How to Make Apple Captive Portal Pop up for Apple Devices?

last person joined: 23 hours ago

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Back to discussions

Expand all | Collapse all

How to Make Apple Captive Portal Pop up for Apple Devices?

This thread has been viewed 6 times

1. How to Make Apple Captive Portal Pop up for Apple Devices?

1 Kudos
Sheen_An
Posted Mar 10, 2016 12:17 AM

Reply Reply Privately
Hi, I am currently using Aruba Wireless Controller (7030) Aruba OS - 6.4.2.13 together with Clearpass 6.5.5.78974.

Can I check what settings do I need to set up on the wireless controller or clearpass in order for the apple captive portal to appear whenever an apple user connect to the SSID meant for Guest?

(i.e. i do not want to open the browser, but i want the portal to appear automatically without going through the portal)

Thank you so much!
Sheen An
2. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

0 Kudos
EMPLOYEE

cjoseph
Posted Mar 10, 2016 05:20 AM

Reply Reply Privately
What is your initial role on the Aruba Controller? Can you give us the output of "show rights <role>"?

Also make sure that "Prevent CNA" is not enabled on the ClearPass Side: http://www.arubanetworks.com/techdocs/ClearPass/CPGuest_UG_HTML_6.5/Default.htm#Onboard/ConfigProvisioningWebLogin.htm?Highlight=prevent cna
3. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

0 Kudos
EMPLOYEE

cjoseph
Posted Mar 10, 2016 05:20 AM

Reply Reply Privately
What is your initial role on the Aruba Controller? Can you give us the output of "show rights <role>"?

Also make sure that "Prevent CNA" is not enabled on the ClearPass Side: http://www.arubanetworks.com/techdocs/ClearPass/CPGuest_UG_HTML_6.5/Default.htm#Onboard/ConfigProvisioningWebLogin.htm?Highlight=prevent cna
4. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

0 Kudos
Sheen_An
Posted Mar 10, 2016 05:52 AM

Reply Reply Privately
Hi cjoseph

THANK YOU for your response.

I think my initial role is “Guest”. Here’s the output:

(7030-Primary) #show rights guest

Derived Role = 'guest'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
DPI Classification: Enabled
Web Content Classification: Enabled
ACL Number = 4/0
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-guest-sacl session
3 ra-guard session
4 http-acl session
5 https-acl session
6 dhcp-acl session
7 icmp-acl session
8 dns-acl session
9 v6-http-acl session
10 v6-https-acl session
11 v6-dhcp-acl session
12 v6-icmp-acl session
13 v6-dns-acl session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-guest-sacl
----------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
ra-guard
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any icmpv6 rtr-adv deny Low 6
http-acl
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-http permit Low 4
https-acl
---------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-https permit Low 4
dhcp-acl
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-dhcp permit Low 4
icmp-acl
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-icmp permit Low 4
dns-acl
-------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-dns permit Low 4
v6-http-acl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-http permit Low 6
v6-https-acl
------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-https permit Low 6
v6-dhcp-acl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-v6-dhcp permit Low 6
v6-icmp-acl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-v6-icmp permit Low 6
v6-dns-acl
----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-dns permit Low 6

Expired Policies (due to time constraints) = 0

Sheen An
5. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

0 Kudos
EMPLOYEE

cjoseph
Posted Mar 10, 2016 06:22 AM

Reply Reply Privately
I mean the role that your device gets before the captive portal. If guest is your initial role, that is why the captive portal is not coming up. The guest role is typically used for after a user is logged on. Your inital role should be "logon" or if you used the wlan wizard it is typically "logon-<something". Type "show rights" to see if here is a logon role. The initial role is typically set in the AAA profile.

If the user is associated, type "show user-table verbose" to see the AAA profile that you would need to change the initial role to "logon".
6. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

0 Kudos
Sheen_An
Posted Mar 13, 2016 06:57 AM

Reply Reply Privately
Hello!!

Thank you so much, here's the show rights for the logon role.

Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
DPI Classification: Enabled
Web Content Classification: Enabled
ACL Number = 98/0
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-IM-Guest-Logon-sacl session
3 wlan-Guest-logon-control session
4 wlan-Guest-allow-external-captive-portal session
5 wlan-Guest-allow-google-play session
6 wlan-Guest-captiveportal session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-Guest-Logon-sacl
------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
wlan-Guest-logon-control
-----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any udp 68 deny Low 4
2 user any icmpv6 rtr-adv deny Low 6
3 any any svc-icmp permit Low 4
4 any any svc-dns permit Low 4
5 any any svc-dhcp permit Low 4
6 any any svc-natt permit Low 4
wlan-Guest-allow-external-captive-portal
---------------------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user wlan-Guest-allow-external-captive-portal svc-http permit Low 4
2 user wlan-Guest-allow-external-captive-portal svc-https permit Low 4
3 any 10.3.16.58 any permit Low 4
wlan-Guest-allow-google-play
---------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user wlan-Guest-allow-google-play svc-http permit Low 4
2 user wlan-Guest-allow-google-play svc-https permit Low 4
wlan-Guest-captiveportal
-----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
3 user any svc-https dst-nat 8081 Low 4
4 user any svc-http-proxy1 dst-nat 8088 Low 4
5 user any svc-http-proxy2 dst-nat 8088 Low 4
6 user any svc-http-proxy3 dst-nat 8088 Low 4

Expired Policies (due to time constraints) = 0
7. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

0 Kudos
EMPLOYEE

cjoseph
Posted Mar 13, 2016 08:50 AM

Reply Reply Privately
That is not the role.

Do this:

Associate a device to the captive portal. Type "show user" and find that user and the user's role. Type "show rights <user role>" and paste in that output..
8. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

0 Kudos
Sheen_An
Posted Mar 13, 2016 09:37 AM

Reply Reply Privately
Hi,

I changed my initial role and now it worked.

Here's the rights:

(7030-Primary) #show rights wlan-Guest-logon
Derived Role = 'wlan-Guest-logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
DPI Classification: Enabled
Web Content Classification: Enabled
ACL Number = 106/0
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Captive Portal profile = Guest-IM-CP-prof
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-wlan-Guest-logon-sacl session
3 wlan-Guest-logon-control session
4 wlan-Guest-allow-external-captive-portal session
5 wlan-Guest-allow-google-play session
6 wlan-Guest-captiveportal session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-wlan-Guest-logon-sacl
--------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
wlan-Guest-logon-control
-----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any udp 68 deny Low 4
2 user any icmpv6 rtr-adv deny Low 6
3 any any svc-icmp permit Low 4
4 any any svc-dns permit Low 4
5 any any svc-dhcp permit Low 4
6 any any svc-natt permit Low 4
wlan-Guest-allow-external-captive-portal
---------------------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user wlan-Guest-allow-external-captive-portal svc-http permit Low 4
2 user wlan-Guest-allow-external-captive-portal svc-https permit Low 4
3 any 10.3.16.58 any permit Low 4
wlan-Guest-allow-google-play
---------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user wlan-Guest-allow-google-play svc-http permit Low 4
2 user wlan-Guest-allow-google-play svc-https permit Low 4
wlan-Guest-captiveportal
-----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
3 user any svc-https dst-nat 8081 Low 4
4 user any svc-http-proxy1 dst-nat 8088 Low 4
5 user any svc-http-proxy2 dst-nat 8088 Low 4
6 user any svc-http-proxy3 dst-nat 8088 Low 4
Expired Policies (due to time constraints) = 0

Wow, do you know what caused it to work?
It is working now with the captive portal popping up.
9. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

0 Kudos
Sheen_An
Posted Mar 15, 2016 06:06 AM

Reply Reply Privately
Hi,

Thanks for the response and it is now working.

But can i check what is the thing in the wlan-logon role that made it work?

So in the future we can troubleshoot as well.

(And btw, I realise that after authenticating with clearpass, sometimes it stucks at the page attempting to login - then it doesn't direct to the default welcome page - any idea the reason it stucks at the "logging in..." page and does not go to the welcome page?)

Thank you so much community.
10. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

0 Kudos
EMPLOYEE

cjoseph
Posted Mar 15, 2016 08:29 AM

Reply Reply Privately
We would have to know the difference between what it was and what it is now, to understand what the problem was.

Why it is getting stuck is a difficult one. You might have to open a case to get to the bottom of that.

Security

How to Make Apple Captive Portal Pop up for Apple Devices?

1. How to Make Apple Captive Portal Pop up for Apple Devices?

2. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

3. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

4. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

5. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

6. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

7. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

8. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

9. RE: How to Make Apple Captive Portal Pop up for Apple Devices?

10. RE: How to Make Apple Captive Portal Pop up for Apple Devices?