ArubaOS and Controllers

New Contributor

Ipad and Captive Portal Problem

We have a guest SSID that the students use here on campus. On this SSID it is using Captive Portal. Computers have no problem accessing but Ipad's do. Here is the scenario. On the Ipad, you connect to the wifi get an IP address fine and the captive portal page opens fine. The student then puts an email address (the only thing required and does not have to be a real one) and clicks I agree. If you look in the user table on the controller, you can see that the Ipad is authenticated and in the guest role. The only thing is when you open up safari on the ipad you are unable to browse the internet. Also in the upper left hand corner you do not see the wifi symbol next to where it says Ipad. You are able to ping the address that the Ipad has from a computer. The only way to get it to work is to turn wifi off and back on again and as soon as you do this, you see the wifi symbol in the upper left. Has anybody else seen this or know of a fix?
Aruba Employee

Re: Ipad and Captive Portal Problem

I have seen similar issues with IE9 and some Apple devices. Support identified this as being a bug. This is specifically using the registration option or prompting the user with an agreement only.

May want to look at upgrading your firmware. The fix that I experienced at a customer site was included in

Occasional Contributor II

Re: Ipad and Captive Portal Problem

I am still having no luck with the iPad2. TAC had me upgrade to (was on - but I still am seeing the exact same problems. You connect to our Guest network and the CP pops up. More than half of the time when you click "Accept" the portal page doesn't close - it goes to an Apple webpage and the only Safari option available is to "Close". The wireless icon on the iPad2 then disappears. The only workaround is to toggle the wireless adapter on and then off in Settings/Network.

I turned on user-debug and every log entry looks the same when it works and when it doesn't.
Occasional Contributor I

Re: Ipad and Captive Portal Problem

We've been facing the same problem with ipad2 and captive portal. Customers refused to use psk or dot1x.And current OS is ver5 for controller 620. Should i upgrade ver 6?

Any advice for ipad with Captive Portal.

Occasional Contributor II

iOS, Captive Portal and Auto Login?

I've got some of my information 2nd and 3rd-hand, but I believe this
might be related to the auto login feature on the iOS devices. Something
about the user failing to cache "login" information during that initial
login screen, then the device disconnecting from the SSID instead of
staying connected to allow the user to re-attempt login via Safari
(or any other iOS browser).

This login "mode" apparently can be disabled using DNS trickery (polluting
your /etc/hosts file, hijacking in your DNS server's info, etc. -
there's some notes at
but as the CP is already doing it's own redirection once the user has attempted TCP
connections ... I think this should be do-able completely within the CP framework (maybe).

If the iOS device is trying to get a "success" result when it goes to ... it's simple
enough to add a "success.html" file to the CP files and return that. I'm not
sure how to do the filesystem trickery with the CP files, though. If I had
control/access of this directory normally, I'd either create those directories
or create loopback symlinks so that both ./library and ./test pointed to the
local directory.

Is it possible to construct a custom redirection rule within a CP configuration?
Or will the CP pop off all references to directories and simply return the
"success.html" file as though it were placed within "/library/test/" ??

This *might* correct this disconnect behavior that seems to be showing up
in the iOS platform.
Occasional Contributor II


Ok, so I guess you're not really supposed to reply to yourself, but the
tricks that I would normally do within the filesystem could *possibly*
be done using a CGI written as the login page?

I'm not really sure what happens when you try to access a page that
doesn't exist in a directory that also doesn't exist, but the login page
would be where you're redirected in almost all pre-login cases. A bit
of CGI scripting there could check the requested URL and return the
contents of the success.html file when it's warranted.

Unfortunately, I've never had a need to write a CGI within the captive
portal framework and I'm not even sure if this method is possible either.

Guru Elite

Re: Ipad and Captive Portal Problem

Thanks for the information abrennan.

If you are currently using ArubaOS 6.1 and above, you can try the following:

config t
netdestination <----In ArubaOS 6.1 you can create an alias that points to a www
ip access-list session apple-cp <---- We can then create an ACL to permit all traffic to
user alias svc-http permit
ip name-server <------- Configure a DNS server or two that the controller will use to resolve www addresses
ip name-server
ip domain lookup <------- Turn on DNS resolution
ip domain-name <------------ Set a domain for your controller (this can be anything, frankly)
user-role guest-logon <----------- Add the newly created access list to your captive portal initial role in position 1.
ip access-list session apple-cp position 1 <-----This will allow all http traffic to so that frame will not come up.

There is a "show firewall dns-names" command that will show what dns names resolve to that will be added in ArubaOS 6.2:

(host) # show firewall dns-names 

FW DNS names
Name Id InUse List
---- -- ----- ---- 1 1 2 1 74.6.1 3 1

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: Ipad and Captive Portal Problem

Sadly, I'm still running, so I won't be able to do that exactly ...
but we're using the same sort of approach to allow that traffic through
(and manually updating the netdestination list). I had been hoping to
exploit the redirection capabilities to:

not pass needless traffic and
not pass unwanted traffic (since Akamai hosts a LOT of content
these days).

My last "trick" method is one that I'm not really willing to try given that
my student population returns tomorrow ... but I had t...

Occasional Contributor II

Re: Ipad and Captive Portal Problem

I can confirm this works for iPad2 - putting in exception on the guest logon role. The iPad2 now shows the wireless icon pre-CP authentication. It no longer launches the "crippled" Safari browser to display the CP. Now when you launch Safari the Aruba CP is displayed inline, with no windows opening and closing.

One caveat I have discovered is that this now breaks the functionality of an app that requires network connectivity automatically launching the CP and then closing it after authentication. i.e. If I launch Flipboard with this workaround in place, it presents a connection error (when I am still in the guest logon role). Before, when the CP randomly works and randomly doesn't, the "crippled" browser displaying the CP would pop-up.

I assume this is because with the workound the iPad2 can now reach and doesn't think you need to popup a CP. Essentially - it's one problem solved and a new one created :)
Guru Elite

Re: Ipad and Captive Portal Problem


Does flipboard work AFTER you login, or no?

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Search Airheads
Showing results for 
Search instead for 
Did you mean: