Higher Education


iOS 7 - Captive Portal

  • 1.  iOS 7 - Captive Portal

    EMPLOYEE
    Posted Sep 18, 2013 12:02 PM

    Looks like they changed the behavior of the captive network assistant check. If you have captive network assistant bypass turned on, you'll likely need to update your netdests.


    There are two new destinations that it checks for:

     

    www.appleiphonecell.com

    captive.apple.com

     

     

     



  • 2.  RE: iOS 7 - Captive Portal

    Posted Sep 18, 2013 12:35 PM

    Tim,

    I already have my certificate authority whitelisted to allow OCSP. What are the symptoms for the users if these destinations aren't whitelisted? Does Apple require additional destinations (in addition to the two you specified)?

    Thanks,

    Brad

     



  • 3.  RE: iOS 7 - Captive Portal

    EMPLOYEE
    Posted Sep 18, 2013 01:03 PM

    Brad,

     

    This isn't a certificate issue. It has to do with the captive network assistant and "faking" it out to think it's connected while still being able to redirect to Onboard and other initial captive portals.



  • 4.  RE: iOS 7 - Captive Portal

    Posted Sep 18, 2013 01:18 PM

    If you are running ClearPass, they've issued an iOS 7 Captive Network Assistant fix; I first noticed it after applying Patch 1 to 6.2 if you are using the .../landing.php/... page method.



  • 5.  RE: iOS 7 - Captive Portal

    EMPLOYEE
    Posted Sep 19, 2013 07:25 AM

    And we are also adding this same logic to Instant and AOS on the controllers.  Apple's CNA is more "complex" and whitelisting a few specific URLs will no longer be sufficient.  They are rotating a few more URLs out there to figure this out.  However, our solutions will keep Guest registrations working.



  • 6.  RE: iOS 7 - Captive Portal

    Posted Nov 21, 2013 08:39 AM

    If whitelisting the URLs is not the best method any more, what is appropriate?  I am using the landing page trick, but my iOS 7 devices are still hitting the CNA, even with the iOS7 CP patch.  I would assume the landing page method only works if the device is attempting to access apple.com?  So what am I missing?



  • 7.  RE: iOS 7 - Captive Portal

    EMPLOYEE
    Posted Nov 21, 2013 08:43 AM

    There is also an option in the captive portal profile:

     

    [Screenshot: captive-portal-bypass.PNG]



  • 8.  RE: iOS 7 - Captive Portal

    Posted Nov 21, 2013 08:55 AM

    What version is required for this?  I heard it was in 6.2 but I don't have it as an option.  I'm on 6.2.1.3.



  • 9.  RE: iOS 7 - Captive Portal

    Posted Nov 21, 2013 09:03 AM
    I have it on 6.3.1.1 but I don't have it in 6.2.1.2


  • 10.  RE: iOS 7 - Captive Portal

    EMPLOYEE
    Posted Nov 21, 2013 09:04 AM
    6.3.x


  • 11.  RE: iOS 7 - Captive Portal

    Posted Nov 21, 2013 09:36 AM

    Thanks for the info.

     

    Anyone aware of the complete list of Apple FQDNs that iOS7 is attempting to hit?  I heard there are up to 5.



  • 12.  RE: iOS 7 - Captive Portal

    Posted Nov 22, 2013 11:53 AM

    I found this list online:

    captive.apple.com
    ibook.info
    appleiphonecell.com
    airport.us
    thinkdifferent.us
    itools.info

     

    Such a shame Apple doesn't just publish it; why do this and not inform your users? Also equally silly you can't just disable CNA.

     

    Apparently they also use a certain user agent string to identify these requests. I hope Aruba doesn't just allow requests from that user agent to go through, because then there is a nice way through your captive portal.

     

    Also: why post this in the education forum? It is something that affects everyone, in my opinion.
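
The concern in the post above, as an added example that is not part of the thread and is not Aruba or ClearPass code: an audit of pre-auth HTTP requests that treats the destination host as the only basis for bypass and flags clients that present the CNA User-Agent toward any other host. The log format, the sample lines, the function names and the `CaptiveNetworkSupport` marker are assumptions; the host list is the one quoted in the thread.

```python
# Added example (not from the thread): audit pre-auth HTTP requests.
from urllib.parse import urlsplit

# Probe hosts as listed in the thread; reported there as subject to change.
CNA_HOSTS = {
    "captive.apple.com", "ibook.info", "appleiphonecell.com",
    "airport.us", "thinkdifferent.us", "itools.info",
}
# Assumption: marker found in the User-Agent of Apple's CNA probe.
CNA_UA_MARKER = "CaptiveNetworkSupport"

# Constructed sample log; tab-separated "client, url, user-agent" is an
# assumed format, not an Aruba or ClearPass log format.
SAMPLE_LOG = """\
aa:bb:cc:00:00:01\thttp://captive.apple.com/\tCaptiveNetworkSupport/1.0 wispr
aa:bb:cc:00:00:01\thttp://www.appleiphonecell.com/\tCaptiveNetworkSupport/1.0 wispr
aa:bb:cc:00:00:02\thttp://files.example.net/big.iso\tCaptiveNetworkSupport/1.0 wispr
aa:bb:cc:00:00:03\thttp://captive.apple.com.example.net/\tMozilla/5.0
aa:bb:cc:00:00:03\thttp://news.example.org/\tMozilla/5.0
"""

def host_allowed(host):
    """Exact match on a listed probe host, also accepting its www. form."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host in CNA_HOSTS

def classify(line):
    """Return (client, host, verdict) for one log line."""
    client, url, user_agent = line.split("\t")
    host = urlsplit(url).hostname or ""
    if host_allowed(host):
        return client, host, "allow-probe"      # destination is on the list
    if CNA_UA_MARKER in user_agent:
        return client, host, "flag-ua-only"     # claims CNA, wrong destination
    return client, host, "redirect"             # normal captive portal redirect

def audit(log_text):
    return [classify(l) for l in log_text.splitlines() if l.strip()]

def flagged_clients(log_text):
    """Clients whose only claim to bypass is the CNA User-Agent."""
    return sorted({c for c, _, v in audit(log_text) if v == "flag-ua-only"})

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(*row, sep="  ")
    print("flagged:", flagged_clients(SAMPLE_LOG))
```
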



  • 13.  RE: iOS 7 - Captive Portal

    Posted Nov 22, 2013 03:05 PM

    Thanks Boneyard.  TAC just the same list of FQDNs, but of course, they said they're subject to change.  Bad move on Apple's part - I agree.



  • 14.  RE: iOS 7 - Captive Portal

    Posted Dec 13, 2013 01:43 PM

    @boneyard wrote:

    I found this list online:

    captive.apple.com
    ibook.info
    appleiphonecell.com
    airport.us
    thinkdifferent.us
    itools.info



    Is allowing port 80 to these destinations sufficient or do more holes need to ne

     



  • 15.  RE: iOS 7 - Captive Portal

    Posted Sep 18, 2013 01:18 PM

    Tim,

    What does the user experience if the captive network assistant (I'm assuming this is a component of the Apple device) is not faked out to think it's connected?

    Thanks,

    Brad