Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Captive Portal- Welcome Page

  • 1.  Captive Portal- Welcome Page

    Posted Mar 30, 2012 10:18 AM

    I have an SSID that uses captive portal (username and password) to authenticate.

     

    After they authenticate we send them to our company website via the Configuration>Authentication>L3 Authentication   -Captive Portal

     

    -Check box in Show welcome page

    -http://www.mycompany.com in the welcome page URL

     

    On laptops this works without any problem. The person logs in and immediately gets redirected to our website.

     

    On iPads and iPhones it does not work.

       - The captive portal page pops up right after you connect to the SSID but then just disappears after entering your login credentials.

     

    Anyone run into this before?

     

    Suggestions and comments gladly welcomed....

     

    Thanks,

    Mike

     



  • 2.  RE: Captive Portal- Welcome Page

    EMPLOYEE
    Posted Mar 30, 2012 10:51 AM

    That is due to the fact that the Apple Captive Portal Network Assistant is being invoked.  Your i-Device (and Mac OS X Lion) will try to reach a URL at apple.com and retrieve a page.  If it cannot retrieve it, it will launch the Captive Portal Network Assistant and ask the client to log in.  What that does is break the redirect functionality you are mentioning.  How to deal with that functionality using Amigopod is here:  http://www.arubanetworks.com/pdf/technology/Amigopod-CNA-bypass-AppNote.pdf

     

    To deal with that using built-in ArubaOS is probably to allow all traffic to *.apple.com.  First, you would turn on the controller's built-in DNS server, then turn on lookups.  Next you will define an alias of *apple.com:

     

    config t
    ip name-server 8.8.8.8
    ip domain-name <your company.com>
    ip domain-lookup
    netdestination apple
    name *.apple.com
    exit

     You would then create a firewall policy that allows all http traffic to the apple alias and push that firewall policy to the top of your "logon" or initial role for your WLAN:

     

     
     
    ip access-list session "apple-bypass"
    any alias "apple" "svc-http" permit queue low
    !
    user-role "logon"
    access-list session "logon-control" position 2
    access-list session "captiveportal" position 3
    access-list session "apple-bypass" position 1

     

    logon of course is the initial role that your clients get.  It could be <your wlan-logon>.  Please insert the correct role in here.

     

    Does that make sense?

     

     



  • 3.  RE: Captive Portal- Welcome Page

    Posted Apr 10, 2012 07:03 PM

    That is an interesting approach - I'm thinking an important distinction however, if you allow that call to Apple the device will not think it's behind a captive portal, and the CNA won't display.  The user then will have to manually open a browser to get redirected to the portal to complete authentication.

     

    If the user does not open a browser and starts an application that uses for example port 993 - that traffic will be blocked until the user finally realizes it's not working and opens their browser and authenticates.

     

    In my experience that creates a confusing experience for the client.

     

    ?

    c
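
The trade-off raised in posts 2 and 3, modelled as an added example (not code from any poster and not ArubaOS itself): session ACLs of the initial role are checked in position order and the first match decides what an unauthenticated client can reach. The contents of `logon-control` and `captiveportal`, the probe host `www.apple.com`, hostname-based matching and the sample flows are simplifying assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed, simplified model of the pre-auth "logon" role from post 2.
# Rule = (destination pattern, protocol, port, action).
ACLS = {
    "apple-bypass": [("*.apple.com", "tcp", 80, "permit")],
    # Assumed contents: the thread does not show these two ACLs.
    "logon-control": [("*", "udp", 53, "permit"), ("*", "udp", 67, "permit")],
    "captiveportal": [("*", "tcp", 80, "redirect"), ("*", "tcp", 443, "redirect")],
}
# position -> ACL, as in the user-role block; the second role omits the bypass.
ROLE_WITH_BYPASS = {1: "apple-bypass", 2: "logon-control", 3: "captiveportal"}
ROLE_WITHOUT_BYPASS = {2: "logon-control", 3: "captiveportal"}


def evaluate(role, host, proto, port):
    """Return (action, acl) for the first matching rule in position order."""
    for position in sorted(role):
        acl = role[position]
        for pattern, r_proto, r_port, action in ACLS[acl]:
            if fnmatchcase(host.lower(), pattern) and (proto, port) == (r_proto, r_port):
                return action, acl
    return "deny", "implicit"  # nothing matched: traffic is dropped


def cna_launches(role, probe_host="www.apple.com"):
    """The assistant pops up only if the device's HTTP probe is not permitted."""
    return evaluate(role, probe_host, "tcp", 80)[0] != "permit"


def preauth_report(role, flows):
    """Map each (host, proto, port) flow to the action an unauthenticated client gets."""
    return {flow: evaluate(role, *flow)[0] for flow in flows}


# Constructed sample flows from a client that has not authenticated yet.
FLOWS = [
    ("www.apple.com", "tcp", 80),      # the probe
    ("www.mycompany.com", "tcp", 80),  # ordinary browsing
    ("imap.example.com", "tcp", 993),  # mail app, as in post 3
    ("store.apple.com", "tcp", 80),    # any other apple.com host
]

if __name__ == "__main__":
    for name, role in (("with bypass", ROLE_WITH_BYPASS), ("without", ROLE_WITHOUT_BYPASS)):
        print(name, "CNA launches:", cna_launches(role))
        for flow, action in preauth_report(role, FLOWS).items():
            print("   ", flow, "->", action)
```

The last sample flow shows the side effect of the wildcard alias: with the bypass in place, HTTP to every apple.com host is permitted before login, not only the probe.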

     

     



  • 4.  RE: Captive Portal- Welcome Page

    EMPLOYEE
    Posted Apr 10, 2012 07:08 PM

    @cchandler wrote:

    That is an interesting approach - I'm thinking an important distinction however, if you allow that call to Apple the device will not think it's behind a captive portal, and the CNA won't display.  The user then will have to manually open a browser to get redirected to the portal to complete authentication.

     

    If the user does not open a browser and starts an application that uses for example port 993 - that traffic will be blocked until the user finally realizes it's not working and opens their browser and authenticates.

     

    In my experience that creates a confusing experience for the client.

     

    ?

    c

     

     


    I cannot speak for the typical user, but I can speak for my past behavior:

     

    If I connect to a foreign network, I open a browser to see if I can surf before I expect other applications will work.  That is the only way I will know that I am passing traffic.  There are other users who might open an App and that won't work and they will fall back to the browser.

     

    Is that particularly confusing?