Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Macbook pro unable to access Guest registration page

  • 1.  Macbook pro unable to access Guest registration page

    Posted Jun 17, 2013 03:06 PM

     

    We are currently using ClearPass (6.1.1.52552) for our guest solution, and recently we have been having issues with MacBook Pros being unable to reach the guest registration page.

    Windows laptops, iOS and Android have no issues.

    We have seen this across OS X 10.6.x, 10.7.x and the latest 10.8.x.

    We also set the ACL under the role to allow http/https to *.apple.com, but it doesn't seem to work. If we allow everything, the device is able to reach the internet with no issues.

    Tried installing the certs manually.

    We have a 7210 controller running 6.2.1.2.

    Any ideas?


    #7210


  • 2.  RE: Macbook pro unable to access Guest registration page

    EMPLOYEE
    Posted Jun 17, 2013 03:27 PM

    You have to do "show datapath session table" and see what that macbook is doing.

     

    Do you also have DNS set up correctly on that controller?  Can you type "ping www.apple.com" at the command line of the controller and it works?

     

    Optionally, if you are using ArubaOS 6.2 and above, you can use the "Bypass Apple Captive Network Assistant" option in the Captive Portal Authentication profile to do this, as well.

     



  • 3.  RE: Macbook pro unable to access Guest registration page
    Best Answer

    MVP EXPERT
    Posted Jun 17, 2013 03:41 PM
    Try turning off the OCSP check on the browser. You'll see in the datapath session it attempts to validate the certs before loading the captive portal.


  • 4.  RE: Macbook pro unable to access Guest registration page

    Posted Jun 18, 2013 09:56 AM
    I was able to get it going by turning OCSP off in the keyaccess, but I would like to get it going without doing so. I'm planning to try cjoseph's option at some point today.


  • 5.  RE: Macbook pro unable to access Guest registration page

    EMPLOYEE
    Posted Jun 18, 2013 10:01 AM

    You cannot allow *.apple.com to get around it.  You have to find out what the OCSP URL of your Web Certificate is and allow http and https to it for a permanent solution to this.

     



  • 6.  RE: Macbook pro unable to access Guest registration page

    Posted Jun 18, 2013 10:09 AM
    Will give that a try too.

    A while back we added all the OCSP servers to be allowed, but maybe it's trying to reach another one not on the list.


  • 7.  RE: Macbook pro unable to access Guest registration page

    Posted Jun 17, 2013 04:04 PM
    (beta-7200-controller) #show  datapath session table 10.10.10.14
    
    
    Datapath Session Table Entries
    ------------------------------
    
    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
    
      Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
    --------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
    10.10.10.14     172.16.10.205   17   64290 53     0/0     0 0   1   tunnel 631  12   0         0          FSCI
    10.10.10.14     129.64.5.31     6    49913 443    0/0     0 0   1   tunnel 631  19   0         0          SC
    172.16.10.205   10.10.10.14     1    2205  0      0/0     0 0   1   tunnel 631  10   0         0          FYI
    10.10.10.14     172.16.10.205   17   60365 53     0/0     0 0   1   tunnel 631  6    0         0          FSCI
    172.16.10.205   10.10.10.14     1    2206  0      0/0     0 0   1   tunnel 631  f    0         0          FYI
    10.10.10.14     129.64.5.31     6    49914 443    0/0     0 0   1   tunnel 631  19   0         0          SC
    172.16.10.205   10.10.10.14     1    2196  0      0/0     0 0   1   tunnel 631  1a   0         0          FYI
    172.16.10.205   10.10.10.14     1    2207  0      0/0     0 0   0   tunnel 631  e    0         0          FYI
    172.16.10.205   10.10.10.14     1    2197  0      0/0     0 0   1   tunnel 631  18   0         0          FYI
    172.16.10.205   10.10.10.14     1    2201  0      0/0     0 0   1   tunnel 631  14   0         0          FYI
    
    
    172.16.10.205   10.10.10.14     1    2200  0      0/0     0 0   1   tunnel 631  15   0         0          FYI
    172.16.10.205   10.10.10.14     1    2203  0      0/0     0 0   1   tunnel 631  12   0         0          FYI
    172.16.10.205   10.10.10.14     1    2202  0      0/0     0 0   1   tunnel 631  13   0         0          FYI
    172.16.10.205   10.10.10.14     1    2216  0      0/0     0 0   0   tunnel 631  5    0         0          FYI
    172.16.10.205   10.10.10.14     1    2210  0      0/0     0 0   0   tunnel 631  b    0         0          FYI
    10.10.10.14     173.194.73.147  6    49912 443    0/0     0 0   1   tunnel 631  1d   0         0          NCI
    172.16.10.205   10.10.10.14     1    2217  0      0/0     0 0   0   tunnel 631  4    0         0          FYI
    172.16.10.205   10.10.10.14     1    2211  0      0/0     0 0   0   tunnel 631  a    0         0          FYI
    172.16.10.205   10.10.10.14     1    2208  0      0/0     0 0   0   tunnel 631  d    0         0          FYI
    172.16.10.205   10.10.10.14     1    2218  0      0/0     0 0   0   tunnel 631  3    0         0          FYI
    
    
    172.16.10.205   10.10.10.14     1    2209  0      0/0     0 0   0   tunnel 631  c    0         0          FYI
    172.16.10.205   10.10.10.14     1    2219  0      0/0     0 0   0   tunnel 631  2    0         0          FYI
    172.16.10.205   10.10.10.14     1    2215  0      0/0     0 0   0   tunnel 631  6    0         0          FYI
    10.10.10.14     173.194.73.147  6    49910 443    0/0     0 0   1   tunnel 631  1e   0         0          NCI
    172.16.10.205   10.10.10.14     1    2220  0      0/0     0 0   0   tunnel 631  1    0         0          FYI
    172.16.10.205   10.10.10.14     1    2214  0      0/0     0 0   0   tunnel 631  7    0         0          FYI
    172.16.10.205   10.10.10.14     1    2213  0      0/0     0 0   0   tunnel 631  8    0         0          FYI
    172.16.10.205   10.10.10.14     1    2212  0      0/0     0 0   0   tunnel 631  9    0         0          FYI
    10.208.67.16    10.10.10.14     6    8081  49912  0/0     0 0   1   tunnel 631  1d   0         0          FSI
    10.10.10.14     108.160.162.98  6    49915 80     0/0     0 0   0   tunnel 631  6    0         0          FNC
    
    
    10.10.10.14     172.16.10.205   1    2212  2048   0/0     0 0   0   tunnel 631  9    0         0          FCI
    10.208.67.16    10.10.10.14     6    8081  49910  0/0     0 0   1   tunnel 631  1e   0         0          FSI
    10.10.10.14     172.16.10.205   1    2213  2048   0/0     0 0   0   tunnel 631  8    0         0          FCI
    10.10.10.14     172.16.10.205   1    2220  2048   0/0     0 0   0   tunnel 631  1    1         84         FCI
    10.10.10.14     172.16.10.205   1    2214  2048   0/0     0 0   0   tunnel 631  7    0         0          FCI
    10.10.10.14     172.16.10.205   1    2215  2048   0/0     0 0   0   tunnel 631  6    0         0          FCI
    10.10.10.14     172.16.10.205   1    2209  2048   0/0     0 0   1   tunnel 631  c    0         0          FCI
    10.10.10.14     172.16.10.205   1    2219  2048   0/0     0 0   0   tunnel 631  2    1         84         FCI
    10.10.10.14     172.16.10.205   1    2208  2048   0/0     0 0   1   tunnel 631  d    0         0          FCI
    10.10.10.14     172.16.10.205   1    2218  2048   0/0     0 0   0   tunnel 631  3    0         0          FCI
    
    
    10.10.10.14     172.16.10.205   1    2217  2048   0/0     0 0   0   tunnel 631  4    0         0          FCI
    10.10.10.14     172.16.10.205   1    2211  2048   0/0     0 0   1   tunnel 631  a    0         0          FCI
    10.10.10.14     172.16.10.205   1    2216  2048   0/0     0 0   0   tunnel 631  5    0         0          FCI
    10.10.10.14     172.16.10.205   1    2210  2048   0/0     0 0   1   tunnel 631  b    0         0          FCI
    10.10.10.14     172.16.10.205   1    2202  2048   0/0     0 0   1   tunnel 631  13   0         0          FCI
    10.10.10.14     172.16.10.205   1    2203  2048   0/0     0 0   1   tunnel 631  12   0         0          FCI
    10.10.10.14     172.16.10.205   1    2200  2048   0/0     0 0   1   tunnel 631  15   0         0          FCI
    10.10.10.14     172.16.10.205   1    2201  2048   0/0     0 0   1   tunnel 631  14   0         0          FCI
    10.10.10.14     172.16.10.205   1    2207  2048   0/0     0 0   1   tunnel 631  e    0         0          FCI
    10.10.10.14     172.16.10.205   1    2197  2048   0/0     0 0   1   tunnel 631  18   0         0          FCI
    
    
    10.10.10.14     172.16.10.205   1    2206  2048   0/0     0 0   1   tunnel 631  f    0         0          FCI
    10.10.10.14     172.16.10.205   1    2196  2048   0/0     0 0   1   tunnel 631  1a   0         0          FCI
    10.10.10.14     172.16.10.205   1    2205  2048   0/0     0 0   1   tunnel 631  10   0         0          FCI
    10.208.67.16    10.10.10.14     6    8080  49915  0/0     0 0   1   tunnel 631  6    0         0          FS
    10.10.10.14     172.16.10.205   17   62965 53     0/0     0 0   1   tunnel 631  12   0         0          FSCI

     

    cjoseph,

    Unfortunately the controller can't do DNS lookup, but I have confirmed that any other devices are able to reach it with no issues.

    I will check on the Bypass option.

    zalion0,

    I will try turning off the OCSP validation.

    Thanks guys for the quick replies, will update once I have applied those.

     

    Vic
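
An added example, not part of any post in this thread: a small parser for `show datapath session table` output that groups a client's TCP 80/443 destinations by how the controller handled them, using the flag legend printed in the output above, so a certificate-validation (OCSP) destination the pre-auth role does not permit stands out. The rows are excerpted from the output posted above; the function names are hypothetical, and reading the `N` (dest NAT) flag as "redirected to the captive portal" is an assumption based on the return flows from 10.208.67.16 ports 8080/8081 in the same table.

```python
import re
from collections import defaultdict

# Rows excerpted from the "show datapath session table 10.10.10.14" output above.
SAMPLE = """\
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
10.10.10.14     172.16.10.205   17   64290 53     0/0     0 0   1   tunnel 631  12   0         0          FSCI
10.10.10.14     129.64.5.31     6    49913 443    0/0     0 0   1   tunnel 631  19   0         0          SC
10.10.10.14     173.194.73.147  6    49912 443    0/0     0 0   1   tunnel 631  1d   0         0          NCI
10.208.67.16    10.10.10.14     6    8081  49912  0/0     0 0   1   tunnel 631  1d   0         0          FSI
10.10.10.14     108.160.162.98  6    49915 80     0/0     0 0   0   tunnel 631  6    0         0          FNC
10.208.67.16    10.10.10.14     6    8080  49915  0/0     0 0   1   tunnel 631  6    0         0          FS
10.10.10.14     172.16.10.205   1    2220  2048   0/0     0 0   0   tunnel 631  1    1         84         FCI
"""

# A data row starts with: source IP, destination IP, protocol, source port, dest port.
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s")

def parse_sessions(text):
    """Return one dict per data row; header, rule and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        last = line.split()[-1]
        # Flags are the final column; a row without flags ends in the numeric Bytes column.
        flags = last if last.isalpha() and last.isupper() else ""
        src, dst, prot, sport, dport = m.groups()
        sessions.append({"src": src, "dst": dst, "prot": int(prot),
                         "sport": int(sport), "dport": int(dport), "flags": flags})
    return sessions

def web_flow_handling(sessions, client_ip, ports=(80, 443)):
    """Group the client's TCP web destinations by handling: denied, dest-nat, no-dest-nat."""
    result = defaultdict(set)
    for s in sessions:
        if s["src"] != client_ip or s["prot"] != 6 or s["dport"] not in ports:
            continue
        f = s["flags"]
        handling = "denied" if "D" in f else "dest-nat" if "N" in f else "no-dest-nat"
        result[handling].add((s["dst"], s["dport"]))
    return {k: sorted(v) for k, v in result.items()}

if __name__ == "__main__":
    for handling, dests in web_flow_handling(parse_sessions(SAMPLE), "10.10.10.14").items():
        print(handling, dests)
```

Run against a capture taken while the client is stuck, any destination under `dest-nat` or `denied` that resolves to the web certificate's OCSP responder is one the role's ACL still needs to allow.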