Wireless Access

rout86 · ‎10-11-2018

Hey,

we have configure a guest-network with captive portal logon but we have trouble with apple ios devices.

The captive portal website is not open when the devices connected to the wireless network.

One solution is to whitelist some apple urls captive.apple.com airport.us thinkdifferent.us that answer with a "Success" welcome page for testing internet connection. After this test is successful the captive portal login is loading.

So my question is how can I whitelist this urls?

Greetings Wolfgang

cclemmer · ‎10-11-2018

You should not need to whitelist any urls in order for iOS to activate the captive network assist.

What version of ArubaOS are you running on your controller?

Charlie Clemmer
Aruba Customer Engineering

rout86 · ‎10-11-2018

thank you for your answer. controller is a 7210 and firmware is 6.5.4.8 If another solution is better always come with it

cclemmer · ‎10-11-2018

Is it only iOS devices that are unable to detect they are behind a captive portal? Do Android devices detect the portal correctly?

Can you post the output from the following commands:

show aaa authentication captive-portal

show references aaa authentication captive-portal <captive portal profile>

show rights <user-role referencing captive portal profile>

Charlie Clemmer
Aruba Customer Engineering

rout86 · ‎10-11-2018

only problems with ios devices, android devices works correctly

172.16.0.229 is the ip from the external captive portal website

(WLC01) #show aaa authentication captive-portal

Captive Portal Authentication Profile List
------------------------------------------
Name                References  Profile Status
----                ----------  --------------
default             1
ExternalWebserver   1
Presse-cp_prof  1
test-cp_prof    0
VIP-cp_prof     1

(WLC01) #show references aaa authentication captive-portal ExternalWebserver

References to Captive Portal Authentication Profile "ExternalWebserver"
-----------------------------------------------------------------------
Referrer                                   Count
--------                                   -----
user-role "Externalcp" captive-portal  1
Total References:1

(WLC01) #show rights Externalcp

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'Externalcp'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 10
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 IP-Classification Enforcement: Enabled
 ACL Number = 73/0
 Openflow: Disabled
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE
 Captive Portal profile = ExternalWebserver

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                       Type     Location
--------  ----                       ----     --------
1         global-sacl                session
2         apprf-Externalcp-sacl  session
3         logon-control              session
4         allow-external-webserver   session
5         captiveportal              session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedi                                                       a  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-Externalcp-sacl
-------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
logon-control
-------------
Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any                      udp 68                 deny                             Low                                                           4
2         any     any                      svc-icmp               permit                           Low                                                           4
3         any     any                      svc-dns                permit                           Low                                                           4
4         any     any                      svc-dhcp               permit                           Low                                                           4
5         any     any                      svc-natt               permit                           Low                                                           4
6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4
7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4
allow-external-webserver
------------------------
Priority  Source  Destination   Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------   -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    172.16.0.229  svc-http               permit                           Low                                                           4
captiveportal
-------------
Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
2         user    any          svc-http                      dst-nat 8080                           Low                                                           4
3         user    any          svc-https                     dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

cclemmer · ‎10-11-2018

Can you provide one additional output that I negelected to request:

show aaa authentication captive-portal ExternalWebserver

Charlie Clemmer
Aruba Customer Engineering

rout86 · ‎10-11-2018

(WLC01) #show aaa authentication captive-portal ExternalWebserver

Captive Portal Authentication Profile "ExternalWebserver"
---------------------------------------------------------
Parameter                                          Value
---------                                          -----
Default Role                                       authenticated
Default Guest Role                                 guest
Server Group                                       internal
Redirect Pause                                     1 sec
User Login                                         Enabled
Guest Login                                        Disabled
Logout popup window                                Enabled
Use HTTP for authentication                        Enabled
Logon wait minimum wait                            5 sec
Logon wait maximum wait                            10 sec
logon wait CPU utilization threshold               60 %
Max Authentication failures                        0
Show FQDN                                          Disabled
Authentication Protocol                            PAP
Login page                                         http://172.16.0.229
Welcome page                                       http://www.beispiel.de
Show Welcome Page                                  Yes
Add switch IP address in the redirection URL       Disabled
Adding user vlan in redirection URL                Disabled
Add a controller interface in the redirection URL  N/A
Allow only one active user session                 Disabled
White List                                         N/A
Black List                                         N/A
Show the acceptable use policy page                Disabled
User idle timeout                                  N/A
Redirect URL                                       N/A
Bypass Apple Captive Network Assistant             Disabled
URL Hash Key                                       N/A

cclemmer · ‎10-11-2018

Is this SSID an open SSID, or is captive portal running on top of a WPA2 SSID? Curious why the captive portal page is running http and not https in order to secure the portal login from eavesdropping.

If you can run https on your portal, I would suggest modifying the allow-external-webserver policy to add a role allowing https to your portal in addition to http. iOS had started using https probes to check for a portal, so it may be having an issue with the redirect trying to switch from https to http.

Additionally, what is the external captive portal device? I have seen issues come up when the external captive portal was improperly handling the iOS cna probe ... in such a way that the iOS device would not prompt for the portal unless specifically using a browser. In that case though, we were redirecting to an https portal landing page, so it may not be the same issue coming into play here.

Charlie Clemmer
Aruba Customer Engineering

rout86 · ‎10-15-2018

Hello Charlie, so for testing, I´ve created a new SSID (open SSID) with a internal Aruba Mobility Controller Captive Portal page, upload a trusted certificate and test with windows, ios and android devices. Windows and Android devices without problems, ios same problems. no opening captive portal website automatically, manually works.

cclemmer · ‎10-15-2018

What version of iOS?

Charlie Clemmer
Aruba Customer Engineering

Wireless Access

IOS Devices not open Captive Portal Login Page

IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Re: IOS Devices not open Captive Portal Login Page

Follow Us