based and double URL encodes the URL that is returned as part of the 302 redirect from the controller.

 

Please work with the TAC as they have a tested workaround and we will patch Amigopod and its CNA Bypass to accommodate this anomaly in iOS 5.1 moving forward.

 

Rgds

 

Cam.

Contributor II
Posts: 44
Registered: ‎04-06-2011

Re: IOS 5.1 ipad Apple CNA issues

We are experiencing this also but I haven't looked into it yet -- thanks for the info.  Is this related to the URL encoding bug (based on SSID length) in 6.1.3.0 that causes certain Blackberries to not receive the captive portal landing page?

 

I'm wondering if we should wait for 6.1.3.2 which fixes the URL encoding issue and see whether that will fix this issue also.  We have a large iPad session next week so a quick fix might be worthwhile -- what is involved with the patch for Amigopod proposed here? 

 

 

Thanks,

Bryan

 

 

 

Moderator
Posts: 150
Registered: ‎11-14-2011

Re: IOS 5.1 ipad Apple CNA issues

Bryan,

 

The patch to accomodate the change in iOS 5.1 will be available by the end of the month in our 3.9 release of Amigopod. In the meantime, the Aruba TAC can assist in implementing the patch given remote access to your deployment.

 

Rgds


Cam

MVP
Posts: 470
Registered: ‎05-11-2011

Re: IOS 5.1 ipad Apple CNA issues

 

To hotfix this TAC needed remote control to do some programming in the landing.php file. I'd rather wait for the permanent fix so in the meantime I've added apple.com to the walled garden whitelist.

 

A note - it's just not the SSID length in combination with space cause I just changed just one letter and that solved the issue.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Search Airheads
Showing results for 
Search instead for 
Did you mean: