Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Apple Devices and Captive Portal

  • 1.  Apple Devices and Captive Portal

    MVP
    Posted Jan 20, 2017 02:06 PM

    I've noticed that the captive portal no longer automatically pops up for our users when they connect to the guest SSID. It used to before but now it doesn't. If the user opens any browser on a Mac, they are forwarded to the Aruba captive portal. However, it doesn't automatically pop up when the user connects to the SSID like it used to. This is not a problem on Windows.



  • 2.  RE: Apple Devices and Captive Portal

    Posted Jan 20, 2017 02:11 PM

    I assume you are using ClearPass for guest?

     

    Did you enable the captive portal assistant settings in CPPM? http://community.arubanetworks.com/t5/Validated-Reference-Design/Apple-Captive-Network-Assistant-Bypass-with-ClearPass-Guest/ta-p/155618

     

    Also, the Captive Portal assistant does a check to a specific Apple URL to check for internet connectivity. If it gets a redirect it knows it is behind a captive portal. Have you updated the pre-auth role ACL to allow any Apple access? If the clients can reach this page without any block or redirect, they will not know they are behind a captive portal.



  • 3.  RE: Apple Devices and Captive Portal

    MVP
    Posted Jan 20, 2017 02:13 PM

    We are not using ClearPass and we have not added any Apple access to the pre-auth role.



  • 4.  RE: Apple Devices and Captive Portal

    EMPLOYEE
    Posted Jan 20, 2017 02:23 PM
    Apple constantly changes the behavior. It's a losing battle.

    To test, try forgetting the network then reconnecting. Do you get the CNA?


  • 5.  RE: Apple Devices and Captive Portal

    MVP
    Posted Jan 20, 2017 02:31 PM

    I don't think it's Apple. And that didn't work.



  • 6.  RE: Apple Devices and Captive Portal

    MVP
    Posted Feb 01, 2017 10:08 AM

    Working with TAC on this. After several hours, and spanning multiple days, we're still unable to get the Apple Captive Portal Assistant to pop up using Aruba OS 6.4.4.11.

     

    The engineer believes there to be a bug in this OS version. I'll update the thread once we figure it out.



  • 7.  RE: Apple Devices and Captive Portal

    MVP
    Posted Feb 08, 2017 08:56 AM

    Well, TAC couldn't figure it out but I'm halfway there. I noticed in the release notes for 6.4.4.10 that the default certificate included with Aruba OS 6.4.4.9 and below has been revoked for security reasons. A public CA is now required for the Apple Captive Portal Assistant to work properly. It's crazy how TAC didn't know this right off the bat.

     

    I uploaded our wildcard certificate and the Apple Captive Portal Assistant now pops up when connecting to our guest network. However, after logging in, we're getting the error message, "A problem occurred. The webpage couldn't be loaded." I notice that the URL of the captive portal page is now captiveportal-login.domain instead of securelogin.arubanetworks.domain, which maps to our controller's main IP. The guest network blocks all internal traffic by design.

     

    Does anyone know the next step?

     

    Revocation of ArubaOS Default Certificate Issued by GeoTrust

    The controller-issued server certificate replaces the ArubaOS default certificate issued by GeoTrust Public CA for WebUI authentication, Captive Portal, 802.1X termination, and Single Sign-On (SSO) because the default certificate is now revoked.

    For more information on the GeoTrust Public CA certificate revocation, refer to the advisory.

    Using the controller-issued server certificate has the following caveats:

    When MacBook or iOS devices connect to Captive Portal, the CNA (Captive Network Assistant) popup does not appear. So, you must open a browser to get redirected to a Captive Portal page.


  • 8.  RE: Apple Devices and Captive Portal

    EMPLOYEE
    Posted Feb 08, 2017 09:00 AM

    The CNA works over http, so it should always have worked, really.

     

    When you upload a wildcard certificate the redirection URL should be captiveportal-login.domain, so you should adjust accordingly.

     

    That is all I am willing to say, because I am not aware of what dealings you had with support.
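
One way to see exactly what the Apple client sees, as an added example that is not code from this thread or from Aruba: run it from a client on the guest SSID and it fetches Apple's well-known probe page without following redirects, then classifies the result the way the CNA does (a redirect means "behind a portal" and names the login host the popup will load, such as captiveportal-login.domain; a clean 200 "Success" means the pre-auth role let the probe through, so no popup). The function names and the "Success" body check are this example's own assumptions.

```python
"""Diagnose Apple Captive Network Assistant (CNA) detection from a guest-SSID client.

The CNA fetches a known HTTP probe page. A plain 200 "Success" means open internet
(no popup); a 30x redirect (the logon ACL's dst-nat to 8080) or a rewritten body means
"behind a captive portal" (popup appears and loads the redirect target).
"""
import urllib.request
import urllib.error
from urllib.parse import urlsplit

# Apple's public captive-portal probe page and the body Apple expects back from it.
PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
EXPECTED_BODY = "Success"  # assumed marker for an unintercepted probe


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so the portal's Location header is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location, body):
    """Return (verdict, portal_host): verdict is 'internet', 'captive' or 'unreachable'."""
    if status is None:
        return "unreachable", None
    if 300 <= status < 400 and location:
        # Controller intercepted the probe: CNA pops up and loads this host, so the
        # host must be resolvable and reachable from the guest role or login fails.
        return "captive", urlsplit(location).hostname
    if status == 200 and EXPECTED_BODY in body:
        # Probe reached Apple untouched (pre-auth role permits it): no popup.
        return "internet", None
    # Intercepted and rewritten in place (e.g. inline login page): still captive.
    return "captive", None


def probe(url=PROBE_URL, timeout=5):
    """Fetch the probe without following redirects and classify the response."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"),
                            resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:  # urllib raises on an unfollowed 3xx
        return classify(e.code, e.headers.get("Location"), e.read().decode(errors="replace"))
    except (urllib.error.URLError, OSError):
        return classify(None, None, "")


if __name__ == "__main__":
    verdict, host = probe()
    print(f"CNA verdict: {verdict}" + (f" (portal host {host})" if host else ""))
```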



  • 9.  RE: Apple Devices and Captive Portal

    MVP
    Posted Feb 08, 2017 09:02 AM

    Thanks cjoseph. What adjustments are needed? Support hasn't been great. It has been 3 weeks since submitting the ticket and I had to find out for myself that a public CA is needed since 6.4.4.10.



  • 10.  RE: Apple Devices and Captive Portal

    EMPLOYEE
    Posted Feb 08, 2017 09:16 AM

    Are you using a captive portal internal to the controller or external to the controller?



  • 11.  RE: Apple Devices and Captive Portal

    MVP
    Posted Feb 08, 2017 09:19 AM

    Internal. I followed the instructions in the Aruba OS user guide to create a guest network and use the captive portal.



  • 12.  RE: Apple Devices and Captive Portal

    EMPLOYEE
    Posted Feb 08, 2017 09:22 AM

    What is your "logon" acl?  type show rights <logon role>



  • 13.  RE: Apple Devices and Captive Portal

    MVP
    Posted Feb 08, 2017 09:24 AM

    (Aruba7210) #show rights guest-logon

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'guest-logon'
    Up BW:No Limit   Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 18
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    ACL Number = 9/0
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE
    Captive Portal profile = Sem Guest

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------
    Position  Name                Type     Location
    --------  ----                ----     --------
    1         captiveportal       session
    2         guest-logon-access  session

    captiveportal
    -------------
    Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
    2         user    any          svc-http                      dst-nat 8080                           Low                                                           4
    3         user    any          svc-https                     dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4

    guest-logon-access
    ------------------
    Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          udp 68                 deny                             Low                                                           4
    2         any     any          svc-dhcp               permit                           Low                                                           4
    3         user    Public-DNS   svc-dns                permit                           Low                                                           4

    Expired Policies (due to time constraints) = 0