@danW I understand not reading my entire post, it is long and full of caveats. Honestly, the fact we have all spent countless days and hours on this subject is a bit sad, and the problems isn't with Aruba!
Let me qualify that my iOS workaround, I don't feel is a real solution.
Once you accept the captive portal, on iOS, and allow Internet access, the chance that the 'auto-login' option will auto-magicly disappear starts. I found that if I force the session to expire, every 4 hours, triggering a new captive portal, this seems to reduce the change that the iOS 'auto-login' will disappear. This isn't much of a solution, and in reality, would anger users if they have to reauthorize several times a day!
Regardless, if you reboot your iOS device, and it reconnects without having to accept the captive portal, there is still a chance that the 'auto-login' option will disappear. If your iOS device updates the OS while authorized, there seems to be a 100% chance the 'auto-login' option will disappear.
As you've now figured out, the pattern to this issue with iOS, and only long-term solution is to forget the Wi-Fi connection and reconnect.
Original Message:
Sent: Feb 14, 2023 02:36 AM
From: danW
Subject: Apple iOS devices not open Captive Portal Login Page automatically
@devocite I`ve to apologize but I didn't read your first post completely... THANK YOU, it`s a great job you did, in troubleshooting that weird behavior of the iOS devices! When you talk about the "Auto-Login" in the WiFi profile you mean the iOS device?! I´ve tried it out and deleted/ignored the SSID /w captive-portal on my device and when I connected back - voilà - the connectivity check to captive.apple.com takes place and after that immediatly my captive-portal page pops up with no further problems!
so it looks like the cause of the problem in my case is as well == If iOS is continuously connected, without a lapse in Internet access, for an extended period of time, the Auto-Login option is removed from the iOS WiFi profile.
If my understanding is correct, you´ve found/build a workaround which could obviate that from happening in ...the only way I've been able to ensure the option doesn't disappear is to force a captive portal every 4 hours. my I ask you what you exactly mean with that and what you´ve changed in the Clearpass settings?
Original Message:
Sent: Feb 13, 2023 09:29 PM
From: devocite
Subject: Apple iOS devices not open Captive Portal Login Page automatically
I've found that if you allow the Aruba Controller to setup the captive portal Role, ACLs, etc, and your certificate is setup correctly, the controller does a great job of making injecting the captive portal in the middle of everything.
It does help to make sure DHCP option 114 is setup with the FQDN to your captive portal. Also, the URL, in the option 114 must match the certificate name.
Per my earlier post: "An important fact about iOS WiFi handling of Captive Portal:
When an iOS device initially connects to a WiFi and detects Captive Portal, the option Auto-Login is added when WiFi profile created.
This option is what allows the iOS device to detect and display the Captive Portal, for login."
I've found that the the Auto-Login will mysteriously disappear from the iOS WiFi. The only way to fix it is to forget and reconnect.
Original Message:
Sent: Feb 13, 2023 12:01 PM
From: danW
Subject: Apple iOS devices not open Captive Portal Login Page automatically
@Herman Robers and @cordless
I´m dealing also with the issue that "no automatically redirection to the HTTPS hosted captive-portal happens" and when I try to reach out to the internet manually a "certificate warning" pops up!
In my case, I´ve a public signed certificate for the captive-portal and as well the unlikley solution of a private IP-Address as a DNS A Record set on the public Domain-Servers! I´m using an iPhone with Firmware Version 16.3 and all installed browsers are affected... no clue what the cause of the reason is but it`s very annoying what Apple is doing here, because till yet I did`nt find a useful post nor solution on their online sources :(
Original Message:
Sent: Jan 16, 2023 09:56 AM
From: cordless
Subject: Apple iOS devices not open Captive Portal Login Page automatically
Have you seen this - https://developer.apple.com/forums/thread/715416
Seems that Apple changes the behaviour with iOS16
even when you provide an internal DNS Server iOS uses the external for Address Resolution. And External does not know anything about your Captive Portal solution. So the Authentication fails.
Even with the correct Certificate installed. Only solution I found was an DNS redirect by the Firewall to internal DNS or have public DNS Record for your Guest Solution, which is very unlikly.
Original Message:
Sent: Nov 10, 2022 08:39 AM
From: jsanta13
Subject: Apple iOS devices not open Captive Portal Login Page automatically
We had captive.apple.com whitelisted for years to make captive portals work, then they suddenly stopped working last week, in troubleshooting we removed captive.apple.com from the whitelist and it started working again, thinking maybe they made a change to how iOS handles captive portals.
Original Message:
Sent: Jul 20, 2022 04:54 PM
From: Attila S
Subject: Apple iOS devices not open Captive Portal Login Page automatically
Hi Guys!
We would like to implement a guest Captive Portal solution with UAP policy. (with internal custom login page)
I made configurations based on User Guide, solutions works fine on Windows and Android devices (Login Page automatically opens or device alerts user to tap to open page). Apple devices can connect also, but no alert displayed to open Login Page. If a user opens a Safari browser and try to go to any webpage, it redirected to Login Page, but we need this to work automatically.
I made a second guest WLAN with absolute same settings, but default template Captive Portal Login Page was used. If an Apple device connects to the second SSID, Aruba login page is opened automatically.
Based on this experience, I suspect that there might be a problem with the html code of the custom page?
AOS 8.6.0.18
Some outputs:
(wlc01) [mynode] #show aaa authentication captive-portal aguest_cppm_prof
Captive Portal Authentication Profile "aguest_cppm_prof"
--------------------------------------------------------
Parameter Value
--------- -----
Default Role guest
Default Guest Role guest
Server Group default
Redirect Pause 10 sec
User Login Disabled
Guest Login Disabled
Logout popup window Disabled
Use HTTP for authentication Disabled
Logon wait minimum wait 5 sec
Logon wait maximum wait 10 sec
logon wait CPU utilization threshold 60 %
Max Authentication failures 0
Show FQDN Disabled
Authentication Protocol PAP
Login page /upload/custom/aguest_cppm_prof/aguest.html
Welcome page /auth/welcome.html
Show Welcome Page No
Add switch IP address in the redirection URL Disabled
Adding user vlan in redirection URL Disabled
Adding AP's MAC address in redirection URL Disabled
Add a controller interface in the redirection URL N/A
Allow only one active user session Disabled
White List N/A
Black List N/A
Show the acceptable use policy page Enabled
User idle timeout N/A
Redirect URL https://company.com
Bypass Apple Captive Network Assistant Disabled
URL Hash Key N/A
(wlc01) [mynode] #
(wlc01) [mynode] #show references aaa authentication captive-portal aguest_cppm_prof
References to Captive Portal Authentication Profile "aguest_cppm_prof"
----------------------------------------------------------------------
Referrer Count
-------- -----
/sc:user-role "aguest-guest-logon" captive-portal 1
(wlc01) [mynode] #
Thanks!