Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Guest (Iphone) registration issue in CaptvePortal

This thread has been viewed 11 times

  • 1.  Guest (Iphone) registration issue in CaptvePortal

    Posted May 30, 2020 10:04 AM

    Dear Airheads,

     

    One of our client required a proper workaround with IPhones. 

    The setup is that, one controller with 32 APs and clearpass for guest authentication.  Once the client connected with Guest SSID, the gust self landing page (captive portal) will popup automatically. once register with required details an SMS will be landed with OTP and Guests can login by using the OTP (as usual). The issue is that, once the OTP landed in the IOS Clients (IPhones), and the Guest open the sms tab to see the OTP, then the login page will be disappeared automatically. Then the guest need to re-register after disconnect and connect. Once I enabled the bypass the CNA in initial role for Guest, The popup in IPhones got stop and need to open the browser manually and type any website without "https". If type without "https", the page will be forwarded to guest registration page and guest can register properly. If type with "https", the page will be shown certificate validation error. For testing I removed the https forward poly in initial guest role. Then the certificate validation error gone, but not forwarding to Guest registration page. Is there any workaround to fix this issue?  

     



  • 2.  RE: Guest (Iphone) registration issue in CaptvePortal
    Best Answer

    EMPLOYEE
    Posted May 30, 2020 02:35 PM

    Dear Shamz,

     

    What you are experiencing is very normal as explained below..

     

    IPhone uses the mini popup browser once it detects a captive portal. This is not a full fledged browser and it automatically closes one the user goes to check the SMS or clicks outside. Usually, we recommend to remove the requirement for auto detecting the captive portal once you want to do SMS verification so a user will need to open the web browser to complete the authentication. You can as well build an advanced logic on ClearPass to temporarily grant access and then do the verification after some time once they receive the SMS. You however will need to grant them temporary access without validation...

     

    As for https issue, it is also normal. If the client device initially requests an https website (example https://www.google.com) then it is expecting the response to come back from Google. If on the controller, we are redirecting https traffic to ClearPass, then ClearPass will reply instead of Google and thus the client browser will notice that the certificate doesn't match the Google certificate and will display a warning for the user. This is the right behavior because we are intercepting the https session. To avoid this issue, you need to disable https interception (don't redirect it to ClearPass in the initial role) so the user will not get a certificate warning. The user will need to open an http website to get redirected to ClearPass Guest Portal.