Security

I just upgraded a 3600 controller to 6.2.1.2. We have a guest access where we use our own user acceptance page. Once the user clicks an "Agree" button they are redirected to our home page. Apple iPads and iPhones on IOS 7 are not redirecting to the home page. The user acceptance page just comes back. The user will eventually connect to the guest network after about a minute. This doesn't happen on IOS 6 devices or Androids or laptops. Has anyone seen anything like this. Any help would be appreciated.

dglav60 wrote:

I just upgraded a 3600 controller to 6.2.1.2. We have a guest access where we use our own user acceptance page. Once the user clicks an "Agree" button they are redirected to our home page. Apple iPads and iPhones on IOS 7 are not redirecting to the home page. The user acceptance page just comes back. The user will eventually connect to the guest network after about a minute. This doesn't happen on IOS 6 devices or Androids or laptops. Has anyone seen anything like this. Any help would be appreciated.

IOS 6's CNA (Captive Portal Network Assistant) breaks the ability to redirect a user to an external home page.  In ArubaOS 6.1 and 6.2..x we worked around it by allowing traffic to *.apple.com.  IOS7 randomizes the URL that the traffic is sent to so this is no longer possible.  ArubaOS 6.3.1.0 and above have the CNA bypass feature in the Captive Portal authentication profile that identifies this random URL and allows the proper redirect.

Long Story short, for now you would need to upgrade to ArubaOS 6.3.1.0 to gain this capability.

Thanks for the info Colin. Do you know of any fixes coming down the road for version 6.2. My hand are kind of tied when its comes to upgrading firmware. We have medical devices that are FDA controlled and the vendor has to validate the firmware before we can upgrade.

---

@dglav60 wrote:

Thanks for the info Colin. Do you know of any fixes coming down the road for version 6.2. My hand are kind of tied when its comes to upgrading firmware. We have medical devices that are FDA controlled and the vendor has to validate the firmware before we can upgrade.

---

Not that I know of.  If there is an outside chance that the company uses clearpass for guest access, the CNA bypass is built into the latest ClearPass, as well...

If you go to the support site and request it using the ideas portal, they will know that there is interest...

On a sidenote - until you can upgrade to 6.3.x you have the option of adding apple.com to allowed sites in the logon role. That does the trick of not triggering CNA - since the device is trying to reach http://www.apple.com/library/test/success.html (I believe thats the correct URL). Of course - sideeffect is apple.com is allowed without registration ;)

---

@jsolb wrote:

On a sidenote - until you can upgrade to 6.3.x you have the option of adding apple.com to allowed sites in the logon role. That does the trick of not triggering CNA - since the device is trying to reach http://www.apple.com/library/test/success.html (I believe thats the correct URL). Of course - sideeffect is apple.com is allowed without registration ;)

 

---

if i understand the situation correctly that does NOT help. apple changed the way CNA works in iOS 7 and it uses several more hosts / URLs now.

---

@boneyard wrote:

if i understand the situation correctly that does NOT help. apple changed the way CNA works in iOS 7 and it uses several more hosts / URLs now.

Boneyard,

It will work if you use Clearpass with the IOS7 patch using the landing.php

Hello,

I have AOS 6.3.1.1 and still have some issuse with CNA:

"Bypass Apple CNA" is DISABLED

-There is no automatically slide up of CP (all iPad iOS 7.04) - iPhone works fine. 

"Bypass Apple CNA" is ENABLED

-There is no automatically slide up of CP (all iPad iOS 7.04) - There is no automatically slide up of CP even on iPhone. 

I'm not sure that this feature is helping att all. Or?

We have a local Aruba deployment for a multi-national company that uses AOS 5.0.4.14 at all sites and we have been denied permission to upgrade the AOS past 5.0.4.x.

Everything was working great until the company iPads were upgraded to 7.0.4 and now the Captive Portal splash screen does not appear.  It does appear for Windows clients.

Is the only way to get the Captive Portal working with iOS 7.0.x clients to upgrade the AOS to a 6.3.1.x version?

---

@crowdie wrote:

We have a local Aruba deployment for a multi-national company that uses AOS 5.0.4.14 at all sites and we have been denied permission to upgrade the AOS past 5.0.4.x.

 

Everything was working great until the company iPads were upgraded to 7.0.4 and now the Captive Portal splash screen does not appear.  It does appear for Windows clients.

 

Is the only way to get the Captive Portal working with iOS 7.0.x clients to upgrade the AOS to a 6.3.1.x version?

---

For now, yes, unless the customer uses ClearPass for guest access.  I would check with support to see if there is another workaround.

To clarify, if the captive portal was already working on ArubaOS 5.x, it should continue working, even if the IPAD was upgraded to 7.x.  The CNA (Captive Network Assistant) should still pop ul and work.  If it does not work, you should open a support case.  There are specific things like Onboarding, and redirecting the user to a specific URL after Captive Portal authentication that will NOT work on ArubaOS 5.x due to the way the CNA operates.

Hi,

Here comes workaround that worked for us. We have company certificate as default certificate for CP - when I changed to "Default" (factory certfificate) everything worked fine.

So right now we try to figure out what is wrong with our certificate.

Aruba-controller: 2x7220

AOS: 6.3.1.1

Hello Collin

This bypass Apple Captive network assistant exist in Instant AP IOS??? im trying to look for it but i cannot find it..

If not, it wil be coming in the new release of Isntant?

Nightshade1,

I don't see anywhere that it does.  If instant is integrated with ClearPass guest, the landing.php can be used to leverage that...