Captive Portal behavior could be better

I noticed last night that one of my favorite watering holes had added a captive portal to the free WiFi.
It took me a while to figure out what was going on, though, because I tried to use Maps first. So, I had good WiFi signal strength, but nothing was happening.
It was only when I opened Safari and got redirected to a login that I figured it out.
I'm not sure what Apple could do about this to detect this. (connect to a site at apple, and pop a warning if they don't get the expected content? Would a DNS lookup be enough?)
But, if you have good signal and maps (or any of the other widgets) don't work, open Safari and take a look.

Helpful find... A real time saver for some, it seems...

Similar Messages

  • WRT54G Bridges, VPN's, Captive Portals, etc. (Advanced FAQ)

    These questions are only in relation to the above Wireless Router (v6, FW-v1.02 [2010]) :
    1. What is an Ethernet Bridge (the basic authoritative definition), and besides gaming, what are they generally used for in a business setting?
    2. What are VPN settings in a Router used for, and can a VPN be configured on a remote PC without them?
    3.  Utilizing bridging, etc., can I utilize my WRT54G as a makeshift Range Expander as long as the primary router doesnt have WEP key requirements?  The current WIFI doesnt reach my PC, so I thought I could configure my router midway in hopes of extending the other routers' signal, via some kind of bridging if necessary.  Naturally, there would only be a wireless connection between routers.
    4.  How can I setup a simple Captive Portal on this router?
    If more expedient, provide any definitive links to answer these questions, preferrably at Cisco sites.  Thanks.

    Re 1. Where did you find this? The WRT is switch not a bridge. Technically, the switch does the same as the bridge, only better. It connects two or more ethernet segments and joins them into a single ethernet network.
    Re 2. The VPN settings are used when you have VPN connections running through the router (i.e. not as endpoint). If it's possible to connect without them depends on the kind of VPN you are trying to establish. Some will work and some won't unless you have enabled the corresponding passthrough.
    3. ethernet bridging and wireless bridging are completely different things. The WRT won't connect wirelessly to other routers.
    4. You can't.

  • Anyconnect 3.1 Captive Portal False Alert Stops Users Connecting.

    Hi All,
    I am having problems with a customer's ASA 5505 with Anyconnect 3.1 - it is generating captive portal false-alerts which are stopping users from connecting.
    This issue began when I upgraded from Anyconnect 2.4 to 3.1, and it appears like this: A user downloads and installs the Anyconnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below.
    "The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
    Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case as there is nothing of the sort here. Apparently, Anyconnect 3.1 can generate a false alert like so if the name of the firewall's SSL certificate doesn't match the CName listed on the Client Profile. I've set this up to match, to no avail.
    Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the Anyconnect client.
    Any advice would be appreciated, just let me know what extra details to post if needed.
    Many thanks,
    Josh Campbell

    Hi Joshua,
    The below information could be located at
    www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac03vpn.html
    False Captive Portal Detection
    AnyConnect can falsely assume it is in a captive portal in the following situations.
    •If AnyConnect attempts to contact an ASA with a certificate containing an incorrect server name (CN), then the AnyConnect client will think it is in a "captive portal" environment.
    To prevent this, make sure the ASA certificate is properly configured. The CN value in the certificate must match the name of the ASA server in the VPN client profile.
    •If there is another device on the network before the ASA, and that device responds to the client's attempt to contact an ASA by blocking HTTPS access to the ASA, then the AnyConnect client will think it is in a "captive portal" environment. This situation can occur when a user is on an internal network, and connects through a firewall to connect to the ASA.
    If you need to restrict access to the ASA from inside the corporation, configure your firewall such that HTTP and HTTPS traffic  to the ASA's address does not return an HTTP status. HTTP/HTTPS access to the ASA should either be allowed or completely  blocked (also known as black-holed) to ensure that HTTP/HTTPS requests sent
    There is also a bug filed for this. Just for your reference,
    CSCud17825 - Anyconnect captive portal
    Regards,
    Srikanth K S.

  • ISE captive portal timeouts and radio policy

    Hello!
    I have two questions.
    First, have some of you guys worked with the captive portal in ISE (guestportal)?
    I have set up a new wireless network for a customer and they want to use the guest portal for som users.
    The problem that I am expering is that on a particular site with many small buildings user complains that they have to reauthenticate using the webportal when moving between the buildnings.
    I have tired extending the idle user timeout on that particular wlan in the cisco 5508, but I still having this problem.
    I would actually like if the user login via the guestportal at the beginning of the work day and after say 4-5 hours they have to reautencitcate.
    And if they loose network connectivity (moving between buildings, iphone/andriod shutting down wifi adapter, etc) they shuld be fine connecting again because they have aldready authecnticated once during the last 4-5 hours.
    Is this possible via the ISE?
    My second question deals with 2.4 and 5 Ghz band.
    I use AP groups on each of my distribution areas. All groups have the same SSID but diffrenet egress interfaces (interfaces groups).
    And in some of these I want to save the 5 GHz band for voice over wlan and in others i would like to use both bands.
    Do I have to create diffrent wlan profiles with diffrent radio policys and same SSID or could I do this in the AP group settings using RF-profiles?
    Hope for some help!
    //Simon

    Your first answer  is there is no such option in ISE till now there you can specify the login time fix for a client. If the client disconnect from the network and reconnect again, it require re-authentication Every time.
    2nd : You can use the AP group settings using RF-profiles to achieve this task.1st: There is no such option in ISE till now there you can specify the login time fix for a client. If the client disconnect from the network and reconnect again, it require re-authentication Every time.
    your seconde answer : You can use the AP group settings using RF-profiles to achieve this task.

  • Allowing Airwatch MDM access to the Captive-Portal guest users in pre-auth role for android and BB?

    Requirement:
    How to allow Airwatch MDM access to the Captive-Portal guest users in pre-authentication role for Android and Blackberry devices?
    What is Airwatch MDM?
    Airwatch MDM is Mobile Device Management. The Airwatch is an enterprise which helps to manage and secure data traveling through the mobile devices like Laptops, Tablets, Android, iPhones, iPads etc.
    Solution:
    Why we need to allow access to Airwatch MDM?
    The network administrator can force the guest users to register to Airwatch MDM before they get authenticated and access the internet. So that the network administrator could manage the guest devices through Airwatch Management tool. This can be achieved by CPPM server. To download the Airwatch MDM app and register with the Airwatch MDM server certain domains should be permitted in the captive portal pre-authentication role. This KB provides the configuration steps to allow the guest users to download the Airwatch MDM app and register with the Airwatch MDM server.
    Configuration:
    Below is the configuration
    Configuration steps:
    1. Create the following netdestinations
    netdestination Airwatch
      name *.awagent.com
      name *.awmdm.com
      name air-watch.com
    netdestination Google-Play
      name android.clients.google.com
      name .ggpht.com
      name gstatic.com
      name accounts.google.com
      name clients1.google.com
      name clients2.google.com
      name clients3.google.com
      name clients4.google.com
      name i.ytimg.com
      name google-analytics.com
      name .1e100.net
      name android.l.google.com
      name mtalk.google.com
      name clients.l.google.com
      name googleapis.com
      name gvt1.com
    netdestination BlackBerry
      name *.blackberry.com
    2. Now define the rules in the session acl and map it to the pre-authentication Role of the captive portal.
    ip access-list session Airwatch_Access
      any   alias Airwatch svc-http  permit
      any   alias Airwatch svc-https  permit
    ip access-list session Google-Play-Store
                   any   alias Google-Play any permit
    ip access-list session BlackBerry-Access
                   any   alias BlackBerry any permit
    3. Now map the session ACLs to captive-portal pre-authentication Role as follows
    user-role Guest-Pre-Auth-Role
     access-list session Airwatch_Access
     access-list session Google-Play-Store
     access-list session BlackBerry-Access
     access-list session logon-control
     access-list session captiveportal
    4. Now whitelist the list of domain names in the Captive Portal profle
    aaa authentication captive-portal Airwatch-Captive-Portal-Profile
    white-list Airwatch
    white-list Google-Play                                                                                ------------>Netdestinations where you defined the Domains.
    white-list BlackBerry
    Verification
    Now the user will be placed under the "Guest-Pre-Auth-Role" before the authentication. The user can now go the Google Play-Store or BlackBerry Appworld to download the Airwatch MDM and register to Airwatch Management Server.

    Thanks so much getting these names listed out. I have been working on this very issue for a few weeks and was basing my firewall rules on IP's. It was not going well. Now access is working and testing can commence!  Thanks,Chris

  • Bug in wifi/wireless connection with captive portal in UK/London ?

    With my macbook pro (10.6.4) & iphone (iOS 4), I do not manage to have an easy connect on free wifi captive portals in London. They all are new connections (unknown networks before).
    * dhcpd lease seems to be instable. I can get wifi connection (with good wifi signal strength) but most of the time get a "non-allocated" lease like 169.254.57.x/24 without any router/dns. A few rare times, the dhcp server give a me a complete ip connection.
    * in the rare case where IP connection could established, I was not redirected to the captive portal. I had to manually enter its address (in my case <IP>:8000, you need to guess) and even after authentication, I can't browse the Internet. In one of my test, I managed to resolve dns entry but can't browse the web.
    I tried during an hour and I couldn't make it on work on my Macbook. work a small time with the iPhone.
    tested in McDo free wifi and Airbox Public Wifi of EasyHotel (Airbox system). also have problem with "Wifi Zone - The Cloud".
    ok in Starbucks and in St Pancras Free Wifi.
    Found these threads which could be related but no real solutions:
    http://discussions.apple.com/thread.jspa?messageID=11875166&#11875166
    This is probably the router's fault but I can't check this.

    Hmm...pretty interesting. What redirection mode did you use for m0n0wall? (http or dns) Have you tried disabling the NAT on the router as well as unchecking the block anonymous internet requests on the security tab?
    I have a similar setup on a T1----media converter----WRT54G setup. Basically, the router was able to get public wan ip addresses on the status page. So do the computers behind it (wired and wireless) but they aren't online. We pinged the three dns numbers on the router, only 1 replied. Now, the ISP has Cisco all-access installed on the converter (quite similar to captive portal) and it shows up on every computer when we try to go online. We open up the browser, it prompts for the authentication. We fill-in the details but still it doesn't go online. Bottom line was we cloned the mac of the main computer and they didn't need to authenticate...but then again it defeats the purpose of the software.
    Also, the router was set as a DHCP server with NAT enabled. I'm thinking that the router's firewall still blocks your computers even when it's already set as a switch. Try to disable the NAT and see if it works.

  • Setting UP Captive Portal ON 5508 WLC

    Dear All,
    I do know that captive portal could be setup on cisco 5508, such that internet users could login as follows:
    Username, password , login duration  etc.
    however i would like to know whether the above configuration would work with just 5508 and MS Active directory.or do we need any other device to achieve this.
    secondly can we upload a customised login web page from which users can login and gain access to the internet ?
    Jude.

    1. i would like to know whether the above configuration would work with just 5508 and MS Active directory
    Yes, you would need to configure an LDAP server on the WLC pointed to your MS AD, binding properly.  Then, make sure your L3 authentication priority is configured to query LDAP first.  This works pretty well in a L3 web-auth scenario, but is limited when using LOCAL EAP
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml
    2. can we upload a customised login web page from which users can login and gain access to the internet ?
    Yes; start by downloading the webauth_bundle.zip for your respective release/platform. 
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1049404

  • Bug - mobile configs in wifi captive portal state

    The default behavior for installing mobile config files is to redirect the user back to the webpage they were on upon installation.  However, in the captive portal state, it directs the user back to the profile page in the settings menu, it should go back to the psuedo browser.  I believe this is a bug and not a security feature.

    The file found here is the communication between this captive portal and Mozilla Firefox as confirmed working, taken using Wireshark. Probably the Pre browser interprets the javascript code incorrectly.

  • Auto pop-up for wispr in any captive portal won't work anymore

    Hi all,
    I really like the captive portal function. I am often at Starbucks, and I like the easy way to accept the user agreement.
    But, since some weeks, the auto pop-up to see the captive portal won't show ... neither Starbucks nor somewhere else!
    At Starbucks ....
    1. I tried to delete the btopenzone WiFi (the provider for Starbucks free WiFi) but nothing changed.
    2. I tried to set up another networking zone, won't help either.
    3. I searched the web, but all I could see is, that there is not really a way to disable it (but changing the website in plist somewhere).... 
    4. I  tried to find a way to just disable or enable it... but was not lucky
    Hope anyone can help me, cause I really like the feature.
    Thanks...
    Michael.

    Hi DelBaero,
    So, it sounds like push notifications are working intermittently. Take a look at the article linked below, not only does it give insight into how notifications work, it also provides some troubleshooting tips that should help.
    iOS: Understanding notifications
    http://support.apple.com/kb/ht3576
    Troubleshooting notifications
    Push notifications require an active Wi-Fi or cellular connection.
    Note: Notifications use Wi-Fi only when a cellular connection is unavailable. Firewalls and proxy servers may affect your ability to receive notifications. For more information, see Unable to use Apple Push Notification service (APNs).
    If you're not receiving notifications for a specific app, try these steps:
    Verify that the app supports notifications.
    After installing an app or restoring a backup to a different iOS device, open the app to begin receiving notifications. If the app requires entering or logging in to an account, you will need to do this before receiving notifications.
    Check Settings > Notification Center to ensure that the app is configured for notifications. If notifications do not appear in the Notification Center, verify that the Notification Center setting for the app is enabled.
    -Jason

  • OCSP through captive portal

    Hi All,
    We recently applied a 3rd party SSL certificate to our 5508 (running 7.0.220.0) to be used for guest web authentication. It's working, however Mac clients are getting invalid certificate messages. This seems to be due to Mac’s default behavior to use OCSP to validate certificates.. Disabling OCSP via the Keychain causes the cert error to go away. I’m wondering if there is any WLC setting that allows OCSP through the captive portal. Thanks for your assistance.
    -Pete

    Pete,
    I have good experience with WLC and I never heard anything about configuring WLC to support OSCP.
    IMHO the issue with the client not with WLC. If you debug traffic (or capture packets) you will probably find that the Mac device is the party that stops responding (or responds with reject) at some point.
    You need to look at the Mac side to be compatible with WLC not the other way.
    Amjad
    Sent from Cisco Technical Support iPad App

  • Restric Access to Captive Portal after successfull authentication

    I have setup a WAP321 with the captive portal activated.
    2 WLAN networks defined, one for the Normal-user and 1 Guest-user access (with captive portal).
    The WAP Management is on its own vlan (vlan 1 ) , network 10.0.0.0 /24
    The Normal network has a different vlan (vlan 14) , network 192.168.14.0/24
    Guest user(s) are on VLAN143 , 172.16.10.0 /24
    So when a guest connects to the wap, the management interface is openend (10.0.0.x), after successfull authentication the user is redirected to a predefined site.
    What i would like to establish is to make it impossible for the Guest-user(s) to access the management portal.
    Defining an acl on the management portal is not possible as i would like to use any ip adres on the Normal Network (192.168.14.0/24).
    unfortunally you can only define 5 Fixed ipaddresses and not a (sub)-network.
    regards
    eddy

    Good morning  Mr. Mulder,
    It it possible to set and access-list on your WAP321 that restrict access from users on the complete network 172.16.10.0/24.
    Let me share with you the information found on guide me section on this forum about this topic.
    I encourage you to make use of this useful tool if you have any other question about configuration on the future.
    http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=c1a32843a14846af8c20a91532c39d16_acl.xml&pid=4&fcid=&fpid=&slnid=6
    Check the section 6, where you could set the configuration using the network 172.16.10.0/24 as source address and 10.0.0.0 /24 as destination.
    hope you find this answer useful, if it was satisfactory for you, please mark the question as Answered.
    Thank you
    Diego Rodriguez.
    Cisco network engineer

  • How to permit Google play store access for captive portal guest users?

    Introduction : There could be occasions when we need to permit Google play store access for guest users, A common example could be a hotel environment where unauthenticated users are allowed to access the hotel website and directed to Google play store to download their Apps.
    Environment : This article applies to all controller models and AOS versions 6.1.3.x and higher.
    Configuration Steps :
    The Google Play app store (play.google.com) is a cloud service, and the addresses it uses may change regularly. This presents a challenge to permit access to those ranges. The current solution is to permit these addresses that are known to be used by the Android Marketplace, as shown here:
    .ggpht.com
    android.clients.google.com
    play.google.com
    The configuration is about creating an alias with the above URL’s and a firewall policy where you can permit traffic to the alias.
    Step 1: Create an Alias
    (Aruba3200XM) #configure t
    (Aruba3200XM) (config) #netdestination Google-Play
    (Aruba3200XM) (config-dest) #name android.clients.google.com
    (Aruba3200XM) (config-dest) #name *.ggpht.com
    (Aruba3200XM) (config-dest) #name play.google.com  
     Step 2: Create the session-based access list.
    (Aruba3200XM) (config) #ip access-list session google-play
    (Aruba3200XM) (config-sess-google-play)#user alias Google-Play any permit
    Step 3: Assign the session-based access list to the guest captive portal pre-auth user role.
    (Aruba3200XM) (config) #user-role guest-logon
    (Aruba3200XM) (config-role) #session-acl google-play position 3
    Verification :
    (Aruba3200XM) #show netdestination
    Name: Google-Play
    Position  Type  IP addr   Mask-Len/Range
    1         name  0.0.0.1   android.clients.google.com
    2         name  0.0.0.2   *.ggpht.com
    3         name  0.0.0.3   play.google.com
    (Aruba3200) #show rights guest-logon
    Derived Role = 'guest-logon'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 6/0
     Max Sessions = 65535
     Captive Portal profile = default
    access-list List
    Position  Name              Type     Location
    1         ra-guard          session
    2         logon-control     session
    3         google-play       session
    4         captiveportal     session
    5         v6-logon-control  session
    6         captiveportal6    session
    google-play
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    1         user    Google-Play  any      permit                           Low                                                           4
    Troubleshooting :
    Make sure ip name-server, ip domain-name and ip domain lookup are configured on the controller.
    Also you must have a PEFNG license to configure or view a destination.

    Thanks so much getting these names listed out. I have been working on this very issue for a few weeks and was basing my firewall rules on IP's. It was not going well. Now access is working and testing can commence!  Thanks,Chris

  • ISA500 Series - Captive Portal

    Hi,
    Is there anyone who have the Captive Portal working properly with a FQDN approved certificate ? I have already installed a approved certifiacte but each time the client is redirected to the Captive Portal default ip address on the ISA router used. Is there any option where it will redirect to a FQDN example the host and domain name of the router - insted of the routers ip adress ?
    Regards
    Tonni

    Hi Tonni, thank you for using our forum, my name is Luis I am part of the Small business Support community. I apologize for your inconvenience, in this case I found an article and I thought that could be helpful in order to configure your Captive Portal.
    http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3458
    I hope you find this answer useful
    Greetings,
    Luis Arias.
    Cisco Network Support Engineer.

  • WAP-321, Captive Portal and Wi-FI repeaters

    Hi,
    So I am currently deploying a Wi-Fi Network based around Cisco WAP-321. I use the CP function with a Radius server to authentify my users. So far so good, when a user connect to one of the AP and uses his credentials, he can login and access Internet without any trouble. But I also use some Wi-Fi repeaters (Netgear WN-1000RP) to extend the range of my wireless network in places I can't install an AP. The repeaters effectively extends the range of my network, and I can connect on them without any trouble when the CP is turned off. However, when I turn on the CP, I access the login web page and enter my credentials, but no matter what, I can't login while connected on the repeater. After some research, it looks like I have to manually enter the MAC address in the MAC trough list of the AP. Except such a feature doesn't seem to exist on the WAP-321. I have tried using WDS bridge and Workgroup bridge, but without success, since I think it's only compatible with WAP-321 and WAP-121 devices.
    So I am kind of running out of ideas to make this work, and I would be very grateful if someone could help me out.
    Thanks in advance, do not hesitate to ask me for more informations if needed.

    My name Eric Moyers. I am an Engineer in the Small Business Support Center.
    I am sorry to hear that you are experiencing this issue. 
    While what I am fixing to share is not in any way a great solution, It can be utilized as a workaround.
    With the WAP321, after trying a few different scenarios that didn’t work. I simply created two vlans, leave the Untagged vlan as main vlan and changed the Management vlan to the second. I then attached the guest SSID to the Management VLAN. This allowed me to authenticate to my guest captive portal and get an IP and get out to the internet. The Main SSID still worked normally.
    Now for some caveats:
    Problem: If a wireless client knows the IP of the WAP and the username and password they could get into the WAP.
    Solution: Setup Management Access Control to an IP outside the DHCP scope for that VLAN and have a Strong Password.
    Problem: Management of the WAP321 can only be from an IP on the Management VLAN. (In my case 2)
    Solution: Setup Management Access Control to an IP outside the DHCP scope for that VLAN and have a Strong Password.
    Not the very best solution, but the only workaround I can come up with for now.
    Eric Moyers
    .:|:.:|:. CISCO | Cisco Presales Technical Support | Wireless Subject Matter Expert
    Please rate helpful Posts and Let others know when your Question has been answered.

  • Automatic disconnection from AP when timed out (session or authentication) from captive portal

    Captive portal implementation permits/blocks web traffic. When a user is timed out (authentication & session) it still occupies a channel as seen in the clients list. How can we disconnect a host that is timed out?

    There is NO Failed Authenticated list.These are the only available tabs in the lapac1200Captive Portal Global Configuration  Portal Profiles  Local User  Local Group  Web Customization  Profile Association  Client Information

Maybe you are looking for