Security


No Captive Portal Assistant Window pop-up for Mac devices

  • 1.  No Captive Portal Assistant Window pop-up for Mac devices

    Posted Nov 07, 2019 11:11 AM

    Hello, 

     

    I have read through multiple threads regarding clients not receiving the captive portal pop-up when connecting to guest from an Apple device. We DO NOT have the CNA bypass enabled, I have opened tickets with support, but no resolution. 

     

    I suspect it could be the fact that captive.apple.com is not being completely allowed by policy? Below are my captive portal rules, can someone confirm if these need to be adjusted? I will note that currently when you connect with an Apple device you have to use Firefox/Chrome and browse to google.com to be redirected properly.

     

    If you try to browse to "captive.apple.com" directly from any browser you get a "success" page. 

     

    [Two attached screenshots: Screen Shot 2019-11-07 at 11.07.34 AM.png, Screen Shot 2019-11-07 at 11.05.44 AM.png]

    Thanks in advance!!

     



  • 2.  RE: No Captive Portal Assistant Window pop-up for Mac devices

    Posted Nov 11, 2019 03:26 AM

    If you see the Success message in the browser, that means that either:

    - captive.apple.com is allowed through the captive portal, likely through a whitelist

    or

    - some form of CNA bypass is enabled and spoofing the Success message to your device.

    or

    - there is another path from your client to captive.apple.com that is more preferred and doesn't have the redirect.

     

    For some reason, the request is not redirected and that results in the pop up not being shown.

     

    What you could do is to find the role that the user is in during this situation ('show users' on the CLI, or the client view in the WebUI), then carefully check what is in the role (CLI: 'show rights mylogonrole' if the client is in a role named mylogonrole). In the controller CLI you could also do a 'show datapath session' to see if and how the client hits the datapath. If you don't feel comfortable doing this analysis, it may be good to involve your Aruba partner or Aruba support.
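
The client-side half of the check described in this reply, as an added example that is not part of the thread: it sends the probe to captive.apple.com without following redirects and reports whether the request was redirected, answered with the Success page, or replaced with other content. The probe path `/hotspot-detect.html`, the portal URL and the sample responses are assumptions constructed for illustration.

```python
"""Client-side check of the captive portal probe (added example, not from the thread)."""
import http.client
import re

PROBE_HOST = "captive.apple.com"
PROBE_PATH = "/hotspot-detect.html"  # assumption: Apple's usual probe path, not stated in the thread


def classify(status, location, body):
    """Return (verdict, detail) for one probe response."""
    if 300 <= status < 400 and location:
        # The controller rewrote the request: the assistant window should open.
        return "redirected", location
    title = re.search(r"<title>\s*(.*?)\s*</title>", body, re.I | re.S)
    if status == 200 and title and title.group(1) == "Success":
        # Probe answered as if the client were online: no pop-up is triggered.
        return "success", "probe not intercepted (allowed, spoofed, or other path)"
    if status == 200:
        # A portal page served in place of the probe page also counts as captive.
        return "portal-content", (title.group(1) if title else "no title")
    return "unexpected", f"HTTP {status}"


def probe(host=PROBE_HOST, path=PROBE_PATH, timeout=5):
    """Send the probe without following redirects (run from the guest SSID)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return classify(resp.status, resp.getheader("Location"), body)
    finally:
        conn.close()


# Constructed sample responses (not captured from a real network).
SAMPLES = {
    "open": (200, None, "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    "captive": (302, "https://portal.example.net/guest/login.php", ""),
    "inline": (200, None, "<html><head><title>Guest Login</title></head></html>"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, classify(*sample))
    # print(probe())  # uncomment on a client that is still in the pre-auth guest role
```

A `success` verdict from a client that has not yet authenticated matches the symptom in this thread; the role and datapath checks on the controller are then what tell the three possible causes apart.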