Apple CNA Issues
08-07-2018 09:07 AM
Hi All
I have an issue with the Apple Captive Network Assistant on iOS devices. When I connect to my open network which has a captive portal, hosted on Clearpass, the CNA pops up but the "Cancel" button immediately switches to "Done" before any login has happened. The captive portal authentication works correctly, but when any links are clicked from within the CNA, the phone opens a full Safari window rather than just opening within the CNA.
Has anyone else had this issue or have any idea where to look? I've tried adding a deny for apple.com into my initial role but this hasn't made any difference.
Dave
Re: Apple CNA Issues
08-07-2018 09:15 AM
It sounds as though your captive portal connection is being cached and so your client device is getting moved to the authenticated role automatically.
Charlie Clemmer
Aruba Customer Engineering
Re: Apple CNA Issues
08-09-2018 07:00 AM
I don't think it's being cached as when I do "show user-table" the client has the initial role, and the issue is still there after "aaa user delete mac <mac>".
Dave
Re: Apple CNA Issues
08-09-2018 07:11 AM
If the client is still in the initial role, then it doesn't sound as though captive portal authentication is working or I'm misunderstanding the process flow you're testing.
Yes, after deleting the user entry, the device should end up back in the initial role, so that behavior is consistent. What links are users trying to navigate prior to completing captive portal auth?
Charlie Clemmer
Aruba Customer Engineering
Re: Apple CNA Issues
08-09-2018 07:24 AM
Sorry, should have explained the process.
User associates and MAC auths against Clearpass, gets rejected so retains the Initial / captive portal role. They are redirected to the Clearpass captive portal, which opens the Apple CNA. As soon as the CNA opens you see the "Cancel" button change to "Done" prior to the user doing anything. My understanding is that the button only changes once the device can access captive.apple.com; however, the captive portal role does not allow any access to captive.apple.com. I've even tried adding an explicit deny for apple.com but this didn't make any difference.
Thanks
Dave
Re: Apple CNA Issues
08-09-2018 07:36 AM
Definitely strange. I agree, the CNA browser should not be switching to Done until clear access is available. I believe there are a few different destinations that can be checked in addition to captive.apple.com, but you have the right idea.
Are you using the default initial role (guest-logon) or something custom? Can you include the output from "show rights <initial-role>" from the controller, for whatever your initial role is? Also, what version of AOS are you running?
Charlie Clemmer
Aruba Customer Engineering
Re: Apple CNA Issues
08-09-2018 07:51 AM - edited 08-09-2018 07:53 AM
Output from "show rights guest-logon" below; clearpass-test is the Clearpass server where the captive portal is hosted.

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'guest-logon'
Up BW:No Limit   Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 4
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
ACL Number = 9/0
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Captive Portal profile = Open_Test

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                  Type     Location
--------  ----                  ----     --------
1         ra-guard              session
2         allow-clearpass-test  session
3         logon-control         session
4         captiveportal         session

ra-guard
--------
Priority  Source  Destination              Service           Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------           -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any                      icmpv6 rtr-adv                 deny                                   Low                                                           6

allow-clearpass-test
--------------------
Priority  Source  Destination              Service           Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------           -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    clearpass-test           svc-https                      permit                                 Low                                                           4
2         user    clearpass-test           svc-http                       permit                                 Low                                                           4

logon-control
-------------
Priority  Source  Destination              Service           Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------           -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any                      udp 68                         deny                                   Low                                                           4
2         any     any                      svc-icmp                       permit                                 Low                                                           4
3         any     any                      svc-dns                        permit                                 Low                                                           4
4         any     any                      svc-dhcp                       permit                                 Low                                                           4
5         any     any                      svc-natt                       permit                                 Low                                                           4
6         any     169.254.0.0 255.255.0.0  any                            deny                                   Low                                                           4
7         any     240.0.0.0 240.0.0.0      any                            deny                                   Low                                                           4

captiveportal
-------------
Priority  Source  Destination              Service           Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------           -----------  ------        ---------  ---  -----  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller               svc-https                      dst-nat 8081                           Low                                                           4
2         user    any                      svc-http                       dst-nat 8080                           Low                                                           4
3         user    any                      svc-https                      dst-nat 8081                           Low                                                           4
4         user    any                      svc-http-proxy1                dst-nat 8088                           Low                                                           4
5         user    any                      svc-http-proxy2                dst-nat 8088                           Low                                                           4
6         user    any                      svc-http-proxy3                dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0
Current OS version is 6.4.4.16
Thanks
Dave
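The role output above is a first-match list: the four session ACLs are evaluated in the order they appear (ra-guard, allow-clearpass-test, logon-control, captiveportal), and the first rule whose destination and service match decides the flow. The script below is an added example, not code from the thread or from Aruba; it transcribes those rules and answers, for a given client-originated flow, which rule fires. The addresses behind the netdestination aliases (`clearpass-test`, `controller`) and the protocol/port behind each netservice alias are assumptions constructed for the example (the thread does not list them), so check them against `show netdestination` and `show netservice` before relying on the answers. One thing the table itself shows is that HTTP and HTTPS to any host other than the ClearPass server are dst-nat'ed to the controller's portal ports (8080/8081) rather than permitted, so a CNA probe to captive.apple.com in this role is redirected, not passed through.

```python
"""Which rule of the guest-logon role matches a client flow? (added example)"""
import ipaddress
from typing import NamedTuple, Optional

# Assumed addresses for the role's netdestination aliases (constructed; not from the thread).
NETDEST = {
    "clearpass-test": ipaddress.ip_network("192.0.2.10/32"),
    "controller": ipaddress.ip_network("192.0.2.1/32"),
    "169.254.0.0 255.255.0.0": ipaddress.ip_network("169.254.0.0/16"),
    "240.0.0.0 240.0.0.0": ipaddress.ip_network("240.0.0.0/4"),
}

# Assumed protocol/port behind each netservice alias (constructed; verify with `show netservice`).
# For icmp/icmpv6 the port slot carries the message type; 0 means any type.
NETSVC = {
    "svc-https": ("tcp", 443), "svc-http": ("tcp", 80), "svc-dns": ("udp", 53),
    "svc-dhcp": ("udp", 67), "svc-natt": ("udp", 4500), "svc-icmp": ("icmp", 0),
    "udp 68": ("udp", 68), "icmpv6 rtr-adv": ("icmpv6", 134),
    "svc-http-proxy1": ("tcp", 3128), "svc-http-proxy2": ("tcp", 8080),
    "svc-http-proxy3": ("tcp", 8888),
}


class Rule(NamedTuple):
    policy: str
    priority: int
    src: str
    dst: str
    service: str
    action: str


# Transcribed from `show rights guest-logon`, in the order the role evaluates them.
RULES = [
    Rule("ra-guard", 1, "user", "any", "icmpv6 rtr-adv", "deny"),
    Rule("allow-clearpass-test", 1, "user", "clearpass-test", "svc-https", "permit"),
    Rule("allow-clearpass-test", 2, "user", "clearpass-test", "svc-http", "permit"),
    Rule("logon-control", 1, "user", "any", "udp 68", "deny"),
    Rule("logon-control", 2, "any", "any", "svc-icmp", "permit"),
    Rule("logon-control", 3, "any", "any", "svc-dns", "permit"),
    Rule("logon-control", 4, "any", "any", "svc-dhcp", "permit"),
    Rule("logon-control", 5, "any", "any", "svc-natt", "permit"),
    Rule("logon-control", 6, "any", "169.254.0.0 255.255.0.0", "any", "deny"),
    Rule("logon-control", 7, "any", "240.0.0.0 240.0.0.0", "any", "deny"),
    Rule("captiveportal", 1, "user", "controller", "svc-https", "dst-nat 8081"),
    Rule("captiveportal", 2, "user", "any", "svc-http", "dst-nat 8080"),
    Rule("captiveportal", 3, "user", "any", "svc-https", "dst-nat 8081"),
    Rule("captiveportal", 4, "user", "any", "svc-http-proxy1", "dst-nat 8088"),
    Rule("captiveportal", 5, "user", "any", "svc-http-proxy2", "dst-nat 8088"),
    Rule("captiveportal", 6, "user", "any", "svc-http-proxy3", "dst-nat 8088"),
]


class Flow(NamedTuple):
    dst_ip: str   # destination address
    proto: str    # tcp / udp / icmp / icmpv6
    dport: int    # destination port, or ICMP type for icmp/icmpv6


def _dst_matches(rule_dst: str, ip) -> bool:
    return rule_dst == "any" or ip in NETDEST[rule_dst]


def _svc_matches(rule_svc: str, flow: Flow) -> bool:
    if rule_svc == "any":
        return True
    proto, port = NETSVC[rule_svc]
    return proto == flow.proto and (port == 0 or port == flow.dport)


def match(flow: Flow) -> Optional[Rule]:
    """First matching rule for a flow the client originates, or None (implicit deny).
    The source is always the client itself, so both 'user' and 'any' match it."""
    ip = ipaddress.ip_address(flow.dst_ip)
    for rule in RULES:
        if _dst_matches(rule.dst, ip) and _svc_matches(rule.service, flow):
            return rule
    return None


def decide(flow: Flow) -> str:
    rule = match(flow)
    return "deny (implicit)" if rule is None else f"{rule.policy}#{rule.priority} {rule.action}"


if __name__ == "__main__":
    # 203.0.113.5 stands in for captive.apple.com (constructed address).
    for f in [Flow("192.0.2.10", "tcp", 443), Flow("203.0.113.5", "tcp", 80),
              Flow("203.0.113.5", "tcp", 443), Flow("8.8.8.8", "udp", 53),
              Flow("169.254.1.1", "tcp", 80), Flow("203.0.113.5", "tcp", 5223)]:
        print(f"{f.proto}/{f.dport} -> {f.dst_ip}: {decide(f)}")
```

Running it shows the ordering effects worth knowing when debugging a walled garden: HTTP to the stand-in Apple address lands on captiveportal#2 (dst-nat 8080), HTTPS on captiveportal#3 (dst-nat 8081), DNS to any resolver is permitted by logon-control#3 before the link-local deny is ever reached, and anything not covered (for example TCP 5223) falls through to the implicit deny.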
Re: Apple CNA Issues
08-22-2018 04:31 PM
I am getting the same issue and the customer is not happy. I have Public CA signed certificates for both Clearpass and Instant APs. Clearpass is version 6.6.9 and Instant APs are version 8. I don't think this makes a difference to the issue. Just letting you know.
My issue also started two weeks ago. Do we know whether any other users are experiencing the same issue?
Thanks
Buddhi
Re: Apple CNA Issues
08-22-2018 04:55 PM
You should do a packet capture for that client to see what the client could be doing:
- Forget the WLAN from the client's wireless networks
- Turn off the wireless NIC of the client
- Delete the client from the user table on the controller's CLI (aaa user delete mac <mac address of client>)
- Turn on packet capturing for that client:
  packet-capture reset-pcap
  packet-capture destination local-filesystem
  packet-capture datapath mac <mac address of client> decrypted
- Enable the client's wireless NIC and associate to the SSID. Observe the behavior.
- Take a look at the client's wireless traffic to see what traffic the client is sending:
(aruba7640) #show packet-capture datapath-pcap
18:49:26.970495 IP 192.168.1.1 > 224.0.0.1: igmp query v2
18:49:28.361216 IP 192.168.1.239.40859 > 172.217.9.138.443: Flags [P.], seq 3687845484:3687845515, ack 368191004, win 4329, options [nop,nop,TS val 19281407 ecr 3934040426], length 31
18:49:28.361281 IP 192.168.1.239.40859 > 172.217.9.138.443: Flags [F.], seq 31, ack 1, win 4329, options [nop,nop,TS val 19281414 ecr 3934040426], length 0
18:49:28.382341 IP 172.217.9.138.443 > 192.168.1.239.40859: Flags [R], seq 368191004, win 0, length 0
18:49:34.129610 IP 192.168.1.1 > 224.0.0.251: igmp query v2 [gaddr 224.0.0.251]
18:49:34.677221 IP 192.168.1.239.17553 > 8.8.8.8.53: 20054+ A? mobile.pipe.aria.microsoft.com. (48)
18:49:34.808386 IP 8.8.8.8.53 > 192.168.1.239.17553: 20054 5/0/0 CNAME prd.col.aria.mobile.skypedata.akadns.net., CNAME pipe.skype.com., CNAME pipe.prd.skypedata.akadns.net., CNAME pipe.cloudapp.aria.akadns.net., A 52.114.132.23 (199)
18:49:37.747091 ARP, Request who-has 192.168.1.239 (80:a5:89:33:69:75) tell 192.168.1.1, length 46
18:49:37.881564 ARP, Reply 192.168.1.239 is-at 80:a5:89:33:69:75, length 28
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
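The capture procedure above produces tcpdump-style lines, and the useful question for a pre-auth role is which destinations the client itself initiated traffic to, and which of those are web flows to something other than the portal server (the CNA's own probe will be one of them). The script below is an added example, not code from the thread or from Aruba: it parses the lines quoted in the reply above (embedded as sample input), summarises the client's outbound flows and DNS queries, and flags web flows that are not to the portal host. The portal address is a constructed placeholder; substitute the real ClearPass address.

```python
"""Triage `show packet-capture datapath-pcap` output for one client (added example)."""
import re

# Sample input: the capture lines quoted in the reply above.
SAMPLE_CAPTURE = """\
18:49:26.970495 IP 192.168.1.1 > 224.0.0.1: igmp query v2
18:49:28.361216 IP 192.168.1.239.40859 > 172.217.9.138.443: Flags [P.], seq 3687845484:3687845515, ack 368191004, win 4329, options [nop,nop,TS val 19281407 ecr 3934040426], length 31
18:49:28.361281 IP 192.168.1.239.40859 > 172.217.9.138.443: Flags [F.], seq 31, ack 1, win 4329, options [nop,nop,TS val 19281414 ecr 3934040426], length 0
18:49:28.382341 IP 172.217.9.138.443 > 192.168.1.239.40859: Flags [R], seq 368191004, win 0, length 0
18:49:34.129610 IP 192.168.1.1 > 224.0.0.251: igmp query v2 [gaddr 224.0.0.251]
18:49:34.677221 IP 192.168.1.239.17553 > 8.8.8.8.53: 20054+ A? mobile.pipe.aria.microsoft.com. (48)
18:49:34.808386 IP 8.8.8.8.53 > 192.168.1.239.17553: 20054 5/0/0 CNAME prd.col.aria.mobile.skypedata.akadns.net., CNAME pipe.skype.com., CNAME pipe.prd.skypedata.akadns.net., CNAME pipe.cloudapp.aria.akadns.net., A 52.114.132.23 (199)
18:49:37.747091 ARP, Request who-has 192.168.1.239 (80:a5:89:33:69:75) tell 192.168.1.1, length 46
18:49:37.881564 ARP, Reply 192.168.1.239 is-at 80:a5:89:33:69:75, length 28
"""

# IP lines that carry ports (TCP/UDP). IGMP and ARP lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
DNS_QUERY_RE = re.compile(r"\bA\? (?P<name>\S+)")


def parse(text):
    """Yield (ts, src, sport, dst, dport, rest) for every TCP/UDP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["rest"])


def client_flows(text, client_ip):
    """Distinct (dst, dport) pairs the client initiated, with packet counts and
    the DNS names it asked for on port 53. Packets from other hosts are ignored."""
    flows = {}
    for ts, src, sport, dst, dport, rest in parse(text):
        if src != client_ip:
            continue
        entry = flows.setdefault((dst, dport), {"first": ts, "packets": 0, "names": []})
        entry["packets"] += 1
        if dport == 53:
            q = DNS_QUERY_RE.search(rest)
            if q:
                entry["names"].append(q["name"].rstrip("."))
    return flows


def leaks(flows, portal_hosts, web_ports=(80, 443, 8080, 8081)):
    """Web flows to anything other than the portal host(s): the ones to inspect
    when a client in the pre-auth role behaves as if it already had access."""
    return sorted((dst, port) for (dst, port) in flows
                  if port in web_ports and dst not in portal_hosts)


if __name__ == "__main__":
    PORTAL = {"192.0.2.10"}  # constructed placeholder for the ClearPass address
    flows = client_flows(SAMPLE_CAPTURE, "192.168.1.239")
    for (dst, port), info in sorted(flows.items()):
        names = f" names={info['names']}" if info["names"] else ""
        print(f"{info['first']} -> {dst}:{port} packets={info['packets']}{names}")
    print("web flows off the walled garden:", leaks(flows, PORTAL))
```

On the quoted capture this reports one TCP flow to 172.217.9.138:443 and one DNS query for mobile.pipe.aria.microsoft.com; the 443 flow is the one flagged, which is the kind of destination to check against the role's rules (and against what the controller's dst-nat answered with) when the CNA switches to "Done" early.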