Wireless Access

  • 1.  how to manage CNA issues

    Posted Aug 23, 2021 06:24 AM
    Greetings,

    I've seen a lot of posts about CNA (captive network assistant) concerns, and it varies depending on the setup.

    I have installed a publicly signed HTTPS SSL certificate on my ClearPass server with the correct FQDN, DNS, etc. I was able to test Wireless Guest Services with self-registration working smoothly using Win7 and Win10.

    However, I read somewhere that Android devices automatically reach some domain outside the network once connected to the SSID, which then triggers the CNA pop-up. I tried to do the self-registration in the CNA instead of the mobile browser, but I sometimes get portal loops and connectivitycheck.gstatic.com issues, and frequent HSTS errors in the Chrome browser.

    I realized in production that typical guest users tend to self-register using their CNA.

    I'm currently using:
    CPPM 6.9.1
    AOS 8.7

    I also added a whitelist on the L3 auth portal:
    alias onboardgoogleplay (yes, I have a link for onboarding on my portal)

    name android.clients.google.com
    name *googleapis.com
    name *gvt1.com
    name *ggpht.com
    name *googleusercontent.com
    name *gstatic.com
    name clients.l.google.com
    name connectivitycheck.gstatic.com
    name www.google.com

    alias bypassCNA
    name connectivitycheck.android.com
    name msftconnecttest.com
    name *msftconnecttest.com

    May I ask what the recommended config or practice is for this?

    TIA :)

    ------------------------------
    Harvey Ysip
    ------------------------------


  • 2.  RE: how to manage CNA issues

    Posted Aug 24, 2021 09:43 AM
    Most OSes will check a 'known URL' to detect if a captive portal is in place. I believe Android uses connectivitycheck.android.com, Windows devices use msftconnecttest.com, and Apple uses http://www.apple.com/library/test/success.html.

    If you see certificate warnings, it is important to understand the flow and what the client is trying to do. Also, if you are using CNA bypass, it is expected that an HSTS error shows up when users try to go to google/facebook/etc. if you are redirecting HTTPS traffic as well (my personal recommendation is to only redirect port 80, i.e. HTTP, but I know most of the examples redirect HTTPS as well, which is technically not possible).

    The best practice is to only do CNA bypass for Onboarding; but you can achieve the same by using the guest portal with a 'known login' to switch to a non-CNA browser before you start Onboard. Onboard will not work from the CNA, as those browsers lock down, for security reasons, a lot of features that may modify settings, which is exactly what Onboard is expected to do.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
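The 'known URL' probing described in the reply above, as an added example that is not part of the thread and not Aruba or ClearPass code: a small Python tool that parses what a probe returns and classifies it the way the client OS does (genuine answer means "internet is open", a 3xx to the portal or a substituted page means "captive portal", so the CNA opens). The Android and Windows probe hosts are the ones named in the reply; the exact paths, expected status codes and bodies, the ClearPass hostname in the sample redirect, and the sample responses themselves are constructed assumptions.

```python
"""Classify what an OS captive-portal probe sees, the way the client does.

Added example; not code from the thread, Aruba or ClearPass. Each OS fetches a
known URL over plain HTTP and compares the answer with what the real server
sends. A matching answer means "internet is open"; a 3xx to the portal or a
different body means "captive portal" and the CNA pops up. Probe hosts for
Android and Windows are those named in the reply; paths and expected bodies
are assumptions about current OS behaviour.
"""
import urllib.error
import urllib.request

# (probe URL, status the real server returns, text the real server's body contains)
PROBES = {
    "android": ("http://connectivitycheck.gstatic.com/generate_204", 204, b""),
    "windows": ("http://www.msftconnecttest.com/connecttest.txt", 200, b"Microsoft Connect Test"),
    "apple": ("http://www.apple.com/library/test/success.html", 200, b"Success"),
}
# Probes are deliberately plain HTTP: a portal can answer a port-80 request, but
# it cannot redirect an HTTPS request without a certificate/HSTS error.
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split(b" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def classify(os_name: str, status: int, headers: dict, body: bytes) -> dict:
    """Decide what the OS will conclude from one probe response."""
    _, want_status, want_body = PROBES[os_name]
    if status in REDIRECT_CODES and "location" in headers:
        # Controller intercepted port 80 and redirected to the portal: CNA opens.
        return {"state": "captive", "portal": headers["location"]}
    if status == want_status and want_body in body:
        # Genuine answer (e.g. the probe host is whitelisted): OS sees open internet.
        return {"state": "open", "portal": None}
    # A 200 carrying a login page instead of the expected body, or any other
    # answer: the OS still treats this as a captive portal.
    return {"state": "captive", "portal": None}


def classify_raw(os_name: str, raw: bytes) -> dict:
    """Convenience wrapper: classify a raw response captured from the wire."""
    return classify(os_name, *parse_http_response(raw))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx; the Location header is the evidence we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_live(os_name: str, timeout: float = 5.0) -> dict:
    """Run the real probe from this host (needs network; not used by the samples)."""
    url = PROBES[os_name][0]
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, hdrs, body = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        status, hdrs, body = err.code, err.headers, err.read()
    except urllib.error.URLError as err:   # DNS/TCP/TLS failure
        return {"state": "no_connectivity", "portal": None, "error": str(err.reason)}
    headers = {k.lower(): v for k, v in hdrs.items()}
    return classify(os_name, status, headers, body)


# Constructed sample responses (not captures): what a probe sees before
# authentication (redirect to an assumed ClearPass portal), a portal page
# served with 200, and the genuine answers once traffic is allowed.
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://clearpass.example.com/guest/self_reg.php\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_PORTAL_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"<html><body>Guest self-registration</body></html>")
SAMPLE_ANDROID_OPEN = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
SAMPLE_WINDOWS_OPEN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                       b"Microsoft Connect Test")

if __name__ == "__main__":
    for name, raw in [("android", SAMPLE_REDIRECT), ("android", SAMPLE_PORTAL_PAGE),
                      ("android", SAMPLE_ANDROID_OPEN), ("windows", SAMPLE_WINDOWS_OPEN)]:
        print(name, classify_raw(name, raw))
```

Run `probe_live("android")` from a client on the guest SSID before and after self-registration: before, the expected result is "captive" with the portal URL in `portal`; if it still says "captive" after the user has registered, the probe host is still being intercepted and the OS will keep re-opening the CNA, which is what a portal loop looks like from the client side. The probes are plain HTTP on purpose; an HTTPS probe cannot be answered by the controller without the certificate/HSTS error the reply mentions, which is the reason for redirecting port 80 only.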