Community Home > Discuss > Technology > Wireless Access > Apple CNA Issues

Wireless Access

Reply
dave1607
Contributor I
dave1607

Apple CNA Issues

‎08-07-2018 09:07 AM

Hi All

 

I have an issue with the Apple Captive Network Assistant on iOS devices. When I connect to my open network which has a captive portal, hosted on Clearpass, the CNA pops up but the "Cancel" button imediately switches to "Done" before any login has happened. The captive portal authentication works correctly but when any links are clicked from within the CNA, the phone opens a full safari window rather than just opening within the CNA.

Has anyone else had this issue or have any idea where to look, I've tried adding a deny for apple.com into my initial role but this hasn't made any difference.

 

Dave

Alert a Moderator
Message 1 of 10
2,263 Views
Reply
0 Kudos
MVP
MVP
cclemmer

Re: Apple CNA Issues

‎08-07-2018 09:15 AM

@dave1607 wrote:

Hi All

 

I have an issue with the Apple Captive Network Assistant on iOS devices. When I connect to my open network which has a captive portal, hosted on Clearpass, the CNA pops up but the "Cancel" button imediately switches to "Done" before any login has happened. The captive portal authentication works correctly but when any links are clicked from within the CNA, the phone opens a full safari window rather than just opening within the CNA.

Has anyone else had this issue or have any idea where to look, I've tried adding a deny for apple.com into my initial role but this hasn't made any difference.

 

Dave

It sounds as thought you're captive portal connection is being cached and so your client device is getting moved to the authenticated role automatically.


Charlie Clemmer
Aruba Customer Engineering
Alert a Moderator
Message 2 of 10
2,258 Views
Reply
0 Kudos
dave1607
Contributor I
dave1607

Re: Apple CNA Issues

‎08-09-2018 07:00 AM

I don't think it's being cached as when I do "show user-table" the client has the initial role, and the issue is still there after "aaa user delete mac <mac>".

 

Dave

Alert a Moderator
Message 3 of 10
2,197 Views
Reply
0 Kudos
MVP
MVP
cclemmer

Re: Apple CNA Issues

‎08-09-2018 07:11 AM

If the client is still in the initial role, then it doesn't sound as though captive portal authentication is working or I'm misunderstanding the process flow you're testing.

 

Yes, after deleting the user entry, the device should end up back in the initial role, so that behavior is consistent. What links are users trying to navigate prior to completing captive portal auth?


Charlie Clemmer
Aruba Customer Engineering
Alert a Moderator
Message 4 of 10
2,195 Views
Reply
0 Kudos
dave1607
Contributor I
dave1607

Re: Apple CNA Issues

‎08-09-2018 07:24 AM

Sorry, should have explained the process.

User associates and MAC auths against Clearpass, gets rejected so retains the Initial / captive portal role. They are redirected to the Clearpass captive portal which opens the Apple CNA. As soon as the CNA opens you see the "cancel" button change to "done" prior to the user doing anything. My understanding is that the button only changes once the device can access captive.apple.com, however the captive portal role does not allow any access to captive.apple.com, I've even tried adding an explicit deny for apple.com but this didn't make any difference.

 

Thanks

 

Dave

Alert a Moderator
Message 5 of 10
2,191 Views
Reply
0 Kudos
MVP
MVP
cclemmer

Re: Apple CNA Issues

‎08-09-2018 07:36 AM

Definitely strange. I agree, the CNA browser should not be switching to Done until clear access is available. I believe there are a few different destinations that can be checked in addition to captive.apple.com, but you have the right idea.

 

Are you using the default initial role (guest-logon) or something custom? Can you include the output from "show rights <initial-role>" from the controller, for whatever your initial role is? Also, what version of AOS are you running?


Charlie Clemmer
Aruba Customer Engineering
Alert a Moderator
Message 6 of 10
2,187 Views
Reply
0 Kudos
dave1607
Contributor I
dave1607

Re: Apple CNA Issues

‎08-09-2018 07:51 AM - edited ‎08-09-2018 07:53 AM

Output from "show rights guest-logon" below, clearpass test is the Clearpass server where the captive portal is hosted.

 

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'guest-logon'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 4
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 ACL Number = 9/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE
 Captive Portal profile = Open_Test

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                  Type     Location
--------  ----                  ----     --------
1         ra-guard              session
2         allow-clearpass-test  session
3         logon-control         session
4         captiveportal         session

ra-guard
--------
Priority  Source  Destination  Service          Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          icmpv6 rtr-adv                deny                             Low                                                           6
allow-clearpass-test
--------------------
Priority  Source  Destination     Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------     -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    clearpass-test  svc-https               permit                           Low                                                           4   
2         user    clearpass-test  svc-http                permit                           Low                                                           4   
logon-control
-------------
Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any                      udp 68                 deny                             Low                                                           4
2         any     any                      svc-icmp               permit                           Low                                                           4
3         any     any                      svc-dns                permit                           Low                                                           4
4         any     any                      svc-dhcp               permit                           Low                                                           4
5         any     any                      svc-natt               permit                           Low                                                           4
6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4
7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4
captiveportal
-------------
Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
2         user    any          svc-http                      dst-nat 8080                           Low                                                           4
3         user    any          svc-https                     dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

Current OS version is 6.4.4.16

 

Thanks

 

Dave

Alert a Moderator
Message 7 of 10
2,175 Views
Reply
0 Kudos
buddy008
New Contributor
buddy008

Re: Apple CNA Issues

‎08-22-2018 04:31 PM

I am getting the same issue and customer is not happy. I have Public CA signed certificates for both Clearpass and Instant AP's. Clearpass is verision 6.6.9 and Instant AP's are version 8. I don't think this make a differnce to the issue. Just letting you know.

 

My issue also started two weeks ago. Do we know whether any other users expecing the same issue?

 

Thanks

Buddhi

Alert a Moderator
Message 8 of 10
2,027 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: Apple CNA Issues

‎08-22-2018 04:55 PM

@dave1607 wrote:

Output from "show rights guest-logon" below, clearpass test is the Clearpass server where the captive portal is hosted.

 

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'guest-logon'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 4
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 ACL Number = 9/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE
 Captive Portal profile = Open_Test

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                  Type     Location
--------  ----                  ----     --------
1         ra-guard              session
2         allow-clearpass-test  session
3         logon-control         session
4         captiveportal         session

ra-guard
--------
Priority  Source  Destination  Service          Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any          icmpv6 rtr-adv                deny                             Low                                                           6
allow-clearpass-test
--------------------
Priority  Source  Destination     Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------     -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    clearpass-test  svc-https               permit                           Low                                                           4   
2         user    clearpass-test  svc-http                permit                           Low                                                           4   
logon-control
-------------
Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any                      udp 68                 deny                             Low                                                           4
2         any     any                      svc-icmp               permit                           Low                                                           4
3         any     any                      svc-dns                permit                           Low                                                           4
4         any     any                      svc-dhcp               permit                           Low                                                           4
5         any     any                      svc-natt               permit                           Low                                                           4
6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4
7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4
captiveportal
-------------
Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
2         user    any          svc-http                      dst-nat 8080                           Low                                                           4
3         user    any          svc-https                     dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

Current OS version is 6.4.4.16

 

Thanks

 

Dave

You should do a packet capture for that client to see what the client could be doing:

- Forget the WLAN from the client's wireless networks

- Turn off the wireless nic of the client

- Delete the client from the user table on the controller's cli (aaa user delete mac <mac address of client>)

- Turn on packet capturing for that client:

 

packet-capture reset-pcap
packet-capture destination local-filesystem
packet-capture datapath mac <mac address of client> decrypted

-Enable the client's wireless nic and associate to the SSID.  Observe the behavior.

- Take a look at the client's wireless traffic to see what traffic the client is sending:

(aruba7640) #show packet-capture datapath-pcap 

18:49:26.970495 IP 192.168.1.1 > 224.0.0.1: igmp query v2
18:49:28.361216 IP 192.168.1.239.40859 > 172.217.9.138.443: Flags [P.], seq 3687845484:3687845515, ack 368191004, win 4329, options [nop,nop,TS val 19281407 ecr 3934040426], length 31
18:49:28.361281 IP 192.168.1.239.40859 > 172.217.9.138.443: Flags [F.], seq 31, ack 1, win 4329, options [nop,nop,TS val 19281414 ecr 3934040426], length 0
18:49:28.382341 IP 172.217.9.138.443 > 192.168.1.239.40859: Flags [R], seq 368191004, win 0, length 0
18:49:34.129610 IP 192.168.1.1 > 224.0.0.251: igmp query v2 [gaddr 224.0.0.251]
18:49:34.677221 IP 192.168.1.239.17553 > 8.8.8.8.53: 20054+ A? mobile.pipe.aria.microsoft.com. (48)
18:49:34.808386 IP 8.8.8.8.53 > 192.168.1.239.17553: 20054 5/0/0 CNAME prd.col.aria.mobile.skypedata.akadns.net., CNAME pipe.skype.com., CNAME pipe.prd.skypedata.akadns.net., CNAME pipe.cloudapp.aria.akadns.net., A 52.114.132.23 (199)
18:49:37.747091 ARP, Request who-has 192.168.1.239 (80:a5:89:33:69:75) tell 192.168.1.1, length 46
18:49:37.881564 ARP, Reply 192.168.1.239 is-at 80:a5:89:33:69:75, length 28

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Alert a Moderator
Message 9 of 10
2,021 Views
Reply
0 Kudos
Rylo
Occasional Contributor II
Rylo

Re: Apple CNA Issues

‎02-11-2019 02:31 PM

Did you find anything on your capture. I plan om doing this soon. My CP Apple CNA saves the endpoint information but does not change the active role from the login role. Hope a packet capture shows something.
Alert a Moderator
Message 10 of 10
1,111 Views
Reply
0 Kudos
Search Airheads
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2019 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium