Wireless Access

 View Only
last person joined: 14 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Apple iOS devices unable to auto-join Corporate Guest SSID

This thread has been viewed 12 times
  • 1.  Apple iOS devices unable to auto-join Corporate Guest SSID

    Posted 19 days ago
    Hi guys,

    we have been dealing with this issue for multiple months at this point, but I finally have some cycles available to look into it. It is a bit hard to determine exactly when this started happening since a lot of our staff have been working from home for the last couple of years and just now slowly coming back in, but in essence, anyone with an iOS device who gets registered(through CCPM redirect) and is granted access has to manually click on the network to reconnect every time they get back into range of our guest SSID. This isn't an issue with Android or Windows based devices, only iOS.

    I did a bunch of tests specific to Apple configurations on multiple devices with no change whatsoever. The area I am leaning on is regarding our Captive Portal certificate which maybe iOS devices are having a hard time with, but we have been using Entrust certificates for years without any problems. The reason I mention this is again, not knowing exactly when the issue started happening, the only change I can see that happened since January was regarding the certificate being replaced. 

    Even if everything looked normal and I was able to see the full chain and browsers said it was valid, I still went ahead and worked with our security team to generate a new one today and applied it to a single controller for testing. 

    We are running 8.6.0.9 and currently started testing 8.6.0.17. Configuration has clustered MM's with over a 100 MD's. 

    Has anyone else come across a similar issue with Apple devices specifically? If you need any config outputs or more information, please let me know as I am focused on this issue until it is resolved.

    Thank you,


  • 2.  RE: Apple iOS devices unable to auto-join Corporate Guest SSID

    EMPLOYEE
    Posted 18 days ago
    If I read correct, you have an SSID with a captive portal. What is the encryption on that SSID? Open? PSK? Other?

    When you mention that IOS devices need to click to connect, is that to get connected to that SSID, like it doesn't auto-connect? Or is it that they need to click on the user acceptance policy in the captive portal?

    Did you configure MAC Caching with ClearPass?

    Few things on recent iOS versions. I'm not an expert on this, so not everything may be accurate, but may help you for the further investigations. Apparently IOS devices have a mechanism to provide 'optimal connectivity'. This results in that if you connect to an SSID which has a captive portal, or poor/limited connectivity, it may fallback to cellular data instead. It could be that your Wifi network is considered not good enough, and the device refuses to connect for that reason. Also, recent iOS versions implement MAC Randomization, and it may be that the phone rotates its WiFi MAC every x-amount of time. This may break MAC caching. And not all devices automatically reconnect to hotspot or open networks, especially not if the network does not provide good (like if there is a captive portal) internet access.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Apple iOS devices unable to auto-join Corporate Guest SSID

    Posted 18 days ago
    Hi Herman,

    thanks for the reply. This is an SSID with Captive portal using a PSK. The first time a user connects with the PSK and tries to browse, it will redirect them to our Captive Portal page, ran on CPPM, and they will go through the registration process. Most of our "guests" are actually employees with personal devices so we do allow self-approval through email. Once approved, captive portal will allow the device to login on the network and from that point on, for a maximum duration of 1 year, that device will be allowed to be on the network whenever it is close to that SSID being broadcast. That portion has always worked well and still is today. The issue is relating to after that is done, typically if a user would go home for the day, come back to the office the next, their device would reconnect to that known SSID without any issues, but that is no longer the case for iOS devices. When looking in the list of WiFi networks, it will show the SSID under the "My Networks" section, as it is known, but it doesn't auto-connect like it used to. If I simply click on the SSID, it will then connect and work as intended, so it really is only around the auto-join functionality that we are having a problem.

    The device, once registered, does hit our CPPM mac-caching service.

    I also spent a good amount of time on the device itself, also reading about the Private address toggle which is what Apple implemented to apply randomized virtual MAC's to increase security. Whether that is on or off, auto-join on or off, whichever device specific option I could find online through some googling, didn't change the results.

    I am not onsite today, but one thing I did do prior to leaving yesterday was to update my iPhone to the latest 15.6 code and thought I saw an improvement when I was turning WiFi on and off, it seemed to auto-join now. That was end of day and I had to leave,but I will be back onsite Tuesday with multiple colleagues and their devices, not currently running 15.6 and we will keep troubleshooting if there is a relation with the iOS code. As mentioned in my original post, the only other thing I changed yesterday was to apply a newly generated certificate and made sure it was packaged with the right order(pkey,cert,intermediate,root) as I noticed in certain instances, in PFX format using certain tools, the Intermediate and root would be out of order, which I know certain devices consider invalid.

    I'll update this post on Tuesday if I am able to get more testing completed.

    Thanks,

    Ben


  • 4.  RE: Apple iOS devices unable to auto-join Corporate Guest SSID

    EMPLOYEE
    Posted 18 days ago
    If MAC caching is properly deployed, which seems the case if the end-user just needs to hit the network and it will connect (and bypass the captive portal), I think you can ignore the certificate if this is a PSK network.

    Does the network show different in the phone, like disabled, authentication failure, different color? Is there any indication that it is different from the SSID at home?

    With PSK, I would expect the phone to automatically connect; just like at home.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Apple iOS devices unable to auto-join Corporate Guest SSID

    EMPLOYEE
    Posted 18 days ago
    You are likely correct that it is a certificate issue.  If an IoS or Mac device can't validate the certificate it will simply not pop the captive portal mini-browser.

    Apple changed the requirements for certs starting in IoS 13 and Mac OS 10.15.  See the link here for more information and ensure your captive portal cert meets those requirements. 

    https://support.apple.com/en-us/HT210176