Since there was a modification to the user role, there's no guarantee at this point that something else isn't wrong or problematic in the configuration.
Original Message:
Sent: Feb 28, 2024 12:28 PM
From: schrempa
Subject: iOS Captive Portal Issues
Ok, so we got that changed, but the behavior has not changed. Here is the current rights role
show rights wcr2-Guest_Cp
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'WCR2-Guest_CP'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 59
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 127/0
Openflow: Enabled
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-wcr2-guest_cp-sacl session
3 wcr2-guest_cp session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
apprf-wcr2-guest_cp-sacl
------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
wcr2-guest_cp
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
1 any wcr2-guest_cp_captiveportal.wrightcity.k12.mo.us svc-https permit Low 4
2 any wcr2-guest_cp_captiveportal.wrightcity.k12.mo.us svc-http permit Low 4
3 any any svc-dhcp permit Low 4
4 any any svc-dns permit Low 4
5 any any svc-icmp permit Low 4
Expired Policies (due to time constraints) = 0
Original Message:
Sent: Feb 28, 2024 11:50 AM
From: chulcher
Subject: iOS Captive Portal Issues
As an example, here's the captive portal role on my gateway:
(GW-Guest-01) #show rights cp-aos10-guest
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'cp-aos10-guest'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 127/0
Openflow: Enabled
Global Role Tag: 800
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-cp-aos10-guest-sacl session
3 cp-aos10-guest session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
apprf-cp-aos10-guest-sacl
-------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
cp-aos10-guest
--------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
1 any cp-aos10-guest svc-https permit Low 4
2 any cp-aos10-guest svc-http permit Low 4
3 any any svc-dhcp permit Low 4
4 any any svc-dns permit Low 4
5 any any svc-icmp permit Low 4
If we look at yours there are additional ACLs applied to the role: logon-control and captiveportal, so the user role has definitely been modified through the gateway configuration.
With AOS 10, when you look at a user role on the gateway after modifying it for a tunneled or mixed WLAN through the WLAN wizard, all of the ACL edits are contained within the ACL entry that is named the same as the user role.
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-wcr2-guest_cp-sacl session
3 wcr2-guest_cp session
<- talking about this ACL
4 logon-control session
5 captiveportal session
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-cp-aos10-guest-sacl session
3 cp-aos10-guest session
<- or this one from my example
Notice the difference between the expected setup and what you've got?
------------------------------
Carson Hulcher, ACEX#110
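The comparison Carson is making (a wizard-built AOS 10 role should carry only global-sacl, the apprf-<role>-sacl entry and the session ACL named after the role; anything beyond that means the role was edited on the gateway) can be automated against saved `show rights` output, which is useful when you have dozens of roles across a cluster to audit. The script below is an added example, not code from this thread or from Aruba: the three-ACL pattern is an assumption drawn from the two role listings above, and both sample outputs are constructed to mirror them rather than captured from either poster's gateway.

```python
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the `show rights` output quoted in this
# thread (abbreviated to the lines the audit needs); not real captures.
ROLE_WITH_EXTRA_ACLS = """\
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'WCR2-Guest_CP'
Up BW:No Limit Down BW:No Limit
ACL Number = 127/0
access-list List
----------------
Position  Name                       Type     Location
--------  ----                       ----     --------
1         global-sacl                session
2         apprf-wcr2-guest_cp-sacl   session
3         wcr2-guest_cp              session
4         logon-control              session
5         captiveportal              session
global-sacl
-----------
"""

ROLE_AS_WIZARD_BUILT = """\
Valid = 'Yes'
Derived Role = 'cp-aos10-guest'
access-list List
----------------
Position  Name                       Type     Location
--------  ----                       ----     --------
1         global-sacl                session
2         apprf-cp-aos10-guest-sacl  session
3         cp-aos10-guest             session
global-sacl
-----------
"""

# A table row: position, ACL name, ACL type (location column may be empty).
ACL_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")


@dataclass
class RoleAudit:
    role: str
    acls: list            # (position, name, type) in the order the gateway applies them
    expected: list        # ACL names a wizard-built role is assumed to carry
    extra: list = field(default_factory=list)    # applied but not expected -> gateway edit
    missing: list = field(default_factory=list)  # expected but absent

    @property
    def wizard_clean(self) -> bool:
        return not self.extra and not self.missing


def derived_role(text: str) -> str:
    """Pull the role name from the 'Derived Role' line of show rights output."""
    m = re.search(r"Derived Role = '([^']+)'", text)
    if not m:
        raise ValueError("no 'Derived Role' line in show rights output")
    return m.group(1)


def parse_access_lists(text: str) -> list:
    """Return the rows of the 'access-list List' table as (position, name, type)."""
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == "access-list List")
    except StopIteration:
        raise ValueError("no 'access-list List' section in show rights output")
    rows = []
    for line in lines[start + 1:]:
        # Skip the dashed rule and the column header that follow the section title.
        if line.startswith("-") or line.lstrip().startswith("Position"):
            continue
        m = ACL_ROW.match(line)
        if not m:
            break  # first line without a position column is the next section's title
        rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def expected_acls(role: str) -> list:
    # Assumption from the thread's examples: a wizard-built AOS 10 role carries
    # exactly these three session ACLs, with the role name lowercased on the gateway.
    r = role.lower()
    return ["global-sacl", f"apprf-{r}-sacl", r]


def audit_role(text: str) -> RoleAudit:
    """Compare the ACLs applied to a role with the wizard-built pattern."""
    role = derived_role(text)
    acls = parse_access_lists(text)
    expected = expected_acls(role)
    names = [name.lower() for _, name, _ in acls]
    audit = RoleAudit(role=role, acls=acls, expected=expected)
    audit.extra = [n for n in names if n not in expected]
    audit.missing = [e for e in expected if e not in names]
    return audit


if __name__ == "__main__":
    for sample in (ROLE_WITH_EXTRA_ACLS, ROLE_AS_WIZARD_BUILT):
        a = audit_role(sample)
        status = "as wizard built" if a.wizard_clean else "MODIFIED on gateway"
        print(f"{a.role}: {status}; extra={a.extra} missing={a.missing}")
```

Run it against `show rights <role>` output saved from each gateway in the cluster; a non-empty `extra` list is the same signal Carson reads by eye (here logon-control and captiveportal), and the position numbers are kept so you can also see where a gateway-side ACL was inserted relative to the wizard's own entry.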
Original Message:
Sent: Feb 28, 2024 11:36 AM
From: schrempa
Subject: iOS Captive Portal Issues
The role has not been modified on the Gateway side.
Original Message:
Sent: Feb 28, 2024 11:27 AM
From: chulcher
Subject: iOS Captive Portal Issues
Did you modify the user role on the gateway side?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Feb 28, 2024 11:23 AM
From: schrempa
Subject: iOS Captive Portal Issues
Can you be more specific on where my problem is and what I need to fix? This was set up with the wizard.
Original Message:
Sent: Feb 28, 2024 11:16 AM
From: chulcher
Subject: iOS Captive Portal Issues
There's the problem, you're attempting this from the Gateway.
In AOS 10 you need to configure your captive portal network entirely from the AP side, using the WLAN wizard.
The AP does the authentication and redirect, not the Gateway.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Feb 28, 2024 11:08 AM
From: schrempa
Subject: iOS Captive Portal Issues
If it helps, here are the rights for the login role:
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'WCR2-Guest_CP'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 67
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 127/0
Openflow: Enabled
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-wcr2-guest_cp-sacl session
3 wcr2-guest_cp session
4 logon-control session
5 captiveportal session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
apprf-wcr2-guest_cp-sacl
------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
wcr2-guest_cp
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
1 any wcr2-guest_cp_captiveportal.wrightcity.k12.mo.us svc-https permit Low 4
2 any wcr2-guest_cp_captiveportal.wrightcity.k12.mo.us svc-http permit Low 4
3 any any svc-dhcp permit Low 4
4 any any svc-dns permit Low 4
5 any any svc-icmp permit Low 4
logon-control
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
6 any 169.254.0.0 255.255.0.0 any deny Low 4
7 any 240.0.0.0 240.0.0.0 any deny Low 4
captiveportal
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
3 user any svc-https dst-nat 8081 Low 4
4 user any svc-http-proxy1 dst-nat 8088 Low 4
5 user any svc-http-proxy2 dst-nat 8088 Low 4
6 user any svc-http-proxy3 dst-nat 8088 Low 4
Expired Policies (due to time constraints) = 0
Original Message:
Sent: Feb 27, 2024 02:59 PM
From: schrempa
Subject: iOS Captive Portal Issues
We are running a Physical Gateway Cluster to Aruba Central and Aruba ClearPass. We suddenly are having issues with iOS and Apple devices not being able to load the captive portal page, both via CPN and browsing directly to any site. The pop-up just says "error loading page". This is impacting all Apple devices. All other clients (Windows and Android) work fine. We have tried the following:
- ensured that we are using a publicly signed SSL certificate
- verified that DNS and DHCP are functioning as expected
- created a bridged captive portal SSID directly to Central, eliminating the controllers
- tried allowing everything in the login role