Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass IOS CNA "again"

  • 1.  Clearpass IOS CNA "again"

    Posted May 18, 2022 11:52 AM
    Hi,

    I'm very sorry about asking this question again, but I cannot find any "good" response.
    We use a classic ClearPass captive portal; all is going well for Windows, Android, and MacOS Books.

    However, iOS devices do NOT open the CNA when connecting to the SSID.

    I found a post that explains how to "workaround"

    Airheads Community
    Product and Software: This article applies to all Aruba controllers and APs and all ArubaOS versions. Normally, when you implement captive portal for guest users, you need only these ACLs in the initial role: So, when the wireless guest users connect to an open SSID, they fall in the above mentioned Role "Logon" (Initial Role of AAA Profile).

    It works. However, no CNA... People have to open Safari to make it work.
    People will say "my iOS device works in such a public place", so I cannot know what we could do.

    It seems that other captive portals have the same issue.

    Really no way to make CP work with the iOS CNA?

    Regards,

    ------------------------------
    BILLOT Emmanuel
    ------------------------------


  • 2.  RE: Clearpass IOS CNA "again"

    EMPLOYEE
    Posted May 18, 2022 01:39 PM
    At minimum you need a public certificate trusted by Apple on ClearPass and on the Controller that does the initial redirect.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: Clearpass IOS CNA "again"

    Posted May 18, 2022 02:13 PM
    Hi,

    Thanks for replying.
    ClearPass is already configured with a public trusted cert. Controllers too.

    If you mean Trusted CA signed cert (vs self signed). The cert is recognized by the iPad or iPhone when the network connection is made. This might mean that the cert is "good"?

    Regards,

    ------------------------------
    BILLOT Emmanuel
    ------------------------------



  • 4.  RE: Clearpass IOS CNA "again"

    EMPLOYEE
    Posted May 18, 2022 02:25 PM
    The server certificate on the controller and on ClearPass should have been issued by the certificate authorities listed here:  https://support.apple.com/en-us/HT213080

    If that doesn't happen the CNA will not come up.




  • 5.  RE: Clearpass IOS CNA "again"

    Posted May 18, 2022 02:52 PM
    As far as I can see, the cert is known by Apple. (Screen capture)

    So I misconfigured something?

    ------------------------------
    BILLOT Emmanuel
    ------------------------------



  • 6.  RE: Clearpass IOS CNA "again"

    EMPLOYEE
    Posted May 18, 2022 08:45 PM
    Please open a technical support case so they can collect detailed information and get to the bottom of your issue.




  • 7.  RE: Clearpass IOS CNA "again"

    Posted May 19, 2022 03:23 AM
    Hi,

    I really don't know how to do this...
    Does it require any support contract? I don't have anyone...

    Regards,

    ------------------------------
    BILLOT Emmanuel
    ------------------------------



  • 8.  RE: Clearpass IOS CNA "again"

    EMPLOYEE
    Posted May 20, 2022 10:21 AM
    Yes, opening a Support Case requires a valid support contract. Your Aruba partner may be able to assist you as well.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: Clearpass IOS CNA "again"

    Posted May 23, 2022 02:07 PM
    Hi,

    I found what was missing: iOS tries to check cert validity by contacting the cert provider's site, or DNS aliases of the sites.
    After "sniffing" all of the DNS requests, I added the sites to the whitelist attached to the profile with "name *.providersite" on Aruba 8.X.

    The last thing is to verify that captive.apple.com or aliases cannot be reached.

    With these parameters, CNA is raised each time.

    I also had a "blacklist" behaviour with a MAC address that was stuck in the endpoint database; after emptying it, all goes well.

    Last thing, the "bypass CNA" option in ClearPass must be removed.

    Regards,

    ------------------------------
    BILLOT Emmanuel
    ------------------------------
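
The fix in post 9, sketched as an added example that is not part of the original thread: derive the pre-auth whitelist from the portal certificate's own OCSP, CRL and issuer URLs plus the DNS aliases seen for them, and confirm no entry lets captive.apple.com through. It assumes a dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`; all hostnames and the CNAME map are constructed sample data.

```python
from fnmatch import fnmatch
from urllib.parse import urlparse

# Keys getpeercert() uses for the URLs a client fetches during validation.
URL_KEYS = ("OCSP", "caIssuers", "crlDistributionPoints")
APPLE_PROBE = "captive.apple.com"

# Constructed sample: certificate dict in getpeercert() shape.
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.example.test"),),),
    "OCSP": ("http://ocsp.ca-provider.example",),
    "caIssuers": ("http://certs.ca-provider.example/intermediate.crt",),
    "crlDistributionPoints": ("http://crl.ca-provider.example/ca.crl",),
}

# Constructed sample: CNAME targets seen in sniffed DNS answers.
SAMPLE_CNAMES = {"ocsp.ca-provider.example": ["ocsp.cdn-alias.example"]}


def revocation_hosts(cert):
    """Hostnames the client may contact to validate this certificate."""
    hosts = set()
    for key in URL_KEYS:
        for url in cert.get(key, ()):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def whitelist_entries(cert, cname_map):
    """Validation hosts plus the DNS aliases observed for them."""
    hosts = revocation_hosts(cert)
    for host in list(hosts):
        hosts.update(alias.lower() for alias in cname_map.get(host, ()))
    return sorted(hosts)


def probe_is_blocked(entries, probe=APPLE_PROBE):
    """True if no entry (exact name or '*.domain') matches the probe."""
    return not any(fnmatch(probe, entry.lower()) for entry in entries)


if __name__ == "__main__":
    entries = whitelist_entries(SAMPLE_CERT, SAMPLE_CNAMES)
    print("\n".join(entries))
    print("captive.apple.com blocked:", probe_is_blocked(entries))
```

Exact hostnames keep the pre-auth role tighter than a `*.providersite` wildcard; intermediate certificates in the chain carry their own URLs and need the same treatment.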