Captive portal NAC + Apple Devices OSX

  • Problem
  • Updated 2 years ago
  • Solved
Hi there,

we've been setting up a wireless LAN solution with NAC + a couple of IdentiFi controllers.
At the moment we're fine tuning the guest network.

I'm running the latest NAC appliance software and version 9.21.04 on the controllers (5110 + v2110).

Right now I'm concerned with two different problems:

1 - Whenever I try to connect an Apple OSX device, it pops up an error: 

If I ignore the error and go straight to the browser and open a random page then the portal appears and I can register a device. After the registration is successful I end up in problem #2.

2 - On all Apple devices, after the registration is successful the device never renews the IP address and eventually an error is displayed in the portal. If I manually reconnect to the network then it gets the correct IP address.

Any suggestion?

Best Regards,

Tiago

Tiago Molinos


Posted 2 years ago


Ronald Dvorak, Embassador

Hi,

#1 - not sure whether that is the problem, but is "apple.com" removed from the allowed domains?
GUI NAC Manager, Portal Configuration > Network Settings > Allowed Websites > Allowed Domains > remove apple.com

#2 - why does the client need a new IP?
Is the guest role in another VLAN/subnet? If yes, set the DHCP lease in the nonauth Guest VLAN very low so that the client does a renew very often till the client gets the guest role and is in the authenticated-guest VLAN.


I handle it in another way and use the 2nd NIC of the NAC for guest portal access.
I configure the 2nd NIC in the guest VLAN so the client doesn't need to change the VLAN/subnet/IP.

-Ron

Tiago Molinos

Hi Ron,

I removed apple.com as suggested. It still pops up on all Apple iOS devices (great!) but on OSX machines the popup stopped showing. If I open a browser then I'm correctly redirected and the registration can then be concluded.

I need to change the IP for several reasons. One of them is that the guest network is actually a topology group comprised of several different balanced networks; another is that I'm also using the captive portal to do registered guest authentication (for BYOD).
Anyway, your suggestion to set the DHCP lease to a low value seems to work great. I've set the lease to 45 seconds, but I think I'll tune this value in the future. I don't know how the DHCP server will handle the additional load when I go live with the solution.

I think the solution as it is right now is working as expected, except for the non-existent popup in OSX. Is it possible to have it? I added the "apple.com" again and verified that the popup returns... Can't figure out why it says "A problem occurred"...

Thanks for your answer!

BR

Tiago

Joseph Burnsworth

Issue #1: When I do the captive portal (Especially in an environment with apple) I use a DNS named redirect. Instead of using https://1.1.1.1/redirect I use http://GuestAccess.myco.com (you will need to make an "A" record for this). I also make sure that I allow port 53 TCP for the secured DNS hijack. This resolves the issues I have had with Apple redirects.

Issue #2: Are you using NAC to change the Policy to a different VLAN? If so, you would need to make the Unregistered VLAN DHCP lease time very short (30 - 45 seconds). This will allow the iOS devices with sticky leases to renew without any major issues.

Please let us know if this helps. If not, also let us know so that we can further assist you :)

Tiago Molinos

Hi Joseph,

I cannot understand what you mean on #1. Are you referring to Extreme's NAC appliance or a different product?

#2 DHCP changes have indeed solved the problem ;) Thanks for your input!

What I would like to see now is the Captive Portal (NAC) popping up on OSX El Capitan.

Joseph Burnsworth

This is on Extreme Networks Controller and NAC. The external redirect is configured on the Controller. VNS > WLAN Services > <WLAN> > Auth & Acct.

In the redirection URL, I have placed a DNS entry for my NAC appliance. I have an "A" record to point at my NAC appliance. Also, in our controller we allow port 53 TCP for HTTPS/DNS hijacking to assist with the redirect. This has helped us with our redirects tremendously on Apple devices. This has also worked with the latest iOS and OSX.

James A, Embassador

Oh, is this how to use the NAC portal without policy routing on DSCP? That's very useful to know as I'm about to switch to a firewall that's missing that capability. Well, I did ask about it during evaluation, but it can only do it in combination with SNAT which then wouldn't work for the NAC portal.

Joseph Burnsworth

Yes! I have to do this via firewalled interfaces a lot. So if you set up the DNS redirect like this, allow your NAC and DNS (internal DNS and only DNS), then this kicks a portal page without issue. I do it this way every time. Not all of my clients have equipment that has DSCP or PBR capabilities. So this is my resolution to that problem.

Tiago Molinos

Hi!

I've set up the "A" record and the EWC. For now I would say that the only difference is the looks. I really like to have a DNS name instead of an IP. So thanks for the advice!

I haven't been able to make the OSX popup work yet, not even with the DNS name. It still shows the same window I posted on my first post.

Oh, and for the popup to show I have to configure the "apple.com" domain in the allowed domains. If not it doesn't even kick-in.

Tiago

Joseph Burnsworth

I am very happy to have suggested that to you! I forgot one step in my Mac deployments. I'll post it in another comment :)

Joseph Burnsworth

I forgot to mention: enable the auto login under VNS > Global > Client Autologin.

This should help with that. Sorry I forgot to add that above.

Tiago Molinos

That's already enabled. It works for iDevices, Android phones, Windows PCs... It doesn't work on Mac OSX (at least version 10 El Capitan). The popup shows, but with the error on the screenshot in post #1.

Joseph Burnsworth

Is there any way that you could post your "Unregistered" Policy rules?

Tiago Molinos

No problem...

The first two blurred IPs are the IP Addresses of the remediation network on each controller, and the third one is the IP address of the NAC Appliance.

Joseph Burnsworth

One thing that I have run into is that with OSX, for some reason, you have to allow a DHCP client and DHCP server. It looks to me like you have let the server through but not the client, or am I reading this wrong?

Tiago Molinos

Hello,

just a few updates...

The popup now shows even if the "apple.com" allowed domain is removed. The problem is that it still pops up with the error.

I've added a policy for allowing DHCP Client, but it didn't solve the pop up issue.

I'm thinking of involving TAC on this one. I'll let you know how it goes!

Thanks!

Tiago

Joseph Burnsworth

Please do. I have tested with an OSX 10 machine that I have here and I cannot replicate what you have going on. One last question, if I may: when that device is connected, can it resolve apple.com if you try to ping it? I do not expect you to get a ping response, but rather just to resolve the address.

If it does not resolve the IP, then we have a DNS issue and that will cause the problems you are seeing.

Joseph Burnsworth

Were you able to get the issue resolved? If not, let us know so we can assist you further :)

Tiago Molinos

Hi there,
So I've opened a TAC case, and with them we found out a few things not Captive Portal related... It appears to be an OSX-specific issue (and not on all machines). My MacBook doesn't register the DNS server IP address while the popup is open. I've tried going to the terminal and the file /etc/resolv.conf doesn't even exist... doing an nslookup reveals a server pointing to localhost... After closing the popup, resolv.conf appears instantly and opening a browser allows quick access to the captive portal. I've seen other MacBooks connecting using the popup without any issue, so I'm assuming it's an isolated issue.
I've also found a post in another forum with a similar problem...
http://apple.stackexchange.com/questions/170591/wi-fi-through-captive-portal-does-not-connect

Best Regards,

Tiago Molinos
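An added diagnostic for the symptom described in the post above (not from this thread, Extreme's tooling or Apple): it inspects a resolv.conf file and reports whether the file is missing or lists only a loopback resolver, the two states that leave the portal hostname unresolvable while the popup is open. The function name, path argument and return codes are my own assumptions.

```shell
# check_resolv [PATH]: inspect a resolv.conf (default /etc/resolv.conf) and return
#   0 = at least one non-loopback nameserver is configured
#   1 = the file is missing (the "resolv.conf doesn't even exist" symptom)
#   2 = only loopback resolvers (127.x / ::1), so lookups go to localhost
# Run it from a Terminal while the captive-portal window is open, then again
# after closing it, to confirm whether the system resolver is being registered.
check_resolv() {
    f="${1:-/etc/resolv.conf}"
    if [ ! -r "$f" ]; then
        echo "$f: missing - no system resolver is configured"
        return 1
    fi
    # Keep only the address field of each 'nameserver' line; '#' comments,
    # 'search' and 'domain' lines are ignored.
    servers=$(grep -E '^[[:space:]]*nameserver[[:space:]]+' "$f" | awk '{print $2}')
    usable=0
    for s in $servers; do
        case "$s" in
            127.*|::1) ;;      # loopback resolver: nothing answers for the portal name
            *) usable=1 ;;
        esac
    done
    if [ -z "$servers" ] || [ "$usable" -eq 0 ]; then
        echo "$f: only loopback resolvers (${servers:-none}) - portal hostname will not resolve"
        return 2
    fi
    echo "$f: usable resolver(s): $servers"
    return 0
}
```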

Joseph Burnsworth

Curious, what is doing DHCP for these devices? Is it the controller or a separate DHCP server? I have seen this issue when the DNS suffix is not added with the DHCP lease.

Tiago Molinos

Hello, the suffix is added but the problem remains. Still only on my machine, so no real problem now...

Tiago Molinos

Well, we've started broadcasting our guest network today. It has both Guest Registration and Authenticated Registration.
The Guest Registration has email validation, which is why I'm writing this post. On my iPhone I get the popup, register the equipment and then it asks me for the validation pin. I have to press the home button and open my email client. There I can find the pin.
When I choose the WiFi network I get to the portal again and go straight to the validation page. I insert the pin and get an error stating that I need a valid pin. Cannot access.
If I check the pin on another device while having the popup open then it works. It seems that when I close the portal, the pin loses its validity, but the NAC retains the authentication state?!?

Anyone?

Joseph Burnsworth

I'm assuming you mean on an iOS device. What if you were to double press the home button to select the background process? Does it still fail then?

Tiago Molinos

Well, at least with iOS 9.2 double clicking the home button accesses the background processes but still closes the portal. I've upgraded the NAC and NetSight yesterday to solve the Windows 10 issues (it solved them), so I'm wondering if this was introduced in the upgrade. I'm pretty sure I had this tested before. I don't really like to validate via email address because it implies the guest has a data plan to check his email.

As a side question, do you know if it's possible to disable the popup only on iOS devices? Right now I only know how to disable it globally in the EWC configuration...

Joseph Burnsworth

That is a global-only setting. Sorry.

Tiago Molinos

I've opened a TAC case. I think the solution loses a lot of functionality by disabling the automatic captive portal detection.
With the automatic popup disabled all goes as expected.
Nowadays a normal smartphone user will open apps instead of a web browser. So no access until the web browser is opened...