Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

  • 1.  Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

    Posted Aug 04, 2017 06:30 PM

    I have an IAP 115 running code version 6.5.2.0.

    I have set up a captive portal for guest access. I'm using the simple "Internal - Acknowledged" captive portal with all other options disabled (i.e. no proxy, MAC auth, blacklisting, DHCP enforcement or encryption).

    On Windows and Android devices the captive portal is automatically displayed when the device connects to the SSID; however, on Apple devices Apple's CNA is not triggered and the user has to manually launch a browser and attempt to browse to a website to get the captive portal page. This is confusing for many users and causes them to think they have internet connectivity as soon as they connect to the guest SSID.

    Is there a specific configuration setting in the GUI or CLI to get CNA working on Apple devices?

    Thank you!



  • 2.  RE: Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

    EMPLOYEE
    Posted Aug 04, 2017 06:46 PM

    Are you allowing any domains/subnets/IPs in your preauthentication role?



  • 3.  RE: Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

    Posted Aug 04, 2017 06:49 PM

    I don't have a wireless pre-authentication role configured. Just the two default roles, "default_wired_port_profile" and "wired-SetMeUp", are defined along with the guest SSID I created.



  • 4.  RE: Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

    Posted Aug 04, 2017 09:01 PM

    Another point to note:

    My understanding of how CNA works is that when an Apple device connects to a WLAN it tries to connect to captive.apple.com, and if it is unable to connect and receive the "success" message then it believes it is behind a captive portal and the CNA page is displayed.

    I have even tried to create an inbound firewall rule to block captive.apple.com (which resolves to 17.253.25.205) and deny HTTP from that host to all destinations, and CNA is still not triggered.

    I am starting to think that the IAP is somehow spoofing the success page, which is making the iOS device believe it is not behind a captive portal, hence CNA is not activated when joining the guest network.

    Is this by design? I cannot figure out why this will not work... all of the forums talk about options to enable/disable CNA bypass using ArubaOS or ClearPass, but I do not see such an option on Instant! Surely there is a way to fix this?

    Please help.

    Thanks!



  • 5.  RE: Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

    EMPLOYEE
    Posted Aug 04, 2017 09:19 PM

    No, IAP doesn't bypass captive portal connectivity checks. Please open a TAC case.



  • 6.  RE: Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115
    Best Answer

    Posted Aug 16, 2017 08:32 PM

    TAC case was opened and the issue has been resolved. The fix was to install a publicly signed certificate for the captive portal. CNA will not work on IAP with a self-signed certificate.



  • 7.  RE: Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

    Posted Jun 07, 2018 12:39 PM

    Hi everyone!

     

    I have the same issue with Apple devices and Aruba Instant Captive Portal. I think Aruba should fix this issue another way. My enterprise is a small business and we have a POC of Aruba Instant at a client.

    @jndreu wrote:

    TAC case was opened and the issue has been resolved. The fix was to install a publicly signed certificate for the captive portal. CNA will not work on IAP with a self-signed certificate.

    The public certificate should be delivered by Aruba TAC to fix this problem, without users requiring their OWN PUBLIC CERTIFICATE.



  • 8.  RE: Not getting Apple Captive Network Assistant (CNA) page with captive portal on IAP115

    Posted Nov 05, 2019 05:26 PM

    We have this issue in a campus AP environment; am I still required to use a publicly signed cert?

    Do my initial guest role settings look correct?


    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'tog_guest-guest-logon'
    Up BW:No Limit Down BW:No Limit
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Number of users referencing it = 20
    Periodic reauthentication: Disabled
    DPI Classification: Enabled
    Youtube education: Disabled
    Web Content Classification: Enabled
    IP-Classification Enforcement: Enabled
    ACL Number = 96/0
    Openflow: Enabled
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE
    Captive Portal profile = tog_guest-guest-logon_cppm_sg

    Application Exception List
    --------------------------
    Name Type
    ---- ----

    Application BW-Contract List
    ----------------------------
    Name Type BW Contract Id Direction
    ---- ---- ----------- -- ---------

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 global-sacl session
    2 apprf-tog_guest-guest-logon-sacl session
    3 allow-clearpass-guest session
    4 logon-control session
    5 captiveportal session

    global-sacl
    -----------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    apprf-tog_guest-guest-logon-sacl
    --------------------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    allow-clearpass-guest
    ---------------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 any 172.16.100.8 svc-https permit Low 4
    2 any 172.16.100.8 svc-http permit Low 4
    logon-control
    -------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user any udp 68 deny Low 4
    2 any any svc-icmp permit Low 4
    3 any any svc-dns permit Low 4
    4 any any svc-dhcp permit Low 4
    5 any any svc-natt permit Low 4
    6 any 169.254.0.0 255.255.0.0 any deny Low 4
    7 any 240.0.0.0 240.0.0.0 any deny Low 4
    captiveportal
    -------------
    Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
    -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
    1 user controller svc-https dst-nat 8081 Low 4
    2 user any svc-http dst-nat 8080 Low 4
    3 user any svc-https dst-nat 8081 Low 4
    4 user any svc-http-proxy1 dst-nat 8088 Low 4
    5 user any svc-http-proxy2 dst-nat 8088 Low 4
    6 user any svc-http-proxy3 dst-nat 8088 Low 4

    Expired Policies (due to time constraints) = 0
    (homearmc01) [MDC] *#
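As an added example (not code from the thread, from HPE Aruba, or from ClearPass), the Python script below models the two mechanisms the thread turns on: the pre-auth session ACLs from the `show rights` output in the post above, evaluated first-match in their listed position order, and the captive.apple.com connectivity probe described in post 4, classified the way a client would read the reply. The ACL rules are transcribed from the output above; the controller address (`CONTROLLER_IP`), the sample probe responses and the implicit-deny default at the end of the walk are assumptions made for this example.

```python
"""Added example: models the pre-auth logon ACLs and the Apple-style
connectivity probe discussed in this thread. Not code from the thread,
from HPE Aruba, or from ClearPass."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# --- (1) Session ACLs of the pre-auth logon role --------------------------
# Rules transcribed from the 'show rights' output in the post above.
PORTAL_IP = "172.16.100.8"     # ClearPass host in allow-clearpass-guest
CONTROLLER_IP = "10.0.0.1"     # assumed: the output names it only as "controller"


@dataclass
class Rule:
    src: str                      # "user" (the client itself) or "any"
    dst: str                      # "any", "controller", a host IP or a CIDR
    service: str                  # service name as printed, or "any"
    action: str                   # "permit", "deny" or "dst-nat"
    nat_port: Optional[int] = None


LOGON_ACLS: List[Tuple[str, List[Rule]]] = [
    ("allow-clearpass-guest", [
        Rule("any", PORTAL_IP, "svc-https", "permit"),
        Rule("any", PORTAL_IP, "svc-http", "permit"),
    ]),
    ("logon-control", [
        Rule("user", "any", "udp-68", "deny"),
        Rule("any", "any", "svc-icmp", "permit"),
        Rule("any", "any", "svc-dns", "permit"),
        Rule("any", "any", "svc-dhcp", "permit"),
        Rule("any", "any", "svc-natt", "permit"),
        Rule("any", "169.254.0.0/16", "any", "deny"),
        Rule("any", "240.0.0.0/4", "any", "deny"),
    ]),
    ("captiveportal", [
        Rule("user", "controller", "svc-https", "dst-nat", 8081),
        Rule("user", "any", "svc-http", "dst-nat", 8080),
        Rule("user", "any", "svc-https", "dst-nat", 8081),
        Rule("user", "any", "svc-http-proxy1", "dst-nat", 8088),
        Rule("user", "any", "svc-http-proxy2", "dst-nat", 8088),
        Rule("user", "any", "svc-http-proxy3", "dst-nat", 8088),
    ]),
]


def _dst_matches(rule_dst: str, dst_ip: str) -> bool:
    if rule_dst == "any":
        return True
    if rule_dst == "controller":
        return dst_ip == CONTROLLER_IP
    return ip_address(dst_ip) in ip_network(rule_dst, strict=False)


def evaluate(acls, src: str, dst_ip: str, service: str):
    """First match wins, walking the ACLs in their listed order.
    Returns (acl_name, action, nat_port); no match is treated as deny
    (an assumed default for this model)."""
    for name, rules in acls:
        for r in rules:
            if (r.src in ("any", src) and r.service in ("any", service)
                    and _dst_matches(r.dst, dst_ip)):
                return name, r.action, r.nat_port
    return None, "deny", None


# --- (2) The connectivity probe --------------------------------------------
# Body the client expects from the genuine page (the "success" check of post 4).
APPLE_SUCCESS_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"

# Constructed sample responses, not captured traffic.
PROBE_SUCCESS = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 + APPLE_SUCCESS_BODY.encode())
PROBE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: https://172.16.100.8/guest/login.php\r\n\r\n")
PROBE_INTERCEPT = b"HTTP/1.1 200 OK\r\n\r\n<html>Welcome, click Accept</html>"


def parse_http(raw: bytes):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def classify_probe(raw: bytes) -> Tuple[str, Optional[str]]:
    """'open' when the genuine success page came back (CNA stays quiet);
    'captive' when the probe was intercepted, plus the redirect target
    if one was given (that is the URL CNA would open)."""
    status, headers, body = parse_http(raw)
    if status == 200 and body.strip() == APPLE_SUCCESS_BODY:
        return "open", None
    if 300 <= status < 400 and "location" in headers:
        return "captive", headers["location"]
    return "captive", None


if __name__ == "__main__":
    print(evaluate(LOGON_ACLS, "user", "17.253.25.205", "svc-http"))
    print(evaluate(LOGON_ACLS, "user", PORTAL_IP, "svc-https"))
    for sample in (PROBE_SUCCESS, PROBE_REDIRECT, PROBE_INTERCEPT):
        print(classify_probe(sample))
```

Run against the transcribed rules, an unauthenticated client's HTTP probe to captive.apple.com is caught by the `captiveportal` ACL and DST-NATed to port 8080, while HTTPS to the ClearPass host is permitted by `allow-clearpass-guest` before the redirect rules are reached, which is why post 2 asks what the pre-authentication role allows. The `Location` that `classify_probe` returns is an HTTPS URL, and as post 6 found, CNA only renders it when the certificate the portal presents chains to a CA the device trusts; a self-signed certificate is where the original problem sat.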