Wireless Access

Reply
New Contributor

Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

I have an IAP 115 running code version 6.5.2.0.

 

I have set up a captive portal for guest access.  I'm using the simple "Internal - Acknowledged" captive portal with all other options disabled (i.e. no proxy, MAC auth, blacklisting, DHCP enforcement or encryption)

 

On Windows and Android devices the captive portal is automatically displayed when the device connects to the SSID however on Apple devices, Apple's CNA is not triggered and the user has to manually launch a browser and attempt to browse to a website to get the captive portal page.  This is confusing for many users and causing them to think they have internet connectivity as soon as they connect to the guest SSID.

 

Is there a specific configuration setting in the GUI or CLI to get CNA working on Apple devices?

 

Thank you!

Guru Elite

Re: Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

Are you allowing any domains/subnets/IPs in your preauthentication role?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

I don't have a wireless pre-authentication role configured.  Just the two default roles "default_wired_port_profile" and "wired-SetMeUp" roles are defined along with the guest SSID I created.

New Contributor

Re: Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

Another point to note:

 

My understanding of how CNA works is that when an Apple device connects to a WLAN it tries to connect to captive.apple.com and if it is unable to connect and receive the "success" message then it believes it is behind a captive portal and the CNA page is displayed.

 

I have even tried to create an inbound firewall rule to block captive.apple.com (which resolves to 17.253.25.205) and deny http from that host to all destinations and CNA still is not triggered.

 

I am starting to think that the IAP is somehow spoofing the success page which is making the iOS device believe it is not behind a captive portal, hence CNA is not activated when joining the guest network.

 

Is this by design?  I cannot figure out why this will not work... all of the forums talk about options to enable/disable CNA bypass using ArubaOS or Clearpass but I do not see such an option on Instant!  Surely there is a way to fix this?

 

Please help.

 

Thanks!

Guru Elite

Re: Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

No, IAP doesn't bypass captive portal connectivity checks. Please open a TAC case.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

TAC case was opened and issue has been resolved.  The fix was to install a public signed certificate for the captive portal.  CNA will not work on IAP with a self-signed certificate.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: