02-17-2015 01:30 PM - edited 02-17-2015 01:41 PM
I've encountered an interesting behavior that apparently has existed for some Android devices since 4.3 (Jelly Bean). The issue is that some handsets, such as a Samsung Galaxy S5 from Verizon with stock ROM and Android 4.4 KitKat, will disconnect from an SSID if it is behind a captive portal for more than two minutes.
This introduces a significant complication in our ClearPass Onboard process, in which we are using the guest SSID to allow employees to Onboard. The user must connect, launch a browser, hit the captive portal, follow the link to Onboard, pass through our SSO provider (which uses dual factor authentication, making the process even longer), and obtain the certificates and network profile from the QuickConnect app within 2 minutes lest the client automatically disconnect.
I was wondering if anyone knows of any way of tricking the device to think it is not behind a captive portal. This only seems to affect some handsets; a Samsung Galaxy S3 from Virgin Mobile running stock ROM and Android 4.4 (KitKat) did not experience the problem.
We are open to most suggestions; however, one requirement from our security team is that we don't use PEAP for authentication, thus single-SSID Onboarding is not an option. Additionally, we are already using the "landing.php" workaround and have some sites whitelisted on the captive portal profile (adding more is an option if that might fix it).
Obviously this is also a problem for guests who self-register for a guest account.
We are running AOS 6.4.2.x and ClearPass 6.4.x.
Thanks for any suggestions,
02-17-2015 01:38 PM
This will prevent the captive network assistant from popping up but will allow the browser to continue to pass traffic.
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |