Wireless Access

 View Only
last person joined: 16 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Apple iOS devices not open Captive Portal Login Page automatically

This thread has been viewed 31 times
  • 1.  Apple iOS devices not open Captive Portal Login Page automatically

    Posted Jul 20, 2022 04:55 PM
    Hi Guys!

    We would like to implement a guest Captive Portal solution with UAP policy. (with internal custom login page)

    I made configurations based on User Guide, solutions works fine on Windows and Android devices (Login Page automatically opens or device alerts user to tap to open page). Apple devices can connect also, but no alert displayed to open Login Page. If a user opens a Safari browser and try to go to any webpage, it redirected to Login Page, but we need this to work automatically.

    I made a second guest WLAN with absolute same settings, but default template Captive Portal Login Page was used. If an Apple device connects to the second SSID, Aruba login page is opened automatically.

    Based on this experience, I suspect that there might be a problem with the html code of the custom page?


    Some outputs:

    (wlc01) [mynode] #show aaa authentication captive-portal aguest_cppm_prof
    Captive Portal Authentication Profile "aguest_cppm_prof"
    Parameter                                          Value
    ---------                                          -----
    Default Role                                       guest
    Default Guest Role                                 guest
    Server Group                                       default
    Redirect Pause                                     10 sec
    User Login                                         Disabled
    Guest Login                                        Disabled
    Logout popup window                                Disabled
    Use HTTP for authentication                        Disabled
    Logon wait minimum wait                            5 sec
    Logon wait maximum wait                            10 sec
    logon wait CPU utilization threshold               60 %
    Max Authentication failures                        0
    Show FQDN                                          Disabled
    Authentication Protocol                            PAP
    Login page                                         /upload/custom/aguest_cppm_prof/aguest.html
    Welcome page                                       /auth/welcome.html
    Show Welcome Page                                  No
    Add switch IP address in the redirection URL       Disabled
    Adding user vlan in redirection URL                Disabled
    Adding AP's MAC address in redirection URL         Disabled
    Add a controller interface in the redirection URL  N/A
    Allow only one active user session                 Disabled
    White List                                         N/A
    Black List                                         N/A
    Show the acceptable use policy page                Enabled
    User idle timeout                                  N/A
    Redirect URL                                       https://company.com
    Bypass Apple Captive Network Assistant             Disabled
    URL Hash Key                                       N/A
    (wlc01) [mynode] #

    (wlc01) [mynode] #show references aaa authentication captive-portal aguest_cppm_prof
    References to Captive Portal Authentication Profile "aguest_cppm_prof"
    Referrer                                           Count
    --------                                           -----
    /sc:user-role "aguest-guest-logon" captive-portal  1
    (wlc01) [mynode] #


  • 2.  RE: Apple iOS devices not open Captive Portal Login Page automatically

    Posted Jul 22, 2022 04:46 AM
    In my experience this may happen if you didn't put in a proper trusted HTTPS certificate for your captive portal.

    Apple appears to prevent the popup if the captive portal certificate is not trusted.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

  • 3.  RE: Apple iOS devices not open Captive Portal Login Page automatically

    Posted 28 days ago

    I have recently been battling with iOS devices and Captive portal, and I would like to share my observations, findings.

    Herman is correct, it is an Apple iOS requirement, that the Captive portal must be HTTPS and a trusted Certificate.

    However, I too had an issue, where Android, and Computers would get the captive portal prompt, but not iOS.

    I had another captive portal working, and but this new captive just wouldn't work with iOS.
    I embedded the image into the HTML using base64. The image of the portal that worked, was initially resized to 400x400px.
    This new portal image I forgot to resize, and was an 1200x1200px PNG, making it around 700KB.
    I happened to have both the working and non-working HTML files in the same directory and noticed the difference in size.
    I resized and redeployed my HTML and now it works for iOS! I can find no documentation with Apple to explain this, but it is very reproducible.
    I discovered, quite by accident, that the size of the captive portal HTML has to be less than ~128KB or and iOS device will not detect/display the captive portal!

    An important fact about iOS WiFi handling of Captive Portal:
    When an iOS device initially connects to a WiFi and detects Captive Portal, the option Auto-Login is added when WiFi profile created.
    This option is what allows the iOS device to detect and display the Captive Portal, for login.

    Here is a problem I've discovered, regarding Auto-Login, and extended authenticated session times.
    I deployed a Public Guest WiFi with captive portal. In ClearPass I configured a Service-Enforcement Policy that to set the MAC Caching, and to track the Session ID, in the Endpoint Profile.
    The iOS devices connects, the Captive Portal is displayed, the user accepts the terms, then ClearPass sets the Role to allow Internet access, and all is good.

    My ClearPass Policy is designed to ensure the endpoint has Internet as long as the device maintains connection. Only unless the MAC cache expires, and the session ID changes, will a Captive Portal be displayed, to the endpoint.

    This is problem I'm running up against. If iOS is continuously connected, without a lapse in Internet access, for an extended period of time, the Auto-Login option is removed from the iOS WiFi profile.

    There is no way to get the Auto-Login option back except to forget and rejoin the WiFi with the captive portal.

    In testing, the only way I've been able to ensure the option doesn't disappear is to force a captive portal every 4 hours. I've not established exactly what the time frame is, or if there are other mitigating conditions.

    I've read many posts, in many forums, and the go to response to resolving the captive portal not displaying is: "Forget This Network."
    I would venture to guess that most of these connection problems are due to the Auto-Login disappearing.

    Another discovery, I updated the iOS while connected to, and authenticated to WiFi with a captive portal. The device rebooted, and when I looked at the iOS WiFi connection profile, Auto-Login had been removed. I assume because the WiFi session still had Internet Access.

    One more discovery, regarding iOS and captive portal.
    Apple looks for DHCP option 114, which I've setup, and that doesn't stop iOS from removing Auto-Login.
    I setup a packet capture using:

    packet-capture-defaults destination ip-address <dest-IP>
    packet-capture-defaults datapath mac <iOS_MAC_addr> decrypted

    I discovered that the iOS requests DNS resource records 'A' and 'HTTPS' for the captive port DNS name.
    I find the HTTPS RR request interesting, since it is still a IETF draft and Not yet an official RFC.

    From what I can tell, this has been a problem since the Apple implemented WiFi Auto-Join circa 2013.
    I'm not going to say Apple's captive portal handling is broke, but there is a serious flaw, when it comes to long term use.

    Hopefully my findings and musings will help others struggling with iOS and Captive Portal.

  • 4.  RE: Apple iOS devices not open Captive Portal Login Page automatically

    Posted 23 days ago
    We had captive.apple.com whitelisted for years to make captive portals work, then they suddenly stopped working last week, in troubleshooting we removed captive.apple.com from the whitelist and it started working again, thinking maybe they made a change to how iOS handles captive portals.