Wireless Access

Reply
Frequent Contributor II
Posts: 123
Registered: ‎03-04-2011

Apple Devices and Captive Portal

I've noticed that the captive portal no longer automatically pops up for our users when they connect to the guest SSID. It used to before but now it doesn't. If the user opens any browser on a Mac, they are forwarded to the Aruba captive portal. However, it doesn't automatically pop up when the user connects to the SSID like it used to. This is not a problem on Windows.

Regular Contributor I
Posts: 171
Registered: ‎04-13-2009

Re: Apple Devices and Captive Portal

i assume you are using ClearPass for guest?

 

Did you enable the captive portal assistant settings in CPPM? http://community.arubanetworks.com/t5/Validated-Reference-Design/Apple-Captive-Network-Assistant-Bypass-with-ClearPass-Guest/ta-p/155618

 

Also there Captive Portal assistant does a check to a specifc apple URL to check for internet connectivity. If it gets a redirect it knows it is behind a captive portal. Have you updated the pre-auth role ACL to allow any apple access? If the cleints can reach this page without any block or redirect, they will not know they are behind a captive portal.

-------------------
ACDX, ACCP, CISSP, CWNA
Frequent Contributor II
Posts: 123
Registered: ‎03-04-2011

Re: Apple Devices and Captive Portal

We are not using clearpass and we have not added any apple access to the pre-auth role

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Apple Devices and Captive Portal

Apple constantly changes the behavior. It's a losing battle.

To test, try forgetting the network then reconnecting. Do you get the CNA?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 123
Registered: ‎03-04-2011

Re: Apple Devices and Captive Portal

I don't think it's Apple. And that didn't work.

Frequent Contributor II
Posts: 123
Registered: ‎03-04-2011

Re: Apple Devices and Captive Portal

Working with TAC on this. After several hours, and spanning multiple days, we're still unable to get the Apple Captive Portal Assistant to pop up using Aruba OS 6.4.4.11.

 

The engineer believes there to be a bug in this OS version. I'll update the thread once we figure it out.

Frequent Contributor II
Posts: 123
Registered: ‎03-04-2011

Re: Apple Devices and Captive Portal

Well TAC couldn't figure it out but I'm halfway there. I noticed in the release notes for 6.4.4.10 that the default certificate included with Aruba OS 6.4.4.9 and below, has been revoked for security reasons. A public CA is now required for the Apple Captive Portal Assistant to work properly. It's crazy how TAC didn't know this right off the bat.

 

I uploaded our wildcard certficate and the Apple Captive Portal Assistant now pops up when connecting to our guest network. However, after logging-in, we're getting the error message, "A problem occurred. The webpage couldn't be loaded." I notice that the URL of the captiveportal page is now captiveportal-login.domain instead of securelogin.arubanetworks.domain, which maps to our controllers main IP. The guest network blocks all internal traffic by design.

 

Does anyone know the next step?

 

Revocation of ArubaOS Default Certificate Issued by GeoTrust

The controller-issued server certificate replaces the ArubaOS default certificate issued by GeoTrust Public CA for WebUI authentication, Captive Portal, 802.1X termination, and Single Sign-On (SSO) because the default certificate is now revoked.

For more information on the GeoTrust Public CA certificate revocation, refer to the advisory.

Using the controller-issued server certificate has the following caveats:

 When MacBook or iOS devices connect to Captive Portal, the CNA (Captive Network Assistant) popup does not appear. So, you must open a browser to get redirected to a Captive Portal page.
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Apple Devices and Captive Portal

[ Edited ]

The CNA works over http, so it should always have worked, really.

 

When you upload a wildcard certificate the redirection URL should be captiveportal-login.domain, so you should adjust accordingly.

 

That is all I am willing to say, because I am not aware of what dealings you had with support. 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 123
Registered: ‎03-04-2011

Re: Apple Devices and Captive Portal

[ Edited ]

Thanks cjoseph, what adjustments are needed? Support hasn't been great. This is 3 weeks since submitting the ticket and I had to find out for myself that a public CA is needed since 6.4.4.10.

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Apple Devices and Captive Portal

Are you using a captive portal internal to the controller or external to the controller?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: