Wireless Access

 View Only
last person joined: 22 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

ClearPass Captive Portal and Social Login MFA with iOS Devices

This thread has been viewed 21 times
  • 1.  ClearPass Captive Portal and Social Login MFA with iOS Devices

    Posted Jun 25, 2020 07:33 PM

    Hi Airheads,

     

    We are currently using Clearpass Guess Self-Registration with Social Logins (Microsoft Azure AD) which is working fine however running into the following issue when it comes to MFA (Azure AD MFA during the Social Login process) using iOS devices (iPhone and iPads).

     

    Issue 1: Disable CNA Option

    - User connects to WiFi
    - Apples Captive Network Assistant brings up the Captive Portal (Clearpass)
    - User select Microsoft Azure AD social login
    - User enters credentials
    - User prompted for MFA Challenge (This is from AzureAD)
    - User switches to SMS App or Authenticator app to retrieve code - This action closes the Apple Captive Network Assistant and user cannot proceed as Apple CNA starts again and repeats the above loop without success

     

    Issue 2: Enable CNA Option

    - User Connects to WiFi
    - iPad/iPhone does not auto launch browser to captive portal
    - User tries to open Safari App, not redirected to captive portal
    - User can however type the URL to the ClearPass Guest Captive Portal and proceed successfully and authenticate using Microsoft Azure AD social login + MFA
    Note: If the user has Google Chrome App installed on iPad/iPhone they are redirected to our Clearpass Captive Portal automically (not sure if this is a Safari issue or Apple device limitation)

     

    Has anyone had any success in moving past this? I assume the same issues above would happen using say the social login for Facebook or gmail if the user had MFA enabled on their respective accounts?

     

    Any Assistance or advise would be greatly appreciated

     



  • 2.  RE: ClearPass Captive Portal and Social Login MFA with iOS Devices

    EMPLOYEE
    Posted Jun 26, 2020 01:07 AM

    Hi,

     

    Issue 1 is normal. This is how Apple devices work (the popup browser automatically closes once you go check the SMS) so if you really need to do MFA you have to go with option 2.

     

    Issue 2..These are possible things to test

    Once you open the browser, if you type any URL do you get redirected?

    If not, if you type any IP address like http://1.2.3.4, do you get redirected?

    Do you have a trusted certificate that is properly installed on ClearPass?

     

    Are you testing with Instant AP? There was someone else reporting such issue and they said it got solved with firmware upgrade https://community.arubanetworks.com/t5/Security/No-Captive-Portal-redirect-on-iPhones-only/m-p/658485#M100320

     

     



  • 3.  RE: ClearPass Captive Portal and Social Login MFA with iOS Devices

    Posted Jun 30, 2020 06:36 PM

    Hi Ayman

     

    Agree with Option 1. 

     

    In Option 2 the following happens when using the safari app;

    - types in google.com or any other website and nothing happens

    - If you type in an IP i.e 8.8.8.8 it redirects to our Captive Portal with no issue.

     

    In Option 2 if we use the Chrome App (instead of Safari) then when the user tries to go to any website it automatically directs to the captive portal (Expected behavior).

     

    I've confirmed that all the certificates are trusted in Clearpass. We aren't using IAPs in our instance however running a 7205 Controller (which also has a public certificate on it and not using the default Aruba one).

     

     



  • 4.  RE: ClearPass Captive Portal and Social Login MFA with iOS Devices

    EMPLOYEE
    Posted Jul 01, 2020 10:39 AM

    Hi,

     

    Based on the below, it looks like that while you are using Safari, the DNS requests are not being resolved and that's why you are not getting redirected. Did you try to clear the cache of Safari? Is it happening on all devices?

     

    "In Option 2 the following happens when using the safari app;

    - types in google.com or any other website and nothing happens

    - If you type in an IP i.e 8.8.8.8 it redirects to our Captive Portal with no issue"



  • 5.  RE: ClearPass Captive Portal and Social Login MFA with iOS Devices

    Posted Feb 23, 2024 11:55 AM

    Hi, Alex. Still without any solution?
    We follow with the implementation of MFA by policies and not per user, in the Azure, where it's possible apply restrictions that can make the application of the captive portal doesn´t require a MFA. 




  • 6.  RE: ClearPass Captive Portal and Social Login MFA with iOS Devices

    Posted 24 days ago

    A solution has snuck into the clearpass docs portal!

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00134332en_us