Security

Anyone doing mac-auth with an open SSID on a CiSCO WLC with a captive portal on Mac failure. We have a Cisco WLC.

We can get mac-auth working and authentication with the local web auth service but when we combine both so we have mac filter with a web policy on Mac failure. It doesn't work well on iOS devices. Windows pcs work okay but iPads and iPhones are not user friendly.

All works well on aruba controller.

Thanks

IOS devices behave differently for the captive portal authentication after you upgrade to IOS 6.0.  they will try communicating to apple.com and will expect a message "success" over html. 

 

MY 2 cents :)

 

But if its something thats not working in Cisco WLC, i recomend to contact CISCO tac. 

 

I sent you a PM but thought I'd post here for others as well.

 

vkumaar is correct, they try to do a lookup on www.apple.com, but I'm blocking Web Traffic to anything except my CP-Guest Server, so I believe its simply a DNS lookup and ICMP response to the clients.  You can do a couple things, you can add an IP Address for Apple's Website into your Pre-Authentication ACL, or, My suggestion, would be to add the following lines to the same ACL:

 

 

Doing this took care of all my Captive Portal Apple issues. 

I know, with the old Amigopod, you could add a "/landing.php?/" to the front of your registration page link, and it would Bypass the Apple portion of the captive portal.  I have not tried it lately so I do not know if that is still being used with the newer versions of Clearpass Guest.  When I move to Clearpass 6.2 in the coming months, I might look at it again.  Any developers know for sure if this still is the case with CP 6.2 and up?