06-08-2016 10:03 AM
I just wanted to share a solution for the interoperability issue I found for IOS devices not getting to the captive portal page when your wireless environment consist of Aruba Controller and Checkpoint Firewalls running in Load Sharing Multicast Mode.
Please note, this setup works fine for Windows and Android.
It seems to only affect IOS devices and I have noticed sometimes it having a hickup on OS X.
At issue is when Checkpoint Firewalls are running in Load Sharing Multicast Mode and Aruba is trying to intercept the TCP/UDP connection that the IOS device is requesting in order to redirect the IOS device to the captive portal page. In Multicast Mode, the Checkpoint gateway uses a multicast mac address and this appears to cause problems when the Aruba Controller substitutes the return traffic with it's own response. This response is not getting to the IOS device and prevents it from getting to the Captive Portal page.
Workaround: Make Aruba Controller your DNS server.
How I came about this solution:
When doing a packet capture on the IOS Device I saw the Aruba Controller send a HTTP redirect response for the requested URL the IOS Device was making. The redirect points to the URL of the captive portal page. The IOS device then does a DNS request for the domain in the redirect URL but never gets an answer from the DNS server, leaving the IOS device hanging and never getting to the captive portal page. Aruba Controller rewriting the packet response from the DNS server here fails to reach the IOS device.
Making the change in DHCP, I changed the IP adddress of the DNS server to the IP address of the Aruba Controller. Before it was 220.127.116.11 (Google's). The logic behind the change was to not go through the default gateway (Checkpoint Firewall) for DNS lookup which it has to if it's 18.104.22.168 therefore not requiring the Aruba Controller to rewrite the packet response of the Checkpoint Firewall which uses a multicast mac address.
This fixed the problem for IOS Devices and does not appear to break anything for Windows and Android.
This problem sounds same/similar to what others have experienced with Cisco Wireless and Checkpoint Firewalls.