If you don't see the authentication in ClearPass after the user presses the login button from the ClearPass Guest page, then there is a good chance that your iOS device can't reach/connect/find the login page on the controller (on the FQDN that is installed on the controller). I would try to do a datapath packet capture and see what traffic the device is sending; it should be a DNS request for the controller cert, then the controller should return its own IP, the client should connect on port 443, do SSL negotiation, then post credentials (you can't see that as it's encrypted). Support will probably go through these same steps with you.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
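The sequence described in the reply above (DNS lookup of the portal FQDN, TCP connect on port 443, TLS negotiation), as an added example that is not part of the original post or any Aruba tooling: run from a client on the guest network, it reports the first step that fails. The function name `check_portal`, its parameters and its step labels are assumptions made for illustration.

```python
import socket
import ssl


def check_portal(fqdn, port=443, timeout=5.0, cafile=None):
    """Walk the client-side steps in order; report the first step that fails.

    Hypothetical helper for illustration; step labels are not Aruba terms.
    """
    result = {"fqdn": fqdn, "failed_step": None, "detail": "", "ip": None}

    # Step 1: DNS - the portal FQDN must resolve (normally to the controller).
    try:
        infos = socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result.update(failed_step="dns", detail=str(exc))
        return result
    family, socktype, proto, _, addr = infos[0]
    result["ip"] = addr[0]

    # Step 2: TCP - the client must be able to open port 443 on that address.
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except OSError as exc:
        sock.close()
        result.update(failed_step="tcp", detail=str(exc))
        return result

    # Step 3: TLS - handshake with chain and hostname verification against
    # the local trust store (or an explicit CA bundle passed as cafile).
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
            result["detail"] = "TLS ok, notAfter=" + cert.get("notAfter", "?")
    except ssl.SSLCertVerificationError as exc:
        result.update(failed_step="tls-verify", detail=exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        result.update(failed_step="tls-handshake", detail=str(exc))
    return result


if __name__ == "__main__":
    import sys
    print(check_portal(sys.argv[1]))  # argument: the captive portal FQDN
```

A `tls-verify` result with a detail such as "unable to get local issuer certificate" usually means the server did not send its intermediate CA certificates, which is the chaining question raised further down the thread.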
Original Message:
Sent: Aug 19, 2024 09:08 AM
From: parentch
Subject: Captive Portal issues for Apple iOS devices.
Hi Herman,
I actually don't see anything in ClearPass when the user clicks the Log In button. I see the original MAC auth when they first connect, which pushes back the redirect policy. It's really odd. Any other type of device, Android phone, Windows laptop, etc. works fine on the same AOS 8 AP, Controller, ClearPass, etc...
We have a mixed environment right now. Some of our locations are on Aruba Central with AOS 10 and we cannot replicate the issue at those locations. We did replace the redirect cert about 3 weeks ago (Sectigo cert) but we didn't see the issue till just a few days ago. And that same exact cert is used on the AOS 8 controllers and AOS 10 Central sites.
I have a case opened on it.
Original Message:
Sent: Aug 19, 2024 08:29 AM
From: Herman Robers
Subject: Captive Portal issues for Apple iOS devices.
Please work with TAC, I heard some more issues with Apple devices recently, so they may know what is going on.
In Access Tracker, do you see the actual authentication happen (controller authenticating to ClearPass)? Does that process differ between these iOS devices and a Windows or Android device that does work?
The issue feels like a certificate problem, more specifically the captive-portal certificate installed on the controllers. Is that from a well-known public CA? Has the certificate been correctly 'chained' with intermediate CAs before importing it into the controller?
You mention that it only happens on locations with AOS8 controllers. Do you have other locations where the portal authentication does work? What type of equipment is used in those locations?
------------------------------
Herman Robers
Original Message:
Sent: Aug 15, 2024 01:27 PM
From: parentch
Subject: Captive Portal issues for Apple iOS devices.
Hi Everyone,
I'm suspecting this is an issue with Apple devices themselves. But the last few days, we had a large number of users report that they cannot accept the "Terms of Use" captive portal page on our Guest Network. The page appears, but when the user clicks "Log in", they get dumped back to the login screen. (See attached video). This works fine with Android and Windows devices. (And worked fine with Apple devices before).
These are the symptoms:
- Only impacting Apple iOS devices. Possibly newer and updated devices? Still trying to find a correlation.
- Only impacting locations that have AOS 8 based controllers.
- Not impacting sites that have centrally managed access points.
- Tested with multiple Windows PCs, multiple Android devices. No issues.
- No changes were made that we know of that would cause this.
I currently have a rule in ClearPass that is bypassing the captive portal page for Apple iOS. Wondering if you have seen this? Anyone have any thoughts?