Bypass Apple CNA feature

  • 1
  • Question
  • Updated 7 months ago
  • Answered
Hello, I would like to know exacly how the 'Bypass Apple CNA feature' works i.e does it simply add the Apple Internet connectivity test URLs to a walled garden list ?
Currently I have a Hotspot service with a walled garden list of Android CNA test URLs to prevent mini / pseudo browsers taking control on Andoid devices.
Does the 'Bypass Apple CNA feature' mean that I do not need to manually add the Apple URL's to this Hotspot walled garden list ?
If so, why does Zonedirector not have an 'Android bypass CNA' feature ?
Thank you.
Photo of philip francis

philip francis

  • 57 Posts
  • 0 Reply Likes

Posted 7 months ago

  • 1
Photo of Charles Sprickman

Charles Sprickman

  • 31 Posts
  • 10 Reply Likes
I'm also really curious as to what the use case is on the Apple side?  I generally find that letting the device pop-up a window to gain access to a guest SSID is the most user-friendly method as it doesn't steer them into a slew of SSL/TLS errors...
Photo of philip francis

philip francis

  • 57 Posts
  • 0 Reply Likes
Hello Charles, the purpose is because the mini / pseduo browser that Apple opens when it cannot detect an Internet connection is limited in functionality and will fail if you use a ZoneDirector hotspot that requires redirects etc. Aso they do not support HTML, HTML5, PHP or other embedded video.

My question was not about the use case of Apple CNA bypass, so I still need an answer from someone as to my original question :) Thanks kindly.
Photo of Charles Sprickman

Charles Sprickman

  • 30 Posts
  • 10 Reply Likes
Redirects seem to work for us...

Anyhow, I was hoping to understand it so that if you post a feature request, I could hop on as a second. I'm all for adding useful stuff, and it could be something I need in the future (CNA bypass on Android, Windows, whatever).
Photo of philip francis

philip francis

  • 57 Posts
  • 0 Reply Likes
Hello any response to my original question - perhaps from the Ruckus team ?
(Edited)
Photo of Michael Brado

Michael Brado, Official Rep

  • 3079 Posts
  • 443 Reply Likes
Yes, you can find information about Apple "Captive Network Assistant", that they invented, so not Android/Windows compatible, but maybe workarounds exist for similar function.

KBA-2368:  When should I bypass CNA feature sometimes?
https://support.ruckuswireless.com/articles/000002368


KBA-4638:  Apple devices fail redirect using HTTPS URL in browser
https://support.ruckuswireless.com/articles/000004638

These "smart" phones try to access their company sites to determine if they have Internet connectivity.
The Guest Access and HotSpot WLANs are designed to redirect users to login/Terms&Condition pages
when they open a browser with a homepage URL that is reachable.  CNA breaks this procedure.

You might try "whitelisting" the following sites as a sort of Android/Windows "CNA" type workaround.This list is likely to keep changing too.

To avoid captive network assistants white list the following... 
 
gsp1.apple.com
www.apple.com
apple.com
www.appleiphonecell.com
*.apple.com
www.itools.info
www.ibook.info
www.airport.us
www.thinkdifferent.us
*.apple.com.edgekey.net
*.akamaiedge.net
*.akamaitechnologies.com
ipv6.msftncsi.com
ipv6.msftncsi.com.edgesuite.net
www.msftncsi.com
www.msftncsi.com.edgesuite.net
teredo.ipv6.microsoft.com
teredo.ipv6.microsoft.com.nsatc.net
clients3.google.com
captive.apple.com
 
For Google Play and Amazon Market access to download app
DNS Zones:
Google Play
 
Android.clients.google.com
Android.l.google.com
Ggpht.com
Photos-ugc.l.google.com
 
Amazon App Store
 
Mst-ext.amazon.com
Mas-ext.amazon.com
Images-amazon.com
Amzadsi-a.akamaihd.net
 
Not sure if this next one is needed for this
Dig0kk115kms0.cloudfront.net
 
IP Subnets;  (allow http/https)
Google Play
 
74.125.228.0/24
173.194.7.0/24
173.194.43.0/24
173.194.53.0/24
208.117.224.0/19
208.117.254.0/24
216.12.120.0/24
172.217.0.0/16
239.58.0.0/16
 
Amazon App Store
72.21.0.0/16
184.84.227.3/32 [host]
207.171.162.142/32 [host]
216.137.33.0/24