10-11-2018 07:23 AM - edited 10-11-2018 07:24 AM
Hey,
We have configured a guest network with captive portal logon, but we have trouble with Apple iOS devices.
The captive portal website does not open when the devices connect to the wireless network.
One solution is to whitelist some Apple URLs (captive.apple.com, airport.us, thinkdifferent.us) that answer with a "Success" welcome page for testing the internet connection. After this test is successful, the captive portal login loads.
So my question is: how can I whitelist these URLs?
Greetings Wolfgang
Re: IOS Devices not open Captive Portal Login Page
10-11-2018 07:50 AM
You should not need to whitelist any urls in order for iOS to activate the captive network assist.
What version of ArubaOS are you running on your controller?
Charlie Clemmer
Aruba Customer Engineering
Re: IOS Devices not open Captive Portal Login Page
10-11-2018 07:54 AM
Re: IOS Devices not open Captive Portal Login Page
10-11-2018 08:41 AM
Is it only iOS devices that are unable to detect they are behind a captive portal? Do Android devices detect the portal correctly?
Can you post the output from the following commands:
show aaa authentication captive-portal
show references aaa authentication captive-portal <captive portal profile>
show rights <user-role referencing captive portal profile>
Charlie Clemmer
Aruba Customer Engineering
Re: IOS Devices not open Captive Portal Login Page
10-11-2018 11:35 AM
Only problems with iOS devices; Android devices work correctly.
172.16.0.229 is the IP of the external captive portal website.
(WLC01) #show aaa authentication captive-portal

Captive Portal Authentication Profile List
------------------------------------------
Name               References  Profile Status
----               ----------  --------------
default            1
ExternalWebserver  1
Presse-cp_prof     1
test-cp_prof       0
VIP-cp_prof        1

(WLC01) #show references aaa authentication captive-portal ExternalWebserver

References to Captive Portal Authentication Profile "ExternalWebserver"
-----------------------------------------------------------------------
Referrer                               Count
--------                               -----
user-role "Externalcp" captive-portal  1
Total References:1

(WLC01) #show rights Externalcp

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'Externalcp'
Up BW:No Limit   Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 10
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 73/0
Openflow: Disabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE
Captive Portal profile = ExternalWebserver

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                      Type     Location
--------  ----                      ----     --------
1         global-sacl               session
2         apprf-Externalcp-sacl     session
3         logon-control             session
4         allow-external-webserver  session
5         captiveportal             session

global-sacl
-----------
Priority  Source  Destination              Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

apprf-Externalcp-sacl
-------------------------
Priority  Source  Destination              Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

logon-control
-------------
Priority  Source  Destination              Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any                      udp 68                        deny                                   Low                                                           4
2         any     any                      svc-icmp                      permit                                 Low                                                           4
3         any     any                      svc-dns                       permit                                 Low                                                           4
4         any     any                      svc-dhcp                      permit                                 Low                                                           4
5         any     any                      svc-natt                      permit                                 Low                                                           4
6         any     169.254.0.0 255.255.0.0  any                           deny                                   Low                                                           4
7         any     240.0.0.0 240.0.0.0      any                           deny                                   Low                                                           4

allow-external-webserver
------------------------
Priority  Source  Destination              Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    172.16.0.229             svc-http                      permit                                 Low                                                           4

captiveportal
-------------
Priority  Source  Destination              Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller               svc-https                     dst-nat 8081                           Low                                                           4
2         user    any                      svc-http                      dst-nat 8080                           Low                                                           4
3         user    any                      svc-https                     dst-nat 8081                           Low                                                           4
4         user    any                      svc-http-proxy1               dst-nat 8088                           Low                                                           4
5         user    any                      svc-http-proxy2               dst-nat 8088                           Low                                                           4
6         user    any                      svc-http-proxy3               dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0
Re: IOS Devices not open Captive Portal Login Page
10-11-2018 12:19 PM
Can you provide one additional output that I neglected to request:
show aaa authentication captive-portal ExternalWebserver
Charlie Clemmer
Aruba Customer Engineering
Re: IOS Devices not open Captive Portal Login Page
10-11-2018 01:11 PM
(WLC01) #show aaa authentication captive-portal ExternalWebserver

Captive Portal Authentication Profile "ExternalWebserver"
---------------------------------------------------------
Parameter                                          Value
---------                                          -----
Default Role                                       authenticated
Default Guest Role                                 guest
Server Group                                       internal
Redirect Pause                                     1 sec
User Login                                         Enabled
Guest Login                                        Disabled
Logout popup window                                Enabled
Use HTTP for authentication                        Enabled
Logon wait minimum wait                            5 sec
Logon wait maximum wait                            10 sec
logon wait CPU utilization threshold               60 %
Max Authentication failures                        0
Show FQDN                                          Disabled
Authentication Protocol                            PAP
Login page                                         http://172.16.0.229
Welcome page                                       http://www.beispiel.de
Show Welcome Page                                  Yes
Add switch IP address in the redirection URL       Disabled
Adding user vlan in redirection URL                Disabled
Add a controller interface in the redirection URL  N/A
Allow only one active user session                 Disabled
White List                                         N/A
Black List                                         N/A
Show the acceptable use policy page                Disabled
User idle timeout                                  N/A
Redirect URL                                       N/A
Bypass Apple Captive Network Assistant             Disabled
URL Hash Key                                       N/A
10-11-2018 01:40 PM - edited 10-11-2018 01:43 PM
Is this SSID an open SSID, or is captive portal running on top of a WPA2 SSID? Curious why the captive portal page is running http and not https in order to secure the portal login from eavesdropping.
If you can run https on your portal, I would suggest modifying the allow-external-webserver policy to add a role allowing https to your portal in addition to http. iOS had started using https probes to check for a portal, so it may be having an issue with the redirect trying to switch from https to http.
Additionally, what is the external captive portal device? I have seen issues come up when the external captive portal was improperly handling the iOS cna probe ... in such a way that the iOS device would not prompt for the portal unless specifically using a browser. In that case though, we were redirecting to an https portal landing page, so it may not be the same issue coming into play here.
Charlie Clemmer
Aruba Customer Engineering
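The suggestion above to permit https to the portal can be traced through the role's policies with a small first-match evaluator. This is an added example, not part of the original posts and not Aruba code; the service-to-port mapping and the controller address are assumptions, and only the web-relevant rules from the posted `show rights Externalcp` output are modelled.

```python
# Constructed model of the Externalcp role from the "show rights" output in the thread.
# Assumptions: svc-http = tcp/80, svc-https = tcp/443, svc-dns = udp/53; session ACLs
# are evaluated in position order, first match wins, and unmatched traffic is denied.
SERVICES = {"svc-http": ("tcp", 80), "svc-https": ("tcp", 443), "svc-dns": ("udp", 53)}
PORTAL = "172.16.0.229"      # external portal address given in the thread
CONTROLLER = "192.0.2.1"     # placeholder controller address (constructed)

# (policy, destination, service, action), in the position order shown for the role
ROLE = [
    ("logon-control", "any", "svc-dns", "permit"),
    ("allow-external-webserver", PORTAL, "svc-http", "permit"),
    ("captiveportal", "controller", "svc-https", "dst-nat 8081"),
    ("captiveportal", "any", "svc-http", "dst-nat 8080"),
    ("captiveportal", "any", "svc-https", "dst-nat 8081"),
]

def dst_matches(rule_dst, dst_ip):
    """Match the destination column: 'any', the 'controller' alias, or a host."""
    if rule_dst == "any":
        return True
    if rule_dst == "controller":
        return dst_ip == CONTROLLER
    return rule_dst == dst_ip

def evaluate(rules, dst_ip, proto, port):
    """Return (policy, action) of the first matching rule, else implicit deny."""
    for policy, rule_dst, service, action in rules:
        if SERVICES[service] == (proto, port) and dst_matches(rule_dst, dst_ip):
            return policy, action
    return "implicit", "deny"

def with_https_to_portal(rules):
    """Copy of the role with an https permit added beside the existing http permit."""
    out = []
    for rule in rules:
        out.append(rule)
        if rule == ("allow-external-webserver", PORTAL, "svc-http", "permit"):
            out.append(("allow-external-webserver", PORTAL, "svc-https", "permit"))
    return out

if __name__ == "__main__":
    for name, rules in (("current", ROLE), ("with https rule", with_https_to_portal(ROLE))):
        for port in (80, 443):
            print(name, PORTAL, port, evaluate(rules, PORTAL, "tcp", port))
```

With the role as posted, https traffic from a pre-auth client to the portal host is caught by the captiveportal dst-nat rule instead of reaching the portal; the extra permit changes that.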
Re: IOS Devices not open Captive Portal Login Page
10-15-2018 05:41 AM - edited 10-15-2018 05:42 AM
Re: IOS Devices not open Captive Portal Login Page
10-15-2018 09:34 AM
What version of iOS?
Charlie Clemmer
Aruba Customer Engineering