iPad, CP and CPNA... help?

Been reading about CPNA, which jumps up on detection of CP to allow the user to log in so the device can verify connectivity by retrieving the "Success" page. Users are able to log in to CP, but the "close button" doesn't work, I assume as it is appearing within the CPNA rather than the browser; consequently the connection is terminated.


Connection to Apple therefore needs to be allowed without the need to log in to the CP, and therefore not invoke the CPNA? Once the iPad has then done this, it would then be possible to activate it, then open Safari and be presented with the CP?


I've found this thread:

But can't even find how to enable the DNS server on the GUI!


Figuring it out..  slowly!!


config t
ip name-server
ip domain-name <your company.com>
ip domain-lookup
netdestination apple
name *.apple.com

Can't seem to insert the last line:

name *.apple.com







Re: iPad, CP and CPNA... help?

I've been able to get this working by opening up the test captive portal to essentially go anywhere, as I wasn't having any joy trying to restrict it to the "apple" alias. However, I don't think I've been able to configure this correctly, as it wouldn't accept the last line of code.


Most places I look are wanting me to define an IP/subnet for the destination network, which I very much doubt I'm going to be able to find. I've gone onto the CLI to ping apple.com and it is resolving, so this seems OK, but it won't work unless I have the permit any/any at the top, so something's not quite right somewhere...


Re: iPad, CP and CPNA... help?


  • You're using a setup with Controller having the captive portal.
  • The client you connect to the wireless lands in the guest-logon (or equivalent) role and is given basic network access through the logon-control and captiveportal policies.
  • The client is assigned correct network info (ip/gateway/dns etc).


This CLI command should then do it for you:


conf t

netdestination "apple.com"
name apple.com

ip access-list session "ios-cnafix"
alias "user" alias "apple.com" svc-http permit position 1 queue low


user-role "guest-logon"
access-list session "ios-cnafix" position 1


Basics here are to

  • create the alias for the destination you want to open access for
  • add that alias to a (new) firewall policy
  • add that firewall policy to the logon role which your users land in once connected

Another option I believe should give the same result would be the Walled Garden access (excerpt from 6.1UG, but should work the same in 5.x also):


(host)(config)# conf t

(host)(config)# netdestination "apple.com"
(host)(config)#name apple.com



(host) (config) #aaa authentication captive-portal default
(host)(Captive Portal Authentication Profile "default")#white-list apple.com

(host)(Captive Portal Authentication Profile "default")#!


John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway

Re: iPad, CP and CPNA... help?

Thanks for your assistance.


Failing at the first hurdle again!


conf t

netdestination "apple.com"
name apple.com

"name" isn't a recognised command...


 (config) #netdestination "apple.com"
 (config-dest) #name
% Invalid input detected at '^' marker.

 (config-dest) #?
host                    Configure a single host
invert                  Use all destinations EXCEPT this destination
network                 Configure a subnet
no                      Delete Command
range                   Configure a range of IP addresses

I carried on regardless and saw the config in the GUI, which was the same as I'd tried before, and the CNA still pops up. Domain lookup is enabled and I can ping apple.com, so I know it's resolving from the box OK.


We are using an upstream proxy server, but this info should be getting obtained from the wpad.dat file, which is the first rule in the guest logon policy. I know the wpad file works, as when on "auto" and logged in, I can see connections going through the proxy server...


For sanity testing, I added an "any any permit" rule which worked, so I'm 99.9% sure it is an Aruba FW config issue. I've tried hosting the "success" page on the proxy/DNS server with a static DNS entry resolving apple.com to itself, and successfully tested with the www.apple.com/library/test/success.html, but it still didn't work. I've tried an apple.com destination NAT to the proxy server, hoping to retrieve the "success" page this way, but that didn't work either!
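
Added example, not part of the thread or of any Aruba or Apple code: a small check to run from a client sitting in the logon role, showing whether the probe for the "Success" page is answered, intercepted by the captive portal, or dropped by the firewall policy. The probe URL is the one quoted above; matching on the page title and the sample responses are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

# Probe URL as quoted in the thread; matching on the "Success" title is an assumption.
PROBE_URL = "http://www.apple.com/library/test/success.html"

# Constructed sample responses (status, headers, body), not captured traffic.
SAMPLES = {
    "whitelisted": (200, {}, "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    "redirected": (302, {"Location": "https://portal.example/login"}, ""),
    "portal page": (200, {}, "<html><title>Guest login</title></html>"),
    "dropped": (None, {}, ""),
}


def classify(status, headers, body):
    """Return (verdict, detail): open, captive (intercepted) or blocked (no answer)."""
    if status is None:
        return ("blocked", "no HTTP response")
    headers = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        return ("captive", "redirected to " + headers.get("location", "?"))
    if status == 200 and "<title>success</title>" in body.lower():
        return ("open", "success page returned")
    return ("captive", "HTTP %d with unexpected body" % status)


def probe(url=PROBE_URL, timeout=5):
    """Fetch the probe URL once, without following redirects, and classify it."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()), resp.read(4096).decode("latin-1"))
    except (OSError, http.client.HTTPException) as exc:  # timeout, reset, DNS failure
        return ("blocked", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", classify(*sample))
    print("live ->", probe())
```

A "captive" or "blocked" verdict before login, with the apple.com rule in place, points at the session ACL not matching the probe rather than at DNS.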


