Using IAP, is it possible to have a guest network that uses MAC auth, without requiring users to interact with a portal when connecting? The goal here is to replicate the configuration of our old WiFi solution so that users won't have to enter new information into their devices or do anything differently.
WLAN "Secure" clients are assigned to VLAN1. There is a single PSK for this WLAN. This is for company-owned devices.
WLAN "Insecure" clients are assigned to VLAN2. There is a different PSK for this WLAN. This is for BYOD.
In addition to the PSK, each WLAN has a set of MACs that are allowed to associate with it. (It would be okay for Secure clients to access the Insecure WLAN, but it would not be acceptable for Insecure clients to access the Secure WLAN. This needs to be enforced at the MAC level since all employees have access to the PSKs. Yes, I am aware that MAC-based filtering isn't the greatest, but it's what I need to have right now.)
So far I've created MAC-based accounts in the internal AAA server for the Secure clients (defined as type "Employee" in the GUI, "radius" in the CLI) and for the Insecure clients ("Guest"/"radius"). Then I created a WLAN of type "Employee" with MAC auth. This is fine--it only allows the Secure clients to associate.
But when I create a WLAN of type "Guest" for the Insecure clients, I have to choose one of the captive portal options before I can select MAC-auth.
In the CLI it's possible to have the necessary combination of options, e.g.:

    wlan ssid-profile "Insecure"
     index 1
     type guest
     essid "Insecure"
     wpa-passphrase REDACTED
     opmode wpa2-psk-aes
     max-authentication-failures 0
     vlan 10
     auth-server InternalServer
     rf-band all
     captive-portal disable
     mac-authentication
     [...]

But I haven't tested whether this works. I'm also concerned that the config could be overwritten by the web admin interface.
Any advice? Would it be possible to create a "dummy" external captive portal config?
Failing that, how can I get the best performance in a simple "Acknowledged" captive portal? What I'm seeing right now is just as bad as what I often get in public free WiFi locations--it takes forever for an iOS device to display the splash page with an "Accept" button.