New Contributor

ClearPass Captive Portal and Social Login MFA with iOS Devices

Hi Airheads,

 

We are currently using ClearPass Guest Self-Registration with Social Logins (Microsoft Azure AD), which is working fine; however, we are running into the following issues when it comes to MFA (Azure AD MFA during the Social Login process) using iOS devices (iPhones and iPads).

 

Issue 1: Disable CNA Option

- User connects to WiFi
- Apple's Captive Network Assistant brings up the Captive Portal (ClearPass)
- User selects Microsoft Azure AD social login
- User enters credentials
- User prompted for MFA Challenge (This is from AzureAD)
- User switches to SMS App or Authenticator app to retrieve code - This action closes the Apple Captive Network Assistant and user cannot proceed as Apple CNA starts again and repeats the above loop without success

 

Issue 2: Enable CNA Option

- User Connects to WiFi
- iPad/iPhone does not auto launch browser to captive portal
- User tries to open Safari App, not redirected to captive portal
- User can however type the URL to the ClearPass Guest Captive Portal and proceed successfully and authenticate using Microsoft Azure AD social login + MFA
Note: If the user has the Google Chrome app installed on the iPad/iPhone, they are redirected to our ClearPass Captive Portal automatically (not sure if this is a Safari issue or an Apple device limitation).

 

Has anyone had any success in moving past this? I assume the same issues above would happen using, say, the social login for Facebook or Gmail if the user had MFA enabled on their respective accounts?

 

Any assistance or advice would be greatly appreciated.

 

Aruba Employee

Re: ClearPass Captive Portal and Social Login MFA with iOS Devices

Hi,

 

Issue 1 is normal. This is how Apple devices work (the popup browser automatically closes once you go check the SMS), so if you really need to do MFA you have to go with option 2.

 

Issue 2: These are possible things to test:

Once you open the browser, if you type any URL do you get redirected?

If not, if you type any IP address like http://1.2.3.4, do you get redirected?

Do you have a trusted certificate that is properly installed on ClearPass?

 

Are you testing with Instant AP? There was someone else reporting such an issue and they said it got solved with a firmware upgrade: https://community.arubanetworks.com/t5/Security/No-Captive-Portal-redirect-on-iPhones-only/m-p/658485#M100320

 

 

New Contributor

Re: ClearPass Captive Portal and Social Login MFA with iOS Devices

Hi Ayman

 

Agree with Option 1. 

 

In Option 2 the following happens when using the Safari app:

- The user types in google.com or any other website and nothing happens.

- If you type in an IP, i.e. 8.8.8.8, it redirects to our Captive Portal with no issue.

 

In Option 2, if we use the Chrome app (instead of Safari), then when the user tries to go to any website it automatically redirects to the captive portal (expected behavior).

 

I've confirmed that all the certificates are trusted in ClearPass. We aren't using IAPs in our instance; however, we are running a 7205 Controller (which also has a public certificate on it and is not using the default Aruba one).

 

 

Aruba Employee

Re: ClearPass Captive Portal and Social Login MFA with iOS Devices

Hi,

 

Based on the below, it looks like, while you are using Safari, the DNS requests are not being resolved and that's why you are not getting redirected. Did you try to clear the cache of Safari? Is it happening on all devices?

 

"In Option 2 the following happens when using the Safari app:

- The user types in google.com or any other website and nothing happens.

- If you type in an IP, i.e. 8.8.8.8, it redirects to our Captive Portal with no issue."
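
The hostname-versus-IP checks discussed in this thread can be scripted from a test laptop joined to the guest SSID before authentication. The following is an added example, not part of the original posts or any Aruba tooling; the function names are hypothetical, and the default targets (google.com, 1.2.3.4) are the ones mentioned in the thread.

```python
import socket
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 30x then surfaces as HTTPError


def resolve(host):
    """Return an IPv4 address for host, or None when DNS gives no answer."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def redirect_target(url, timeout=5.0):
    """Return the Location header if url answers with a 30x, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None
    except OSError:  # timeout, reset, URLError
        return None
    return None  # 200: nothing intercepted the request


def triage(host="google.com", ip_literal="1.2.3.4",
           resolver=resolve, fetcher=redirect_target):
    """Run the thread's checks and name the stage that fails."""
    resolved = resolver(host)
    by_name = fetcher(f"http://{host}/") if resolved else None
    by_ip = fetcher(f"http://{ip_literal}/")
    if by_name:
        verdict = "ok"              # hostname requests reach the portal
    elif by_ip and not resolved:
        verdict = "dns"             # symptom reported in the thread
    elif by_ip:
        verdict = "hostname-http"   # name resolves, request not redirected
    else:
        verdict = "no-redirect"     # neither path is intercepted
    return {"resolved": resolved, "by_name": by_name,
            "by_ip": by_ip, "verdict": verdict}


if __name__ == "__main__":
    print(triage())
```

A `dns` verdict matches the behaviour reported above (IP literal redirects, hostname does not). A portal that answers 200 with its own page instead of a 30x will read as `no-redirect` here, and the script does not reproduce Safari-specific behaviour.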
