Wireless Access

Hello!

I am working currently with an aruba 7030 controller (AOS  6.5.2.0) and a custom internal captive portal page.

All sorts of clients except iOS devices open the CP page automatically after association.
I read a mass of topics but found no solution jet.

We have no pefng license.
The controller plays dhcp server, default gateway and dns server is a other device.

I've enabled the Apple Captive Network Assistant bypass, as suggested in this article:

http://community.arubanetworks.com/t5/Wireless-Access/Automaticly-open-captive-portal-after-joining-unsecured-wifi/m-p/283980

But this has no affect in my case.

DNS lookups are possible in the initial role, i've tested this with nslookup.

Initial role befor login:

#show rights Gast-cp_prof

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'Gast-cp_prof'
 Up BW:No Limit Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 2
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 IP-Classification Enforcement: Enabled
 ACL Number = 69/0
 Openflow: Disabled
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE
 Captive Portal profile = Gast-cp_prof

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 Gast-cp_prof session

Gast-cp_prof
------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user controller6 svc-http captive Low 6
2 user controller svc-http dst-nat 8080 Low 4
3 user any svc-https captive Low 6
4 user any svc-http captive Low 6
5 any any svc-v6-icmp permit Low 6
6 any any svc-v6-dns permit Low 6
7 any any svc-v6-dhcp permit Low 6
8 user any svc-http dst-nat 8080 Low 4
9 user any svc-https dst-nat 8081 Low 4
10 any any svc-dns permit Low 4
11 any any svc-dhcp permit Low 4

Expired Policies (due to time constraints) = 0

CP profile settings:

I'm grateful for any recommendation.

Thank you!

You have a custom page.  Try it with the default captive portal page on the controller.

Hi!

I changed captive portal back to the aruba default.
No effect, on ios the cp page don't pop up automatically.

Bypass Apple Captive Networ Assistant is disabled.
DNS lookups are successful, http://captive.apple.com/hotspot-detect.html and http://www.apple.com/library/test/success.html are not reachable in the initial role.

Do you have another idea?

Thank you for help!

Update:

Now i changed the L3 Authentication captive portal custom profile to "Use HTTP for authentication" AND the default site.
Now CNA pops up.

Now i think the error lies in the HTML code from the custom CP page.
Do you know for what i should look for?

Thanks for help!

Update:

With the exlusion procedure i minimized the CSS code of my html page until the CNA pops up.
I am able to confirm this article now, start with the basics if you want to create a custom captive portal!

I used this guide for my customizations and i must say, you hav to clean out everything of the css codes that is not needed.
Something in the css blocked the CNA. I was not able to find the responsible line, because of time (about 6000 lines in the template).

Now the CP pops up automatically on iOS :)

Hi Matthias good spot on the CSS blocking, funny enough I wrote that blog post you linked to about the responsive Captive Portal (!)

Seems Apple have got more fussy with what they'll accept on the CNA page. I tried removing elements from the Boostrap template I was using but no joy.

Instead I've changed over to a simpler framework http://getskeleton.com/ and styled that up to be similar to the old one I wrote about. Pleased to say it works fine now with Apple CNA :)

Will do another blog post on it soon but thanks for posting your solution and giving me a heads-up on what to look for.

For reference it also seems like embedded Fonts and Javascript (e.g. for page scrolling, error handling etc.) aren't allowed by the Apple CNA so had to remove those as well. Android and Windows work fine though.

Regards, 

Gerrard

Hi!

Skeleton looks interesting, I like thin codes :) ...
Maybe I try it next time, if I have the requirement.

Yeah, at the end I was sitting a couple of hours with deleting function for function, line for line, checking the impact to the display and if CNA pops up....

Frustrating....

In addition, we have no PEFNG license and no certificate.
So, I was not able to customize the ACL's and Roles.
And I was not sure if CNA had problems with the certificate warning...

Everything together is an annoying thing!

I'm looking forward to your further posts!

I read in another thread that iOS requires the Captive Portal to have an externally Trusted SSL certificate so we purchased one of those as part of the troubleshooting steps. 

Now I've got it working I don't want to turn anything off so can't be 100% sure if the cert helps or not (!)

In this case, i changed the captive portal to HTTP.
That works for sure.

I think i tried HTTPS without certificate also.
If I remember right CNA was popping up but with a certificate warning...
The next thing is, you can only define the CP URL with the certificate FQDN...

Embedded fonts and basic scripts should work fine in CNA. It's likely more of a whitelist issue or not having a public CA-signed certificate.

Hello!

In my case it was definitly the CSS Code.
As I wrote earlier, I was not able to find out exactly what function because of the mass of lines (no basic code ;) ).
But with deleting block for block, i come to the point it pops up.

Before i had the problem that CNA was not popping up regardless if CP was on HTTP or HTTPS (with or without public certificate).

And I'm quite sure that CNA pops up without public certificate, but shows the certificate warning.

CNA does not work with an untrusted certificate.

Are you sure that all external references to CSS were whitelisted in the controller?

As far as I can tell there aren't any external references in the page code. At the time I copied any locally referenced content into the page itself and downloaded any external code and did the same.

The only thing I can spot looking back through is a reference to a relative path font file that isn't present but during troubleshooting I'm pretty sure I removed those lines.

Should and do seem to be two separate things unfortunately and only on Apple iOS \ macOS (no surprises there!) The only difference was the page content. The Boostrap page had a lot more content in it such as JS scripts for scrolling sections, some custom code we wrote to handle error messages etc.

Removing all that and going to Skeleton, which only has basic CSS code handling the responsive design sorted the issue instantly.

The page shouldn't have been attempting to connect anywhere else as I deliberately rolled all the scripts etc. into one page to make it easier to manage on the controller.

The Skeleton framework is so flexible anyway I'm moving to that for everything now, just done a welcome page with it too (although bizarrely that doesn't play nicely using the Captive Portal native Welcome page option so had to store it on a different server and redirect instead)