Hi Herman,
thanks for the reply. This is an SSID with a captive portal using a PSK. The first time a user connects with the PSK and tries to browse, it will redirect them to our Captive Portal page, run on CPPM, and they will go through the registration process. Most of our "guests" are actually employees with personal devices, so we do allow self-approval through email. Once approved, the captive portal will allow the device to log in on the network, and from that point on, for a maximum duration of 1 year, that device will be allowed on the network whenever it is close to that SSID being broadcast. That portion has always worked well and still does today. The issue relates to what happens after that is done: typically, if a user went home for the day and came back to the office the next, their device would reconnect to that known SSID without any issues, but that is no longer the case for iOS devices. When looking in the list of WiFi networks, it will show the SSID under the "My Networks" section, as it is known, but it doesn't auto-connect like it used to. If I simply click on the SSID, it will then connect and work as intended, so it really is only the auto-join functionality that we are having a problem with.
The device, once registered, does hit our CPPM mac-caching service.
I also spent a good amount of time on the device itself, also reading about the Private Address toggle, which is what Apple implemented to apply randomized virtual MACs to increase security. Whether that is on or off, auto-join on or off, or whichever device-specific option I could find online through some googling, nothing changed the results.
I am not onsite today, but one thing I did do prior to leaving yesterday was to update my iPhone to the latest 15.6 code, and I thought I saw an improvement when I was turning WiFi on and off; it seemed to auto-join now. That was end of day and I had to leave, but I will be back onsite Tuesday with multiple colleagues and their devices, not currently running 15.6, and we will keep troubleshooting to see if there is a relation with the iOS code. As mentioned in my original post, the only other thing I changed yesterday was to apply a newly generated certificate and make sure it was packaged in the right order (pkey, cert, intermediate, root), as I noticed in certain instances, in PFX format using certain tools, the intermediate and root would be out of order, which I know certain devices consider invalid.
I'll update this post on Tuesday if I am able to get more testing completed.
Thanks,
Ben
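As an added example (not code from the thread or from Aruba/ClearPass), a stdlib-only Python check for the chain order Ben describes (leaf, then intermediate, then root) in a PEM bundle. It only compares each certificate's issuer bytes with the next certificate's subject bytes, it does not verify signatures; the sample certificates are constructed, unsigned X.509 skeletons with made-up names, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(value):
    """Split the contents of a constructed DER value into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def issuer_and_subject(der):
    """Return (issuer, subject) as raw DER Name contents from an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                      # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])      # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]              # serial, sigAlg, issuer, validity, subject, ...

def check_chain_order(pem_bundle):
    """Return ordering problems; an empty list means leaf -> intermediate(s) -> root."""
    certs = [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_bundle)]
    pairs = [issuer_and_subject(c) for c in certs]
    problems = []
    for i in range(len(pairs) - 1):
        if pairs[i][0] != pairs[i + 1][1]:        # issuer of cert i must be subject of cert i+1
            problems.append(f"cert {i} is not issued by cert {i + 1}")
    if pairs and pairs[-1][0] != pairs[-1][1]:
        problems.append("last cert is not self-signed (root missing or out of order)")
    return problems

# --- constructed fixtures: unsigned X.509 skeletons, NOT real certificates ---
def _enc(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def fake_cert_pem(subject, issuer):
    name = lambda cn: _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
               + name(issuer) + _enc(0x30, b"") + name(subject) + _enc(0x30, b""))
    der = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

LEAF, INTER, ROOT = (fake_cert_pem("guest.example.com", "Example Intermediate"),
                     fake_cert_pem("Example Intermediate", "Example Root"),
                     fake_cert_pem("Example Root", "Example Root"))
if __name__ == "__main__":
    print("correct order:", check_chain_order(LEAF + INTER + ROOT))   # []
    print("swapped order:", check_chain_order(LEAF + ROOT + INTER))
```

For a PFX, export the chain to PEM first (for example with `openssl pkcs12 -nokeys`) and feed the resulting bundle to `check_chain_order`.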
Original Message:
Sent: Jul 29, 2022 08:49 AM
From: Herman Robers
Subject: Apple iOS devices unable to auto-join Corporate Guest SSID
If I read correctly, you have an SSID with a captive portal. What is the encryption on that SSID? Open? PSK? Other?
When you mention that iOS devices need to click to connect, is that to get connected to that SSID, like it doesn't auto-connect? Or is it that they need to click on the user acceptance policy in the captive portal?
Did you configure MAC Caching with ClearPass?
A few things on recent iOS versions. I'm not an expert on this, so not everything may be accurate, but it may help you with further investigation. Apparently iOS devices have a mechanism to provide 'optimal connectivity'. This means that if you connect to an SSID which has a captive portal, or poor/limited connectivity, it may fall back to cellular data instead. It could be that your WiFi network is considered not good enough, and the device refuses to connect for that reason. Also, recent iOS versions implement MAC randomization, and it may be that the phone rotates its WiFi MAC every x amount of time. This may break MAC caching. And not all devices automatically reconnect to hotspot or open networks, especially not if the network does not provide good internet access (like when there is a captive portal).
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jul 28, 2022 01:36 PM
From: Benoit Côté
Subject: Apple iOS devices unable to auto-join Corporate Guest SSID
Hi guys,
we have been dealing with this issue for multiple months at this point, but I finally have some cycles available to look into it. It is a bit hard to determine exactly when this started happening, since a lot of our staff have been working from home for the last couple of years and are just now slowly coming back in, but in essence, anyone with an iOS device who gets registered (through CPPM redirect) and is granted access has to manually click on the network to reconnect every time they get back into range of our guest SSID. This isn't an issue with Android or Windows based devices, only iOS.
I did a bunch of tests specific to Apple configurations on multiple devices with no change whatsoever. The area I am leaning towards is our Captive Portal certificate, which iOS devices may be having a hard time with, but we have been using Entrust certificates for years without any problems. The reason I mention this is, again, not knowing exactly when the issue started happening, the only change I can see that happened since January was the certificate being replaced.
Even if everything looked normal and I was able to see the full chain and browsers said it was valid, I still went ahead and worked with our security team to generate a new one today and applied it to a single controller for testing.
We are running 8.6.0.9 and have currently started testing 8.6.0.17. The configuration has clustered MMs with over 100 MDs.
Has anyone else come across a similar issue with Apple devices specifically? If you need any config outputs or more information, please let me know as I am focused on this issue until it is resolved.
Thank you,