Guest Access via Captive Portal - problem with page not always appearing

cenders · ‎01-29-2015

I have set up a guest wifi network with an access point on an ethernet port of the PAN firewall. The guest wifi network is unsecured. I am using a web-form to ensure the guests see our logo, terms, and type in the correct password to proceed.

The setup works most of the time. On occasion when using this setup via an Apple iOS device (iPhone, iPad) I don't get the portal page and instead receive an error on the idevice, "Hotspot login cannot open the page because the network connection was lost". I can then only press cancel and it disconnects me from that wifi network. If I hit cancel and try again, the same problem appears. When hitting cancel on this the second time, I get presented with "use without internet or use other network". Now if I click use without internet, and then open Safari and a website I do indeed get the captive portal.

I do not have this problem on any non iOS device (windows laptop, etc).

So, why sometimes does this happen to me? It is not always repeatable on an iOS device. I believe this is because the apple device is trying to initially open an HTTPS page. Does that require me to enable SSL decryption?

hshah · ‎01-30-2015

Hi Cenders,

Sorry about that, please find the solution which I wanted to provide. Let me know if this helps.

"The way to get this to work is to whitelist the Apple URLs meaning exclude the list of Apple URLs that the iPad needs to connect to, from the CP policy

That the ipad can reach its apple specific urls and the user's ipad can work

For other websites, the user's will still have to rely on traditional CP

The way Cisco / Aruba / etc address this through their WLAN authentication is not currently supported in PAN"

Regards,

Hardik Shah

cenders · ‎01-30-2015

tijl,

I like the train of thought there, so I added a no-captive-portal rule in my Captive Portal policies for the CRL and OCSP URLS. Is that the only place I need to add it, or does it also need to be a security rule? I've only added it to Captive Portal policies, above my existing CP rule but no luck. For what its worth, the problem I am having is not consistent. I have an ipad that works most of the time and another one that does not most of the time.

I also can't understand why I'm not seeing something being blocked in the logs while troubleshooting this.

As I've mentioned, this problem only seems to happen after joining the wifi and the CP page auto-opens. If I cancel a few times and say "use without internet", then I can launch Safari, try an HTTP website and the captive portal correctly appears. If I try an HTTPS website initially then nothing loads.

cenders · ‎01-30-2015

If I whitelist all of Apple's "success" URLs, which will cause the device to correctly connect to the WIFI, then if the user never opens Safari (and for example opens the mail client) then I'm guessing that they won't be able to check for mail...

cenders · ‎01-30-2015

Bob, good band-aids but I'm looking for a proper solution. ie: the CP page should open correctly when joining the wifi, plain and simple.

cenders · ‎01-30-2015

I have also tried an SSL Decrypt rule for that traffic and it doesn't work.

Guest Access via Captive Portal - problem with page not always appearing

Guest Access via Captive Portal - problem with page not always appearing

Show your appreciation!