MVP
Posts: 4,238
Registered: ‎07-20-2011

Macbook pro unable to access Guest registration page

 

We are currently using ClearPass (6.1.1.52552) for our guest solution, and recently we have been having issues with MacBook Pros being unable to reach the guest registration page.

Windows laptops, iOS and Android have no issues.

We have seen this across OS X 10.6.x, 10.7.x and the latest 10.8.x.

We also set the ACL under the role to allow http/https to *.apple.com, but that doesn't seem to work; if we allow everything, the device is able to reach the internet with no issues.

Tried installing the certs manually.

We have a 7210 controller running 6.2.1.2.

Any ideas?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: Macbook pro unable to access Guest registration page


You have to do "show datapath session table" and see what that macbook is doing.

 

Do you also have DNS set up correctly on that controller?  Can you type "ping www.apple.com" at the command line of the controller and it works?

 

Optionally, if you are using ArubaOS 6.2 and above, you can use the "Bypass Apple Captive Network Assistant" option in the Captive Portal Authentication profile to do this, as well.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 344
Registered: ‎07-26-2011

Re: Macbook pro unable to access Guest registration page

Try turning off the OCSP check on the browser. You'll see in the datapath session it attempts to validate the certs before loading the captive portal.
ACMA, ACMP
If my post addresses your query, give kudos:)
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Macbook pro unable to access Guest registration page

(beta-7200-controller) #show  datapath session table 10.10.10.14


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal

  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
10.10.10.14     172.16.10.205   17   64290 53     0/0     0 0   1   tunnel 631  12   0         0          FSCI
10.10.10.14     129.64.5.31     6    49913 443    0/0     0 0   1   tunnel 631  19   0         0          SC
172.16.10.205   10.10.10.14     1    2205  0      0/0     0 0   1   tunnel 631  10   0         0          FYI
10.10.10.14     172.16.10.205   17   60365 53     0/0     0 0   1   tunnel 631  6    0         0          FSCI
172.16.10.205   10.10.10.14     1    2206  0      0/0     0 0   1   tunnel 631  f    0         0          FYI
10.10.10.14     129.64.5.31     6    49914 443    0/0     0 0   1   tunnel 631  19   0         0          SC
172.16.10.205   10.10.10.14     1    2196  0      0/0     0 0   1   tunnel 631  1a   0         0          FYI
172.16.10.205   10.10.10.14     1    2207  0      0/0     0 0   0   tunnel 631  e    0         0          FYI
172.16.10.205   10.10.10.14     1    2197  0      0/0     0 0   1   tunnel 631  18   0         0          FYI
172.16.10.205   10.10.10.14     1    2201  0      0/0     0 0   1   tunnel 631  14   0         0          FYI


172.16.10.205   10.10.10.14     1    2200  0      0/0     0 0   1   tunnel 631  15   0         0          FYI
172.16.10.205   10.10.10.14     1    2203  0      0/0     0 0   1   tunnel 631  12   0         0          FYI
172.16.10.205   10.10.10.14     1    2202  0      0/0     0 0   1   tunnel 631  13   0         0          FYI
172.16.10.205   10.10.10.14     1    2216  0      0/0     0 0   0   tunnel 631  5    0         0          FYI
172.16.10.205   10.10.10.14     1    2210  0      0/0     0 0   0   tunnel 631  b    0         0          FYI
10.10.10.14     173.194.73.147  6    49912 443    0/0     0 0   1   tunnel 631  1d   0         0          NCI
172.16.10.205   10.10.10.14     1    2217  0      0/0     0 0   0   tunnel 631  4    0         0          FYI
172.16.10.205   10.10.10.14     1    2211  0      0/0     0 0   0   tunnel 631  a    0         0          FYI
172.16.10.205   10.10.10.14     1    2208  0      0/0     0 0   0   tunnel 631  d    0         0          FYI
172.16.10.205   10.10.10.14     1    2218  0      0/0     0 0   0   tunnel 631  3    0         0          FYI


172.16.10.205   10.10.10.14     1    2209  0      0/0     0 0   0   tunnel 631  c    0         0          FYI
172.16.10.205   10.10.10.14     1    2219  0      0/0     0 0   0   tunnel 631  2    0         0          FYI
172.16.10.205   10.10.10.14     1    2215  0      0/0     0 0   0   tunnel 631  6    0         0          FYI
10.10.10.14     173.194.73.147  6    49910 443    0/0     0 0   1   tunnel 631  1e   0         0          NCI
172.16.10.205   10.10.10.14     1    2220  0      0/0     0 0   0   tunnel 631  1    0         0          FYI
172.16.10.205   10.10.10.14     1    2214  0      0/0     0 0   0   tunnel 631  7    0         0          FYI
172.16.10.205   10.10.10.14     1    2213  0      0/0     0 0   0   tunnel 631  8    0         0          FYI
172.16.10.205   10.10.10.14     1    2212  0      0/0     0 0   0   tunnel 631  9    0         0          FYI
10.208.67.16    10.10.10.14     6    8081  49912  0/0     0 0   1   tunnel 631  1d   0         0          FSI
10.10.10.14     108.160.162.98  6    49915 80     0/0     0 0   0   tunnel 631  6    0         0          FNC


10.10.10.14     172.16.10.205   1    2212  2048   0/0     0 0   0   tunnel 631  9    0         0          FCI
10.208.67.16    10.10.10.14     6    8081  49910  0/0     0 0   1   tunnel 631  1e   0         0          FSI
10.10.10.14     172.16.10.205   1    2213  2048   0/0     0 0   0   tunnel 631  8    0         0          FCI
10.10.10.14     172.16.10.205   1    2220  2048   0/0     0 0   0   tunnel 631  1    1         84         FCI
10.10.10.14     172.16.10.205   1    2214  2048   0/0     0 0   0   tunnel 631  7    0         0          FCI
10.10.10.14     172.16.10.205   1    2215  2048   0/0     0 0   0   tunnel 631  6    0         0          FCI
10.10.10.14     172.16.10.205   1    2209  2048   0/0     0 0   1   tunnel 631  c    0         0          FCI
10.10.10.14     172.16.10.205   1    2219  2048   0/0     0 0   0   tunnel 631  2    1         84         FCI
10.10.10.14     172.16.10.205   1    2208  2048   0/0     0 0   1   tunnel 631  d    0         0          FCI
10.10.10.14     172.16.10.205   1    2218  2048   0/0     0 0   0   tunnel 631  3    0         0          FCI


10.10.10.14     172.16.10.205   1    2217  2048   0/0     0 0   0   tunnel 631  4    0         0          FCI
10.10.10.14     172.16.10.205   1    2211  2048   0/0     0 0   1   tunnel 631  a    0         0          FCI
10.10.10.14     172.16.10.205   1    2216  2048   0/0     0 0   0   tunnel 631  5    0         0          FCI
10.10.10.14     172.16.10.205   1    2210  2048   0/0     0 0   1   tunnel 631  b    0         0          FCI
10.10.10.14     172.16.10.205   1    2202  2048   0/0     0 0   1   tunnel 631  13   0         0          FCI
10.10.10.14     172.16.10.205   1    2203  2048   0/0     0 0   1   tunnel 631  12   0         0          FCI
10.10.10.14     172.16.10.205   1    2200  2048   0/0     0 0   1   tunnel 631  15   0         0          FCI
10.10.10.14     172.16.10.205   1    2201  2048   0/0     0 0   1   tunnel 631  14   0         0          FCI
10.10.10.14     172.16.10.205   1    2207  2048   0/0     0 0   1   tunnel 631  e    0         0          FCI
10.10.10.14     172.16.10.205   1    2197  2048   0/0     0 0   1   tunnel 631  18   0         0          FCI


10.10.10.14     172.16.10.205   1    2206  2048   0/0     0 0   1   tunnel 631  f    0         0          FCI
10.10.10.14     172.16.10.205   1    2196  2048   0/0     0 0   1   tunnel 631  1a   0         0          FCI
10.10.10.14     172.16.10.205   1    2205  2048   0/0     0 0   1   tunnel 631  10   0         0          FCI
10.208.67.16    10.10.10.14     6    8080  49915  0/0     0 0   1   tunnel 631  6    0         0          FS
10.10.10.14     172.16.10.205   17   62965 53     0/0     0 0   1   tunnel 631  12   0         0          FSCI

 

cjoseph, 

 

Unfortunately the controller can't do DNS lookup, but I have confirmed that any other devices are able to reach it with no issues.

 

I will check on the Bypass option.

 

zalion0,

 

I will try turning off the OCSP validation.

Thanks guys for the quick replies, will update once I have applied those.

 

Vic

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
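
An added example, not part of any post in this thread: a small Python parser for `show datapath session table` output that lists the TCP 80/443 destinations a client tried and decodes their flags with the legend the controller prints. In the posted table the sessions flagged N (dest NAT) have matching return sessions from 10.208.67.16 on ports 8080/8081, so destinations without N, R or D are the ones that were not rewritten or denied. The function names are hypothetical and the sample rows are copied from the table above.

```python
import re

# Flag letters from the legend printed at the top of the controller output.
LEGEND = {"F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
          "R": "redirect", "Y": "no syn", "C": "client", "I": "deep inspect"}

# Rows copied from the session table posted in this thread.
SAMPLE = """\
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
10.10.10.14     172.16.10.205   17   64290 53     0/0     0 0   1   tunnel 631  12   0         0          FSCI
10.10.10.14     129.64.5.31     6    49913 443    0/0     0 0   1   tunnel 631  19   0         0          SC
10.10.10.14     173.194.73.147  6    49912 443    0/0     0 0   1   tunnel 631  1d   0         0          NCI
10.208.67.16    10.10.10.14     6    8081  49912  0/0     0 0   1   tunnel 631  1d   0         0          FSI
10.10.10.14     108.160.162.98  6    49915 80     0/0     0 0   0   tunnel 631  6    0         0          FNC
10.10.10.14     129.64.5.31     6    49914 443    0/0     0 0   1   tunnel 631  19   0         0          SC
"""

# src, dst, protocol, source port, destination port ... flags (last column)
ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})"
                 r"\s+(\d+)\s+(\d+)\s+(\d+)\s.*\s([A-Z]+)\s*$")

def web_sessions(text, client_ip):
    """Map (dst_ip, dst_port) -> set of flag letters for the client's TCP 80/443 sessions."""
    seen = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, legend, ruler or blank pager line
        src, dst, prot, _sport, dport, flags = m.groups()
        if src == client_ip and prot == "6" and dport in ("80", "443"):
            seen.setdefault((dst, int(dport)), set()).update(flags)
    return seen

def not_rewritten(sessions):
    """Destinations whose sessions carry none of N (dest NAT), R (redirect), D (deny)."""
    return sorted(k for k, f in sessions.items() if not f & set("NRD"))

def describe(flags):
    """Spell out flag letters using the controller's legend."""
    return ", ".join(LEGEND.get(c, c) for c in sorted(flags))

if __name__ == "__main__":
    sessions = web_sessions(SAMPLE, "10.10.10.14")
    for (dst, port), flags in sorted(sessions.items()):
        print(f"{dst}:{port}  {describe(flags)}")
    print("not NATed, redirected or denied:", not_rewritten(sessions))
```

Comparing the N-flagged destinations with the OCSP responder host named in the portal certificate shows whether the pre-authentication role is rewriting the certificate check instead of letting it through.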
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Macbook pro unable to access Guest registration page

I was able to get it going by turning OCSP off in the keyaccess, but I would like to get it going without doing so. I'm planning to try cjoseph's option at some point today.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: Macbook pro unable to access Guest registration page

You cannot allow *.apple.com to get around it.  You have to find out what the OCSP URL of your Web Certificate is and allow http and https to it for a permanent solution to this.

 



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Macbook pro unable to access Guest registration page

Will give that a try too.

A while back we added all the OCSP servers to be allowed, but maybe it's trying to reach another one not on the list.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA