The title says 802.1X, your message describes captive portal login. What are you trying to do?
The Prevent CNA will prevent the automatic popup, which is needed if you want to use ClearPass Onboard to get your clients provisioned for 802.1X. With that option ticket you should not see the automatic popup, which looks to be the opposite of what you want.
For all devices to properly pop up for the captive portal, make sure you are using HTTPS based on a fqdn (not on IP), with public trusted certificates for all steps in the process (like controller/IAP and ClearPass will need to have a trusted certificate). If you see any certificate warnings or HTTP anywhere in the process, it's unlikely that the Apple devices will show the automatic popup.
If you want SSO against Azure AD to work (as the use has already authenticated for other applications), you should do that outside the CNA, in the same (Safari, Chrome, etc) browser that the user is logged into. If you combine 802.1X and Captive portal, I have seen some devices not triggering the popup when on an 802.1X network (just on open/PSK); so that may be happening here as well.
Is your question answered? If not, it may be good if you provide some more context and what you are doing.
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/
for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Sent: Aug 14, 2022 09:46 PM
From: Alan Murray
Subject: 802.1x authentication to Azure AD
We are having issues providing a sensible workflow to a customer for Apple devices connecting to a byod SSID which authenticates against Azure AD. The captive portal does not appear upon connection and Apple users need to instigate a http GET message which is then interrupted and the portal allows them to login. We have been working with Aruba TAC but we still do not seem to be able to get the portal prompting automatically.
My question is - should we enable prevent CNA: on our Web Login form?
My instinct says yes but I have been advised I should not do so.
Is anyone able to give me a definitive answer?