Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

iPhone captive popup for WPA Enterprise?

  • 1.  iPhone captive popup for WPA Enterprise?

    Posted May 05, 2021 03:26 PM
    Hi there,

    I'm trying to get captive portal to popup automatically on iPhones, to show info about security problems etc to my users (an example is to popup info that they must disable mac randomization to access the network).
    While this does work perfectly for WPA PSK networks, I can't get it to work with WPA Enterprise.
    Everything being the same, I can see the role being applied, I'm also redirected on the browser (except when accessing most of common sites, due to HSTS etc), but it never pops up automatically.

    Scenario:
    - user connects to a WPA PSK network
    - clearpass sends role info that has a captive portal
    - iphone pops up the browser with the site set on captive portal

    - now, user connects to a WPA Enterprise network
    - clearpass sends the same role; same controller, same network
    - iphone connects and never pops up the browser
    - user opens safari and navigates to google.com => nothing (due to HSTS + https); user navigates to http://www.someunknownsite.com => captive redirect works.


    Any way to overcome this?

    As an alternative, how can I inform my users why they are prevented from accessing the network?

    Thanks

    ------------------------------
    Ricardo Duarte
    ------------------------------


  • 2.  RE: iPhone captive popup for WPA Enterprise?

    Posted May 05, 2021 03:35 PM
    Can the default role for the WLAN reach http://captive.apple.com? If it can reach it, the automatic popup may not work.


    ------------------------------
    Dustin Burns

    If my post was useful accept solution and/or give kudos
    ------------------------------
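    As an added illustration of the check Dustin describes (example code, not from the thread or from Aruba), the script below models the decision the iOS Captive Network Assistant makes when its plain-HTTP probe to captive.apple.com comes back, and lets you run the same probe from a client placed in the role under test; the hotspot-detect.html path, the "Success" body, and the sample responses are assumptions I constructed, not taken from the thread.

    ```python
    """Model of the Captive Network Assistant (CNA) probe decision, plus a helper to
    run the same plain-HTTP probe (HTTPS would never redirect because of HSTS)."""
    import urllib.error
    import urllib.request
    from dataclasses import dataclass
    from typing import Optional

    # Assumed probe target and the body Apple serves when it is reached unmodified.
    PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
    EXPECTED_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"


    @dataclass
    class ProbeResult:
        status: int
        location: Optional[str]
        body: str


    def classify(result: ProbeResult) -> str:
        """'open': probe reached Apple unmodified, so no popup is expected.
        'redirected': the role's captive-portal rule answered with a 3xx, popup expected.
        'intercepted': something answered 200 with a different body, popup expected."""
        if 300 <= result.status < 400 and result.location:
            return "redirected"
        if result.status == 200 and result.body.strip() == EXPECTED_BODY:
            return "open"
        return "intercepted"


    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx to the caller instead of following it


    def probe(url: str = PROBE_URL, timeout: float = 5.0) -> ProbeResult:
        """Fetch the probe over plain HTTP without following redirects."""
        opener = urllib.request.build_opener(_NoRedirect)
        try:
            with opener.open(url, timeout=timeout) as resp:
                return ProbeResult(resp.status, resp.headers.get("Location"),
                                   resp.read().decode(errors="replace"))
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
            return ProbeResult(err.code, err.headers.get("Location"),
                               err.read().decode(errors="replace"))


    # Constructed sample responses standing in for what each role might return.
    SAMPLES = {
        "psk_role": ProbeResult(302, "http://portal.example.test/login", ""),
        "open_internet": ProbeResult(200, None, EXPECTED_BODY),
        "splash_no_redirect": ProbeResult(200, None, "<html>Blocked</html>"),
    }
    ```

    Run `classify(probe())` from a client that has been placed in the Enterprise role; an "open" result means the role lets the probe through and the popup cannot fire.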



  • 3.  RE: iPhone captive popup for WPA Enterprise?

    Posted May 05, 2021 03:37 PM
    No, it can't.

    Also, the same role applied to WPA PSK (everything being the same: controllers, network, SSID) triggers the CNA on the same iPhone.

    ------------------------------
    Ricardo Duarte
    ------------------------------



  • 4.  RE: iPhone captive popup for WPA Enterprise?

    Posted May 06, 2021 02:26 PM
    This is not supported.

    And why would you be asking users to disable things that protect their privacy?

    ------------------------------
    Tim C
    ------------------------------



  • 5.  RE: iPhone captive popup for WPA Enterprise?

    Posted May 06, 2021 04:10 PM
    Uhmm...

    Because ClearPass depends on MAC address for multiple things (ex.: MDM integration). Just looking at "Endpoints" db queries on ClearPass makes it clear the product is "MAC Address centric", and depends on the real value for some of its functions.
    I know, it sucks.
    If ClearPass was "smart" enough to parse and use my device UUIDs (that are already present on my certs) and use that as the key for the integrations I would happily keep my users' privacy intact.

    ------------------------------
    Ricardo Duarte
    ------------------------------



  • 6.  RE: iPhone captive popup for WPA Enterprise?

    Posted May 06, 2021 04:22 PM
    You should be using a certificate property as a context handle. A MAC address is not a persistent identifier.

    And even if you were using MDM, it should be disabled using the MDM as there is an existing consent and privacy framework as part of that process. You should never be asking users to disable privacy protections. That is unacceptable.

    ------------------------------
    Tim C
    ------------------------------



  • 7.  RE: iPhone captive popup for WPA Enterprise?

    Posted May 06, 2021 04:38 PM
    ClearPass does not support UUID for MDM integration and depends on MAC Address.
    And this forum is about ClearPass.

    So please preach that to Aruba, not to me.

    ------------------------------
    Ricardo Duarte
    ------------------------------



  • 8.  RE: iPhone captive popup for WPA Enterprise?

    Posted May 06, 2021 04:44 PM
    So then you should configure MAC randomization via the MDM....

    Also, the endpoint database can be queried via any attribute.

    ------------------------------
    Tim C
    ------------------------------



  • 9.  RE: iPhone captive popup for WPA Enterprise?

    Posted May 06, 2021 05:02 PM
    Do you prefer "Antivirus" integration? Or "Inventory" Software integration?
    Just have a quick look at ClearPass extensions. Every single one depends on the real MAC address (Intune, SEP, Sophos, Cylance, Airwatch, JAMF, the list goes on).

    And it's not like this is a great privacy feature in an enterprise scenario. MAC address, while random, is always the same for the same network. Someone sniffing the air can still know a particular person is moving from place A to B each day etc (the same if they stay at the door and track who enters the building). Also, you say to use certificates instead. You know, any kind of authentication is a "privacy" concern. Someone can then go to "access tracker" and see the info about the user. And then map the "oh so private random MAC" into the user and the IP. So much for privacy... So, let us abolish authentication as well!

    My network, my rules. If they don't agree with the rules, they can decide not to connect. That's a "consent framework". Don't consent, don't connect. There are reasons why MAC Randomization is optional and can be disabled on all the platforms that adopted it. NAC and enterprise networks are probably some of them.
    I will happily move to a privacy friendlier environment when the NAC industry keeps up with the new privacy oriented world. Until then, I have to deal with the technical shortcomings of those products to get work done.

    But all this MAC Randomization is beyond the point of this topic.

    The topic is about "how to inform my users about the reason their network access was blocked" in a way that works seamlessly with WPA Enterprise.

    ------------------------------
    Ricardo Duarte
    ------------------------------