Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Apple CNA Issues

  • 1.  Apple CNA Issues

    Posted Aug 07, 2018 12:08 PM

    Hi All

    I have an issue with the Apple Captive Network Assistant on iOS devices. When I connect to my open network, which has a captive portal hosted on ClearPass, the CNA pops up but the "Cancel" button immediately switches to "Done" before any login has happened. The captive portal authentication works correctly, but when any links are clicked from within the CNA, the phone opens a full Safari window rather than just opening within the CNA.

    Has anyone else had this issue or have any idea where to look? I've tried adding a deny for apple.com into my initial role but this hasn't made any difference.

    Dave



  • 2.  RE: Apple CNA Issues

    EMPLOYEE
    Posted Aug 07, 2018 12:15 PM


    It sounds as though your captive portal connection is being cached, and so your client device is getting moved to the authenticated role automatically.



  • 3.  RE: Apple CNA Issues

    Posted Aug 09, 2018 10:00 AM

    I don't think it's being cached, as when I do "show user-table" the client has the initial role, and the issue is still there after "aaa user delete mac <mac>".

    Dave



  • 4.  RE: Apple CNA Issues

    EMPLOYEE
    Posted Aug 09, 2018 10:11 AM

    If the client is still in the initial role, then it doesn't sound as though captive portal authentication is working, or I'm misunderstanding the process flow you're testing.

    Yes, after deleting the user entry, the device should end up back in the initial role, so that behavior is consistent. What links are users trying to navigate to prior to completing captive portal auth?



  • 5.  RE: Apple CNA Issues

    Posted Aug 09, 2018 10:24 AM

    Sorry, I should have explained the process.

    The user associates and MAC-auths against ClearPass, gets rejected and so retains the initial / captive portal role. They are redirected to the ClearPass captive portal, which opens the Apple CNA. As soon as the CNA opens you see the "Cancel" button change to "Done" before the user has done anything. My understanding is that the button only changes once the device can access captive.apple.com; however, the captive portal role does not allow any access to captive.apple.com. I've even tried adding an explicit deny for apple.com but this didn't make any difference.

    Thanks

    Dave



  • 6.  RE: Apple CNA Issues

    EMPLOYEE
    Posted Aug 09, 2018 10:36 AM

    Definitely strange. I agree, the CNA browser should not be switching to Done until clear access is available. I believe there are a few different destinations that can be checked in addition to captive.apple.com, but you have the right idea.

    Are you using the default initial role (guest-logon) or something custom? Can you include the output from "show rights <initial-role>" from the controller, for whatever your initial role is? Also, what version of AOS are you running?



  • 7.  RE: Apple CNA Issues

    Posted Aug 09, 2018 10:51 AM

    Output from "show rights guest-logon" below; clearpass-test is the ClearPass server where the captive portal is hosted.


    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'guest-logon'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 4
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     ACL Number = 9/0
     Max Sessions = 65535
    
     Check CP Profile for Accounting = TRUE
     Captive Portal profile = Open_Test
    
    Application Exception List
    --------------------------
    Name  Type
    ----  ----
    
    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------
    
    access-list List
    ----------------
    Position  Name                  Type     Location
    --------  ----                  ----     --------
    1         ra-guard              session
    2         allow-clearpass-test  session
    3         logon-control         session
    4         captiveportal         session
    
    ra-guard
    --------
    Priority  Source  Destination  Service          Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------          -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          icmpv6 rtr-adv                deny                             Low                                                           6
    allow-clearpass-test
    --------------------
    Priority  Source  Destination     Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------     -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    clearpass-test  svc-https               permit                           Low                                                           4   
    2         user    clearpass-test  svc-http                permit                           Low                                                           4   
    logon-control
    -------------
    Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any                      udp 68                 deny                             Low                                                           4
    2         any     any                      svc-icmp               permit                           Low                                                           4
    3         any     any                      svc-dns                permit                           Low                                                           4
    4         any     any                      svc-dhcp               permit                           Low                                                           4
    5         any     any                      svc-natt               permit                           Low                                                           4
    6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4
    7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4
    captiveportal
    -------------
    Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
    2         user    any          svc-http                      dst-nat 8080                           Low                                                           4
    3         user    any          svc-https                     dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4
    
    Expired Policies (due to time constraints) = 0

    Current OS version is 6.4.4.16

    Thanks

    Dave



  • 8.  RE: Apple CNA Issues

    Posted Aug 22, 2018 07:31 PM

    I am getting the same issue and the customer is not happy. I have public CA-signed certificates for both ClearPass and the Instant APs. ClearPass is version 6.6.9 and the Instant APs are version 8. I don't think this makes a difference to the issue. Just letting you know.

    My issue also started two weeks ago. Do we know whether any other users are experiencing the same issue?

    Thanks

    Buddhi



  • 9.  RE: Apple CNA Issues

    EMPLOYEE
    Posted Aug 22, 2018 07:55 PM


    You should do a packet capture for that client to see what the client could be doing:

    - Forget the WLAN from the client's wireless networks

    - Turn off the wireless NIC of the client

    - Delete the client from the user table on the controller's CLI (aaa user delete mac <mac address of client>)

    - Turn on packet capturing for that client:

    packet-capture reset-pcap
    packet-capture destination local-filesystem
    packet-capture datapath mac <mac address of client> decrypted

    - Enable the client's wireless NIC and associate to the SSID. Observe the behavior.

    - Take a look at the client's wireless traffic to see what traffic the client is sending:

    (aruba7640) #show packet-capture datapath-pcap 
    
    18:49:26.970495 IP 192.168.1.1 > 224.0.0.1: igmp query v2
    18:49:28.361216 IP 192.168.1.239.40859 > 172.217.9.138.443: Flags [P.], seq 3687845484:3687845515, ack 368191004, win 4329, options [nop,nop,TS val 19281407 ecr 3934040426], length 31
    18:49:28.361281 IP 192.168.1.239.40859 > 172.217.9.138.443: Flags [F.], seq 31, ack 1, win 4329, options [nop,nop,TS val 19281414 ecr 3934040426], length 0
    18:49:28.382341 IP 172.217.9.138.443 > 192.168.1.239.40859: Flags [R], seq 368191004, win 0, length 0
    18:49:34.129610 IP 192.168.1.1 > 224.0.0.251: igmp query v2 [gaddr 224.0.0.251]
    18:49:34.677221 IP 192.168.1.239.17553 > 8.8.8.8.53: 20054+ A? mobile.pipe.aria.microsoft.com. (48)
    18:49:34.808386 IP 8.8.8.8.53 > 192.168.1.239.17553: 20054 5/0/0 CNAME prd.col.aria.mobile.skypedata.akadns.net., CNAME pipe.skype.com., CNAME pipe.prd.skypedata.akadns.net., CNAME pipe.cloudapp.aria.akadns.net., A 52.114.132.23 (199)
    18:49:37.747091 ARP, Request who-has 192.168.1.239 (80:a5:89:33:69:75) tell 192.168.1.1, length 46
    18:49:37.881564 ARP, Reply 192.168.1.239 is-at 80:a5:89:33:69:75, length 28
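    An added triage example for reading the capture described above (not code from the thread or from HPE Aruba): it parses tcpdump-style lines in the format of "show packet-capture datapath-pcap", pairs DNS queries with their replies, and reports per resolved hostname whether the client's TCP attempts got any packet back, so you can see whether the initial role actually let captive.apple.com through. The sample lines, addresses, ports and DNS ids are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump-style format of `show packet-capture datapath-pcap`.
# Addresses are made up: the client is 192.168.1.239, 17.253.57.205 stands in for a
# captive.apple.com address, 10.0.0.5 stands in for the ClearPass portal server.
SAMPLE_CAPTURE = """\
18:50:01.000100 IP 192.168.1.239.50001 > 8.8.8.8.53: 31337+ A? captive.apple.com. (35)
18:50:01.020200 IP 8.8.8.8.53 > 192.168.1.239.50001: 31337 1/0/0 A 17.253.57.205 (51)
18:50:01.030300 IP 192.168.1.239.50002 > 17.253.57.205.80: Flags [S], seq 1000, win 65535, length 0
18:50:02.031000 IP 192.168.1.239.50002 > 17.253.57.205.80: Flags [S], seq 1000, win 65535, length 0
18:50:03.000000 IP 192.168.1.239.50003 > 10.0.0.5.443: Flags [S], seq 2000, win 65535, length 0
18:50:03.001000 IP 10.0.0.5.443 > 192.168.1.239.50003: Flags [S.], seq 9000, ack 2001, win 65535, length 0
18:50:03.002000 IP 192.168.1.239.50003 > 10.0.0.5.443: Flags [.], ack 1, win 4329, length 0
"""

DNS_QUERY = re.compile(r"\.53: (\d+)\+ A\? (\S+)\. ")       # transaction id, queried name
DNS_ANSWER = re.compile(r"\.53 > \S+: (\d+) \d+/\d+/\d+ ")  # transaction id of a reply
A_RECORD = re.compile(r"\bA (\d+(?:\.\d+){3})")             # A records inside a reply
TCP_PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags")

def parse_capture(text, client_ip):
    """Return (name -> set of IPs from DNS replies, flow -> did the server answer?)."""
    pending, resolved = {}, defaultdict(set)
    flows = {}  # (client port, server ip, server port) -> True once a reply is seen
    for line in text.splitlines():
        q = DNS_QUERY.search(line)
        if q:
            pending[q.group(1)] = q.group(2)
            continue
        a = DNS_ANSWER.search(line)
        if a and a.group(1) in pending:
            resolved[pending.pop(a.group(1))].update(A_RECORD.findall(line))
            continue
        t = TCP_PKT.search(line)
        if not t:
            continue
        src, sport, dst, dport = t.groups()
        if src == client_ip:            # client -> server: record the attempt
            flows.setdefault((sport, dst, dport), False)
        elif dst == client_ip:          # server -> client: the role let it through
            flows[(dport, src, sport)] = True
    return resolved, flows

def reachability(text, client_ip):
    """Per resolved hostname: True if a flow to one of its IPs was answered,
    False if every attempt went unanswered, None if no TCP attempt was seen."""
    resolved, flows = parse_capture(text, client_ip)
    report = {}
    for name, ips in resolved.items():
        hits = [ok for (_, ip, _), ok in flows.items() if ip in ips]
        report[name] = any(hits) if hits else None
    return report
```

    In the sample, captive.apple.com resolves but both SYNs go unanswered, which is what a correctly restrictive initial role looks like; an answered flow to that hostname from a client still in the initial role is the thing to look for.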

     



  • 10.  RE: Apple CNA Issues

    Posted Feb 11, 2019 05:32 PM

    Did you find anything in your capture? I plan on doing this soon. My CP Apple CNA saves the endpoint information but does not change the active role from the login role. Hope a packet capture shows something.