Cloud Managed Networks

Hello,

We are having issues providing a sensible workflow to a customer for Apple devices connecting to a byod SSID which authenticates against Azure AD. The captive portal does not appear upon connection and Apple users need to instigate a http GET message which is then interrupted and the portal allows them to login. We have been working with Aruba TAC but we still do not seem to be able to get the portal prompting automatically.

My question is - should we enable prevent CNA: on our Web Login form?
My instinct says yes but I have been advised I should not do so.

Is anyone able to give me a definitive answer?

Thanks
Al

Hi 

We are issues MS Azure AD (AAD) Authenticates 802.1x?

Are you trying to authenticate by checking the device during user authentication?

Then you need to update the device information and other contents in XML form in User ID in that Azure AD.

You will need to check with MS Azure engineers for this part.

A lot of things like XML format and other needs happen.

In authentication, integration with Azuer AD must proceed in a different way than with traditional AD.

YouTube video sharing

ClearPass integration (v4) with Intune and Azure AD - Part 1.1 - YouTube


But the version is low, so you need to check

The title says 802.1X, your message describes captive portal login. What are you trying to do?

The Prevent CNA will prevent the automatic popup, which is needed if you want to use ClearPass Onboard to get your clients provisioned for 802.1X. With that option ticket you should not see the automatic popup, which looks to be the opposite of what you want.

For all devices to properly pop up for the captive portal, make sure you are using HTTPS based on a fqdn (not on IP), with public trusted certificates for all steps in the process (like controller/IAP and ClearPass will need to have a trusted certificate). If you see any certificate warnings or HTTP anywhere in the process, it's unlikely that the Apple devices will show the automatic popup.

If you want SSO against Azure AD to work (as the use has already authenticated for other applications), you should do that outside the CNA, in the same (Safari, Chrome, etc) browser that the user is logged into. If you combine 802.1X and Captive portal, I have seen some devices not triggering the popup when on an 802.1X network (just on open/PSK); so that may be happening here as well.

Is your question answered? If not, it may be good if you provide some more context and what you are doing.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: 8/17/2022 6:24:00 AM
From: Herman Robers
Subject: RE: 802.1x authentication to Azure AD

The title says 802.1X, your message describes captive portal login. What are you trying to do?

The Prevent CNA will prevent the automatic popup, which is needed if you want to use ClearPass Onboard to get your clients provisioned for 802.1X. With that option ticket you should not see the automatic popup, which looks to be the opposite of what you want.

For all devices to properly pop up for the captive portal, make sure you are using HTTPS based on a fqdn (not on IP), with public trusted certificates for all steps in the process (like controller/IAP and ClearPass will need to have a trusted certificate). If you see any certificate warnings or HTTP anywhere in the process, it's unlikely that the Apple devices will show the automatic popup.

If you want SSO against Azure AD to work (as the use has already authenticated for other applications), you should do that outside the CNA, in the same (Safari, Chrome, etc) browser that the user is logged into. If you combine 802.1X and Captive portal, I have seen some devices not triggering the popup when on an 802.1X network (just on open/PSK); so that may be happening here as well.

Is your question answered? If not, it may be good if you provide some more context and what you are doing.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

In similar cases, in general the issue is that the redirect that you have on your portal does a redirect over HTTP, or to an IP address. The captive portal redirect should be to an HTTPS URL, and be based on the fqdn for ClearPass where you will need a public trusted certificate.

If you can reproduce the issue from like a Macbook, you can run a tcpdump to see what is going on... client should try to connect to something like http://captive.apple.com/hotspot-detect.html; which should be redirected. If you allow-listed (or blocked) that URL, or ticked the Prevent CNA option in ClearPass, it probably will not popup the mini/login browser.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 17, 2022 04:51 PM
From: Alan Murray
Subject: 802.1x authentication to Azure AD

Thanks Herman,

 

What we are trying to do is to have users log into a BYOD SSID with their personal devices using Azure AD as the authentication source. This is working perfectly for Windows and Android devices. Where we are having difficulty is with Apple devices (iPhones, iPads and MacBooks).

 

When an Apple device connects the SSID shows as Unsecure Network which is expected as it is an open SSID. The user connects to the SSID and it then shows No Internet Access. The pop-up does not appear. If the user then opens a web page (we recommend neverssl.com) then the captive portal page appears and they can log in. We have configured two SSIDs – one of which simply brings up the Azure login page while the other goes to a page on ClearPass which presents a Log in to Microsoft button which they then click on to bring up the Azure login. The second method is working as expected in a lab environment but when we bring it into production we still have to force the captive portal to appear.

 

We have been working with Aruba TAC and our local SE for over a month now and we just don't seem to be able to make any progress.

 

Thanks

Alan

 

Original Message:
Sent: 8/17/2022 6:24:00 AM
From: Herman Robers
Subject: RE: 802.1x authentication to Azure AD

The title says 802.1X, your message describes captive portal login. What are you trying to do?

The Prevent CNA will prevent the automatic popup, which is needed if you want to use ClearPass Onboard to get your clients provisioned for 802.1X. With that option ticket you should not see the automatic popup, which looks to be the opposite of what you want.

For all devices to properly pop up for the captive portal, make sure you are using HTTPS based on a fqdn (not on IP), with public trusted certificates for all steps in the process (like controller/IAP and ClearPass will need to have a trusted certificate). If you see any certificate warnings or HTTP anywhere in the process, it's unlikely that the Apple devices will show the automatic popup.

If you want SSO against Azure AD to work (as the use has already authenticated for other applications), you should do that outside the CNA, in the same (Safari, Chrome, etc) browser that the user is logged into. If you combine 802.1X and Captive portal, I have seen some devices not triggering the popup when on an 802.1X network (just on open/PSK); so that may be happening here as well.

Is your question answered? If not, it may be good if you provide some more context and what you are doing.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------