06-11-2014 09:54 AM
Our campus recently migrated to OpenDNS (paid subscription). Immediately after doing so it essentially broke our captive portal "UMASS" ssid. When we reverted back to our campus DNS servers everything worked once again.
We initially suspected the issue to be with the CP redirect URL, which does not typically resolve because it is local to the controllers. But captive portal should not get to "external" DNS, right? Isn't the mswitch magic essentially a DNS spoof; an internal DNS redirect to the captive portal page on the controller? Why would OpenDNS play a role here?
OpenDNS addresses are not configured on the controllers. Should they be? I don't believe our campus DNS servers are configured on them either.
We received reports that non-iOS devices were affected as well. Still, some devices worked. (cached DNS?).
We also wondered if Apple changed their CNA IPs and we tried to punch explicit holes but after reverting back to our campus DNS and things worked this did not seem to be the issue after all.
We also discovered that if we put the controller's IP in place of the CP URL it works.
06-11-2014 12:18 PM
Check the firewall policy on the initial role (pre-authentication). Are there any rules restricting UDP 53 traffic to internal name server IPs only?
Use dig or nslookup on a client to confirm that DNS resolution works on both internal and public name servers. DNS resolution needs to work in order for clients to get redirected to the captive portal.
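An added helper in the spirit of that reply (example code, not from the thread or from Aruba): it runs dig against each resolver from a pre-auth client and classifies the reply, so a firewall block on UDP 53 (query times out) can be told apart from a name the resolver simply does not know (NXDOMAIN) or a broken resolver (SERVFAIL). The resolver addresses and host names in the run block are placeholders; dig must be installed on the client.

```shell
#!/bin/sh
# classify_dig: read raw `dig` output on stdin and print one word:
#   BLOCKED  - no reply at all (typical when the pre-auth role drops UDP 53)
#   RESOLVED - NOERROR with at least one answer record
#   EMPTY    - NOERROR but zero answers (name exists, no A record)
#   NXDOMAIN - resolver does not know the name (e.g. a controller-local CP URL)
#   SERVFAIL / REFUSED - the resolver answered but could not/would not resolve
classify_dig() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no servers could be reached'; then
        echo BLOCKED
        return 0
    fi
    # dig prints ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ..."
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            if printf '%s\n' "$out" | grep -q 'ANSWER: 0'; then
                echo EMPTY
            else
                echo RESOLVED
            fi ;;
        NXDOMAIN) echo NXDOMAIN ;;
        SERVFAIL|REFUSED) echo "$status" ;;
        *) echo UNKNOWN ;;
    esac
}

# probe RESOLVER NAME: query one resolver for one A record and classify the reply.
# Short timeout and a single try so a blocked resolver is reported quickly.
probe() {
    dig @"$1" "$2" A +time=2 +tries=1 2>&1 | classify_dig
}

# Run with --run from a client in the pre-auth role. Placeholder values:
# replace with the campus resolver, the public resolver in use, and the names
# a client must resolve before the captive-portal redirect can happen.
if [ "${1:-}" = "--run" ]; then
    resolvers="203.0.113.53 198.51.100.53"
    names="captiveportal.example.edu www.example.com"
    for r in $resolvers; do
        for n in $names; do
            printf '%-16s %-28s %s\n' "$r" "$n" "$(probe "$r" "$n")"
        done
    done
fi
```

A BLOCKED result from the public resolver but RESOLVED from the campus one points at the pre-auth firewall rules rather than at DNS itself.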