Wireless Access

Contributor I

Apple CNA Issues

Hi All

 

I have an issue with the Apple Captive Network Assistant on iOS devices. When I connect to my open network which has a captive portal, hosted on ClearPass, the CNA pops up but the "Cancel" button immediately switches to "Done" before any login has happened. The captive portal authentication works correctly, but when any links are clicked from within the CNA, the phone opens a full Safari window rather than just opening within the CNA.

Has anyone else had this issue or have any idea where to look? I've tried adding a deny for apple.com into my initial role, but this hasn't made any difference.

 

Dave

Aruba Employee

Re: Apple CNA Issues


@dave1607 wrote:

Hi All

 

I have an issue with the Apple Captive Network Assistant on iOS devices. When I connect to my open network which has a captive portal, hosted on ClearPass, the CNA pops up but the "Cancel" button immediately switches to "Done" before any login has happened. The captive portal authentication works correctly, but when any links are clicked from within the CNA, the phone opens a full Safari window rather than just opening within the CNA.

Has anyone else had this issue or have any idea where to look? I've tried adding a deny for apple.com into my initial role, but this hasn't made any difference.

 

Dave


It sounds as though your captive portal connection is being cached and so your client device is getting moved to the authenticated role automatically.


Charlie Clemmer
Aruba Customer Engineering
Contributor I

Re: Apple CNA Issues

I don't think it's being cached, as when I run "show user-table" the client has the initial role, and the issue is still there after "aaa user delete mac <mac>".

 

Dave

Aruba Employee

Re: Apple CNA Issues

If the client is still in the initial role, then it doesn't sound as though captive portal authentication is working or I'm misunderstanding the process flow you're testing.

 

Yes, after deleting the user entry, the device should end up back in the initial role, so that behavior is consistent. What links are users trying to navigate prior to completing captive portal auth?


Charlie Clemmer
Aruba Customer Engineering
Contributor I

Re: Apple CNA Issues

Sorry, should have explained the process.

User associates and MAC auths against ClearPass, gets rejected and so retains the Initial / captive portal role. They are redirected to the ClearPass captive portal, which opens the Apple CNA. As soon as the CNA opens, you see the "Cancel" button change to "Done" prior to the user doing anything. My understanding is that the button only changes once the device can access captive.apple.com; however, the captive portal role does not allow any access to captive.apple.com. I've even tried adding an explicit deny for apple.com, but this didn't make any difference.

 

Thanks

 

Dave

Aruba Employee

Re: Apple CNA Issues

Definitely strange. I agree, the CNA browser should not be switching to Done until clear access is available. I believe there are a few different destinations that can be checked in addition to captive.apple.com, but you have the right idea.

 

Are you using the default initial role (guest-logon) or something custom? Can you include the output from "show rights <initial-role>" from the controller, for whatever your initial role is? Also, what version of AOS are you running?


Charlie Clemmer
Aruba Customer Engineering
Contributor I

Re: Apple CNA Issues

Output from "show rights guest-logon" below; clearpass-test is the ClearPass server where the captive portal is hosted.

 

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'guest-logon'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 4
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 ACL Number = 9/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE
 Captive Portal profile = Open_Test

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                  Type     Location
--------  ----                  ----     --------
1         ra-guard              session
2         allow-clearpass-test  session
3         logon-control         session
4         captiveportal         session

ra-guard
--------
Priority  Source  Destination  Service          Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          icmpv6 rtr-adv                deny                             Low                                                           6
allow-clearpass-test
--------------------
Priority  Source  Destination     Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------     -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    clearpass-test  svc-https               permit                           Low                                                           4   
2         user    clearpass-test  svc-http                permit                           Low                                                           4   
logon-control
-------------
Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any                      udp 68                 deny                             Low                                                           4
2         any     any                      svc-icmp               permit                           Low                                                           4
3         any     any                      svc-dns                permit                           Low                                                           4
4         any     any                      svc-dhcp               permit                           Low                                                           4
5         any     any                      svc-natt               permit                           Low                                                           4
6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4
7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4
captiveportal
-------------
Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
2         user    any          svc-http                      dst-nat 8080                           Low                                                           4
3         user    any          svc-https                     dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

Current AOS version is 6.4.4.16.

 

Thanks

 

Dave
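The two questions the thread circles around are (a) which rule in the posted guest-logon role a CNA probe to captive.apple.com actually hits, and (b) what the CNA does with the answer it gets. The following is an added example, not code from the thread, from Aruba or from Apple: it transcribes the four session ACLs from the "show rights guest-logon" output above in their posted position order, walks them first-match-wins the way a session ACL list is evaluated, and then applies a simplified model of the CNA decision. The port numbers behind the svc-* aliases, the 203.0.113.x addresses standing in for captive.apple.com and a DNS server, and the three-state CNA model ("Done" only when the probe is permitted through to Apple; a dst-nat'd probe is answered by the controller's portal listener, which is not Apple's Success page) are assumptions for illustration.

```python
"""Replay the posted guest-logon session ACLs against a CNA probe flow.

Added example (not from the thread). Rule order, sources, destinations and
actions are transcribed from the "show rights guest-logon" output; the
service-to-port table and the CNA model below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# AOS service aliases used by the posted ACLs. Port values are the usual
# ones for these aliases but are assumed here, not taken from the thread.
SERVICES = {
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
    "svc-dns": ("udp", 53),
    "svc-dhcp": ("udp", 67),
    "svc-natt": ("udp", 4500),
    "svc-icmp": ("icmp", None),
    "svc-http-proxy1": ("tcp", 3128),
    "svc-http-proxy2": ("tcp", 8080),
    "svc-http-proxy3": ("tcp", 8888),
    "udp 68": ("udp", 68),
    "icmpv6 rtr-adv": ("icmpv6", None),
}


@dataclass(frozen=True)
class Flow:
    src: str            # "user" = the wireless client in the role
    dst: str            # alias ("controller", "clearpass-test") or IP literal
    proto: str
    port: Optional[int] = None


# (acl name, [(source, destination, service, action), ...]) in posted order.
GUEST_LOGON_ACLS: List[Tuple[str, list]] = [
    ("ra-guard", [("user", "any", "icmpv6 rtr-adv", "deny")]),
    ("allow-clearpass-test", [
        ("user", "clearpass-test", "svc-https", "permit"),
        ("user", "clearpass-test", "svc-http", "permit"),
    ]),
    ("logon-control", [
        ("user", "any", "udp 68", "deny"),
        ("any", "any", "svc-icmp", "permit"),
        ("any", "any", "svc-dns", "permit"),
        ("any", "any", "svc-dhcp", "permit"),
        ("any", "any", "svc-natt", "permit"),
        ("any", "169.254.0.0 255.255.0.0", "any", "deny"),
        ("any", "240.0.0.0 240.0.0.0", "any", "deny"),
    ]),
    ("captiveportal", [
        ("user", "controller", "svc-https", "dst-nat 8081"),
        ("user", "any", "svc-http", "dst-nat 8080"),
        ("user", "any", "svc-https", "dst-nat 8081"),
        ("user", "any", "svc-http-proxy1", "dst-nat 8088"),
        ("user", "any", "svc-http-proxy2", "dst-nat 8088"),
        ("user", "any", "svc-http-proxy3", "dst-nat 8088"),
    ]),
]


def _dst_matches(rule_dst: str, flow_dst: str) -> bool:
    if rule_dst == "any":
        return True
    if " " in rule_dst:  # "network mask" form, e.g. 169.254.0.0 255.255.0.0
        net, mask = rule_dst.split()
        try:
            return ipaddress.ip_address(flow_dst) in ipaddress.ip_network(f"{net}/{mask}")
        except ValueError:
            return False  # flow destination is an alias, not an address
    return rule_dst == flow_dst  # named alias such as "controller"


def _service_matches(rule_svc: str, flow: Flow) -> bool:
    if rule_svc == "any":
        return True
    proto, port = SERVICES[rule_svc]
    return proto == flow.proto and (port is None or port == flow.port)


def evaluate(flow: Flow, acls=GUEST_LOGON_ACLS) -> Tuple[str, int, str]:
    """Return (acl name, rule priority, action) of the first matching rule.

    ACLs are walked in the role's position order and rules by priority;
    a session ACL list ends in an implicit deny.
    """
    for acl_name, rules in acls:
        for prio, (src, dst, svc, action) in enumerate(rules, start=1):
            if src not in ("any", flow.src):
                continue
            if _dst_matches(dst, flow.dst) and _service_matches(svc, flow):
                return acl_name, prio, action
    return "implicit", 0, "deny"


def cna_outcome(action: str) -> Tuple[str, str]:
    """Simplified CNA model (assumption): the sheet shows "Done" only when
    the probe reaches Apple unmodified; a dst-nat'd probe is answered by
    the controller's captive-portal listener and reads as captive."""
    if action == "permit":
        return "open", "Done"
    if action.startswith("dst-nat"):
        return "captive", "Cancel"
    return "offline", "no CNA sheet"


if __name__ == "__main__":
    # Constructed address standing in for captive.apple.com.
    probe = Flow("user", "203.0.113.10", "tcp", 80)
    acl, prio, action = evaluate(probe)
    print(f"CNA probe hits {acl} rule {prio}: {action} -> {cna_outcome(action)}")
```

Run as-is, the probe lands on captiveportal rule 2 (dst-nat 8080), so under this model the controller, not Apple, answers the probe and the sheet should stay on "Cancel". If a device with this exact role still flips to "Done", the probe is either not reaching the controller's listener on that path or is being answered with something the device accepts; comparing the same evaluation against "show rights" output from the authenticated role, and adding the other Apple probe hosts Charlie mentions as further Flow destinations, is the natural next check.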
