Skip to main content

66 Messages

 • 

1.2K Points

Thu, May 16, 2019 8:51 PM

Answered

Bypass Apple CNA feature

Hello, I would like to know exacly how the 'Bypass Apple CNA feature' works i.e does it simply add the Apple Internet connectivity test URLs to a walled garden list ?
Currently I have a Hotspot service with a walled garden list of Android CNA test URLs to prevent mini / pseudo browsers taking control on Andoid devices.
Does the 'Bypass Apple CNA feature' mean that I do not need to manually add the Apple URL's to this Hotspot walled garden list ?
If so, why does Zonedirector not have an 'Android bypass CNA' feature ?
Thank you.

Responses

32 Messages

 • 

590 Points

2 years ago

I'm also really curious as to what the use case is on the Apple side?  I generally find that letting the device pop-up a window to gain access to a guest SSID is the most user-friendly method as it doesn't steer them into a slew of SSL/TLS errors...

66 Messages

 • 

1.2K Points

2 years ago

Hello Charles, the purpose is because the mini / pseduo browser that Apple opens when it cannot detect an Internet connection is limited in functionality and will fail if you use a ZoneDirector hotspot that requires redirects etc. Aso they do not support HTML, HTML5, PHP or other embedded video.

My question was not about the use case of Apple CNA bypass, so I still need an answer from someone as to my original question :) Thanks kindly.

32 Messages

 • 

590 Points

Redirects seem to work for us...

Anyhow, I was hoping to understand it so that if you post a feature request, I could hop on as a second. I'm all for adding useful stuff, and it could be something I need in the future (CNA bypass on Android, Windows, whatever).

66 Messages

 • 

1.2K Points

2 years ago

Hello any response to my original question - perhaps from the Ruckus team ?
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

2 years ago

Yes, you can find information about Apple "Captive Network Assistant", that they invented, so not Android/Windows compatible, but maybe workarounds exist for similar function.

KBA-2368:  When should I bypass CNA feature sometimes?
https://support.ruckuswireless.com/articles/000002368


KBA-4638:  Apple devices fail redirect using HTTPS URL in browser
https://support.ruckuswireless.com/articles/000004638

These "smart" phones try to access their company sites to determine if they have Internet connectivity.
The Guest Access and HotSpot WLANs are designed to redirect users to login/Terms&Condition pages
when they open a browser with a homepage URL that is reachable.  CNA breaks this procedure.

You might try "whitelisting" the following sites as a sort of Android/Windows "CNA" type workaround.This list is likely to keep changing too.

To avoid captive network assistants white list the following... 
 
gsp1.apple.com
www.apple.com
apple.com
www.appleiphonecell.com
*.apple.com
www.itools.info
www.ibook.info
www.airport.us
www.thinkdifferent.us
*.apple.com.edgekey.net
*.akamaiedge.net
*.akamaitechnologies.com
ipv6.msftncsi.com
ipv6.msftncsi.com.edgesuite.net
www.msftncsi.com
www.msftncsi.com.edgesuite.net
teredo.ipv6.microsoft.com
teredo.ipv6.microsoft.com.nsatc.net
clients3.google.com
captive.apple.com
 
For Google Play and Amazon Market access to download app
DNS Zones:
Google Play
 
Android.clients.google.com
Android.l.google.com
Ggpht.com
Photos-ugc.l.google.com
 
Amazon App Store
 
Mst-ext.amazon.com
Mas-ext.amazon.com
Images-amazon.com
Amzadsi-a.akamaihd.net
 
Not sure if this next one is needed for this
Dig0kk115kms0.cloudfront.net
 
IP Subnets;  (allow http/https)
Google Play
 
74.125.228.0/24
173.194.7.0/24
173.194.43.0/24
173.194.53.0/24
208.117.224.0/19
208.117.254.0/24
216.12.120.0/24
172.217.0.0/16
239.58.0.0/16
 
Amazon App Store
72.21.0.0/16
184.84.227.3/32 [host]
207.171.162.142/32 [host]
216.137.33.0/24