Airheads Community

View Only

last person joined: yesterday

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Back to discussions

Expand all | Collapse all

iOS Captive Portal Issues

This thread has been viewed 49 times

1. iOS Captive Portal Issues

0 Kudos
schrempa
Posted Feb 28, 2024 05:23 AM

Reply Reply Privately
We are running a Physical Gateway Cluster to Aruba Central and Aruba Clearpass. We suddenly are having issues with iOS and Apple devices not being able to load the captive portal page, both via CPN and browsing directly to any site. The pop up just says "error loading page". This is impacting all apple devices. All other clients (Windows and Android) work fine. We have tried the following

insured that we are using a publicly signed SSL certificate.

verified that DNS and DHCP are functioning as expected

created a bridged captive portal SSID directly to Central, eliminating the controllers

Tried allowing everything in the login role
2. RE: iOS Captive Portal Issues

0 Kudos
EMPLOYEE

chulcher
Posted Feb 28, 2024 10:12 AM

Reply Reply Privately
Some screenshots would probably be helpful here.

Basically the same issue as described in https://community.arubanetworks.com/discussion/internal-captive-portal-does-not-load-on-apple-captive-network?

------------------------------
Carson Hulcher, ACEX#110
------------------------------

Original Message
3. RE: iOS Captive Portal Issues

0 Kudos
schrempa
Posted Feb 28, 2024 10:34 AM

Reply Reply Privately
While the issue is similar to the other post, it is not quite the same. We cannot browse to another page and trigger the captive portal, so no apple devices can get on to our guest network at all. I can type the url in for the Captive Portal page and it will load, but the credentials are rejected due to way the Clearpass rules are set up.

Everything used to work fine when we had just the controllers and Clearpass. It wasn't until we set up Aruba Central and had our controllers tunneled into Central as Gateways that the issue started.

Original Message
4. RE: iOS Captive Portal Issues

0 Kudos
EMPLOYEE

chulcher
Posted Feb 28, 2024 10:21 AM

Reply Reply Privately
Did you set the captive portal certificate usage at the AP or at the gateway?

------------------------------
Carson Hulcher, ACEX#110
------------------------------

Original Message
5. RE: iOS Captive Portal Issues

0 Kudos
schrempa
Posted Feb 28, 2024 10:41 AM

Reply Reply Privately
We set the certificate in three places:

Aruba Central > Devices > Gateways > Certificates

Aruba Central > Devices > Access Points > Security > Certificate Usage > Captive Portal

Both Clearpass Servers > Certificate Store > Server Certificates > HTTPS(RSA) Server Certificate

We also removed all the certificates and created new ones just in case something got corrupted.

Original Message
6. RE: iOS Captive Portal Issues

0 Kudos
EMPLOYEE

chulcher
Posted Feb 28, 2024 11:02 AM

Reply Reply Privately
No reason to have the certificate set at the gateway, the AP is doing the redirect and login. Set the captive portal certificate for the gateways back to default or aruba_default.

Just to validate, the certificate used on the AP is not the same certificate used on ClearPass, right?

------------------------------
Carson Hulcher, ACEX#110
------------------------------

Original Message
7. RE: iOS Captive Portal Issues

0 Kudos
schrempa
Posted Feb 28, 2024 11:19 AM

Reply Reply Privately
I reset the certificates back to the default on the server

This is what the AP Certs look like:

We do have the same certificate on both the APs and Clearpass. It is a wildcard certificate.

Original Message
8. RE: iOS Captive Portal Issues

0 Kudos
schrempa
Posted Feb 28, 2024 11:09 AM

Reply Reply Privately
If it helps, here are the rights for the login role:

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'WCR2-Guest_CP'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 67
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 127/0
Openflow: Enabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-wcr2-guest_cp-sacl session
3 wcr2-guest_cp session
4 logon-control session
5 captiveportal session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
apprf-wcr2-guest_cp-sacl
------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
wcr2-guest_cp
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
1 any wcr2-guest_cp_captiveportal.wrightcity.k12.mo.us svc-https permit Low 4
2 any wcr2-guest_cp_captiveportal.wrightcity.k12.mo.us svc-http permit Low 4
3 any any svc-dhcp permit Low 4
4 any any svc-dns permit Low 4
5 any any svc-icmp permit Low 4
logon-control
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
6 any 169.254.0.0 255.255.0.0 any deny Low 4
7 any 240.0.0.0 240.0.0.0 any deny Low 4
captiveportal
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
3 user any svc-https dst-nat 8081 Low 4
4 user any svc-http-proxy1 dst-nat 8088 Low 4
5 user any svc-http-proxy2 dst-nat 8088 Low 4
6 user any svc-http-proxy3 dst-nat 8088 Low 4

Expired Policies (due to time constraints) = 0

Original Message
9. RE: iOS Captive Portal Issues

1 Kudos
EMPLOYEE

chulcher
Posted Feb 28, 2024 11:17 AM

Reply Reply Privately
There's the problem, you're attempting this from the Gateway.

AOS 10 you need to configure your captive portal network entirely from the AP side, using the WLAN wizard.

The AP does the authentication and redirect, not the Gateway.

------------------------------
Carson Hulcher, ACEX#110
------------------------------

Original Message
10. RE: iOS Captive Portal Issues

0 Kudos
schrempa
Posted Feb 28, 2024 11:23 AM

Reply Reply Privately
Can you be more specific on where my problem is and what I need to fix? This was set up with the wizard.

Original Message
11. RE: iOS Captive Portal Issues

0 Kudos
EMPLOYEE

chulcher
Posted Feb 28, 2024 11:28 AM

Reply Reply Privately
Did you modify the user role on the gateway side?

------------------------------
Carson Hulcher, ACEX#110
------------------------------

Original Message
12. RE: iOS Captive Portal Issues

0 Kudos
schrempa
Posted Feb 28, 2024 11:37 AM

Reply Reply Privately
The role has not been modified on the Gateway side.

Original Message
13. RE: iOS Captive Portal Issues

0 Kudos
EMPLOYEE

chulcher
Posted Feb 28, 2024 11:51 AM

Reply Reply Privately
As an example, here's the captive portal role on my gateway:

(GW-Guest-01) #show rights cp-aos10-guest

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'cp-aos10-guest'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 127/0
Openflow: Enabled
Global Role Tag: 800
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-cp-aos10-guest-sacl session
3 cp-aos10-guest session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
apprf-cp-aos10-guest-sacl
-------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
cp-aos10-guest
--------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
1 any cp-aos10-guest svc-https permit Low 4
2 any cp-aos10-guest svc-http permit Low 4
3 any any svc-dhcp permit Low 4
4 any any svc-dns permit Low 4
5 any any svc-icmp permit Low 4

If we look at yours there are additional ACLs applied to the role: logon-control and captiveportal, so the user role has definitely been modified through the gateway configuration.

With AOS 10 and looking at a user role on the gateway, when modifying a user role for a tunneled or mixed WLAN through the WLAN wizard, all of the ACL edits are contained within the ACL entry that is named the same as the user role.

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-wcr2-guest_cp-sacl session
3 wcr2-guest_cp session <- talking about this ACL
4 logon-control session
5 captiveportal session

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-cp-aos10-guest-sacl session
3 cp-aos10-guest session <- or this one from my example

Notice the difference between the expected setup and what you've got?

------------------------------
Carson Hulcher, ACEX#110
------------------------------

Original Message
14. RE: iOS Captive Portal Issues

0 Kudos
schrempa
Posted Feb 28, 2024 12:29 PM

Reply Reply Privately
Ok, so we got that changed, but the behavior has not changed. Here is the current rights role

show rights wcr2-Guest_Cp

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'WCR2-Guest_CP'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 59
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 127/0
Openflow: Enabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-wcr2-guest_cp-sacl session
3 wcr2-guest_cp session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
apprf-wcr2-guest_cp-sacl
------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
wcr2-guest_cp
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Denylist Mirror DisScan IPv4/6 Contract Mark Description
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- -------- ------ ------- ------ -------- ---- -----------
1 any wcr2-guest_cp_captiveportal.wrightcity.k12.mo.us svc-https permit Low 4
2 any wcr2-guest_cp_captiveportal.wrightcity.k12.mo.us svc-http permit Low 4
3 any any svc-dhcp permit Low 4
4 any any svc-dns permit Low 4
5 any any svc-icmp permit Low 4

Expired Policies (due to time constraints) = 0

Original Message
15. RE: iOS Captive Portal Issues

0 Kudos
EMPLOYEE

chulcher
Posted Feb 28, 2024 12:41 PM

Reply Reply Privately
Since there was a modification to the user role, there's no guarantee at this point that something else isn't wrong or problematic in the configuration.

Two recommendations at this point:

Delete the guest WLAN that you've configured, making sure to remove the captive portal profile from the AP configuration and anything extraneous that shows up on the gateway, then create the guest WLAN again from scratch.

Contact TAC and see if they can find the problem.

------------------------------
Carson Hulcher, ACEX#110
------------------------------

Original Message