Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CaptivePortal works on mobile devices but not Windows and Mac

  • 1.  CaptivePortal works on mobile devices but not Windows and Mac

    Posted Apr 09, 2019 03:27 AM

    Hi,

     

    I have a problem with my newly created CaptivePortal in ClearPass. On mobile phones (Android and iPhone) everything works well. They connect to the SSID and the Captive Portal pops up. But when a Windows or Mac OS device connects, nothing happens, even if you open the browser and type in a URL. However, if you enter the URL of the CaptivePortal, you get to the login page.

     

    I do not see that the controllers send a redirect at DNS lookup.

     

    Has anyone had this problem?



  • 2.  RE: CaptivePortal works on mobile devices but not Windows and Mac

    EMPLOYEE
    Posted Apr 09, 2019 12:56 PM

    Two thoughts ... is it possible your Windows/Mac devices have statically defined DNS servers that aren't resolvable in the pre-logon role? Or, with the DNS servers that they are using, does the ClearPass FQDN resolve correctly?

     

    I seldom see static DNS entries on mobile devices, but it is much more common on laptops. Start there to ensure that name resolution is working and web requests are being generated, and then go up to the user-role on the controller to verify that it's being destination natted to the captive portal page.



  • 3.  RE: CaptivePortal works on mobile devices but not Windows and Mac

    Posted Apr 09, 2019 01:54 PM

    Thank you for your input

     

    Windows and Mac clients can look up the domain against DNS; no static DNS is in use.

    The URL that the captive portal uses has an external IP that is located on a public DNS and SNAT in to the captive portal server, which is ClearPass in this case.

    If I enter the URL manually in a web browser on a Windows or Mac, it loads the captive portal login page, so it's the redirect that doesn't work.



  • 4.  RE: CaptivePortal works on mobile devices but not Windows and Mac

    EMPLOYEE
    Posted Apr 09, 2019 02:18 PM

    What is the wireless infrastructure?

     

    If DNS resolution is working and the client can resolve both external resources as well as the hostname for your ClearPass appliance, the next step would be inspecting the datapath on the wireless gear to determine whether the web traffic is getting caught and redirected to the captive portal or not. 

     

    Is there a valid SSL certificate installed on your ClearPass appliance and wireless gear? It could also be one or both failing the SSL check by the laptop device and thus no automatic redirect. Do you see a certificate error when navigating to the captive portal directly?



  • 5.  RE: CaptivePortal works on mobile devices but not Windows and Mac

    Posted Apr 09, 2019 02:47 PM

    The wireless network is all Aruba. AP-315 access point, clustered 7030 controllers managed by mobile master.

     

    The RADIUS for the guest network goes from the subnet the controller is on to the server subnet that ClearPass is in.

    The captive portal login page goes to the same ClearPass server but goes from the controller out on the internet interface and turns in again through SNAT. The reason for this is that I do not want to use internal DNS on the guest network and not publish any internal IPs on our public domain.

    All certificates are trusted and purchased by the public CA, both on controls and captive portal.


    It works perfectly on all mobile devices and there are no certificate warnings.



  • 6.  RE: CaptivePortal works on mobile devices but not Windows and Mac

    EMPLOYEE
    Posted Apr 09, 2019 02:59 PM

    What is different between mobile and laptop users? Does ClearPass profile and return a different role based on the device type/OS?

     

    If DNS resolution is working and the client can resolve both external resources as well as the hostname for your ClearPass appliance, the next step would be inspecting the datapath on the wireless gear to determine whether the web traffic is getting caught and redirected to the captive portal or not. A packet capture from the affected device(s) will also show whether the web traffic is sourced, and how it is being handled (i.e., whether it's redirected or not).



  • 7.  RE: CaptivePortal works on mobile devices but not Windows and Mac

    Posted Apr 16, 2019 05:03 AM

    Hi

     

    Sorry for this late reply.
    It turns out that some problems seem to depend on the client's firewall and how they identify a CaptivePortal.
    I have got Windows 10 working but still have some issues with some versions of Mac OS.
    Will return with a message if I solve them.

     



  • 8.  RE: CaptivePortal works on mobile devices but not Windows and Mac

    Posted Apr 23, 2019 09:06 AM

    Hi again

     

    I can't get this to work fully on all computers. It still works well on all mobile devices though.

     

    In a packet capture, it does not seem like the wireless controller redirects HTTP packets from a client that hasn't authenticated. These TCP SYN packets never get any response.

     

    I attach a screenshot of what it looks like. This is a Windows 10 machine that tries to identify the CaptivePortal, gets a DNS response and tries to set up a TCP session over HTTP but gets no response from the controller.

     

    I have tested setting up the captive portal directly on the wireless controller instead of clearpass but with the same result.

     

    Can someone guide me to the next step?
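
Added example, not part of the original thread: posts 6 and 8 rely on a packet capture to see whether a client's connection attempts are answered. This Python sketch flags client SYNs that never received a SYN-ACK and counts the retransmissions; the row format, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: simplified rows such as a capture tool could export
# (time, src, sport, dst, dport, TCP flags). Addresses are documentation ranges.
SAMPLE = """\
0.000 192.0.2.50 50111 198.51.100.10 80 S
1.002 192.0.2.50 50111 198.51.100.10 80 S
3.004 192.0.2.50 50111 198.51.100.10 80 S
4.100 192.0.2.50 50120 203.0.113.7 443 S
4.130 203.0.113.7 443 192.0.2.50 50120 SA
4.131 192.0.2.50 50120 203.0.113.7 443 A
"""


def parse(text):
    """Yield (time, src, sport, dst, dport, flags) from the simplified rows."""
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, sport, dst, dport, flags = line.split()
        yield float(t), src, int(sport), dst, int(dport), flags


def unanswered_syns(text, client):
    """Return the client's flows that sent SYNs and never saw a SYN-ACK."""
    syns = defaultdict(list)  # (sport, dst, dport) -> SYN timestamps
    answered = set()          # flows for which a SYN-ACK came back
    for t, src, sport, dst, dport, flags in parse(text):
        if src == client and flags == "S":
            syns[(sport, dst, dport)].append(t)
        elif dst == client and flags == "SA":
            # Reverse direction: map the reply back onto the client's flow key.
            answered.add((dport, src, sport))
    report = []
    for (sport, dst, dport), times in sorted(syns.items()):
        if (sport, dst, dport) in answered:
            continue
        report.append({
            "dst": dst,
            "dport": dport,
            "sport": sport,
            "attempts": len(times),  # first SYN plus retransmissions
            "waited": round(times[-1] - times[0], 3),
        })
    return report


if __name__ == "__main__":
    for flow in unanswered_syns(SAMPLE, "192.0.2.50"):
        print(flow)
```

An unanswered flow to port 80 from a client still in the pre-authentication role means the HTTP request was never intercepted, which points at the role's redirect rule or the datapath rather than at DNS or certificates.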

     



  • 9.  RE: CaptivePortal works on mobile devices but not Windows and Mac

    Posted Aug 01, 2019 11:52 AM

    I'm having this exact problem right now with one of five virtual controllers. Scratching my head that mobile devices work fine, but Windows devices do not. Have disabled/cleared firewalls on the client just to test with no result. I have, for all I can tell, identical setups on five other networks that do not display this behavior which might seem like a clue, but so far no result.

     

    Did this ever get resolved for the original poster?



  • 10.  RE: CaptivePortal works on mobile devices but not Windows and Mac

    Posted Jul 05, 2022 01:13 PM
    I have the exact issue.  Is there any resolution to this?


  • 11.  RE: CaptivePortal works on mobile devices but not Windows and Mac

    Posted Jul 06, 2022 12:02 PM
    I have something similar but not quite the same.

    I have three different clusters.  All look to be configured the same.  On one of them, some users are not getting redirected, but there seems to be no rhyme or reason.

    I could log in to Windows 10 but a co-worker could not (both managed machines).
    He could log in with Android. I could if using the phone's MAC but not if using a randomized MAC.