ISE Captive Portal & redundancy

I have a guest SSID configured in my WLC. I also have 2 ISE appliances (Primary/Secondary) that I use to do the web auth on my guest SSID.
In the config of my SSID (Security / Layer 3 / Web Policy), I selected "Web Auth Type: External" and I had to enter the URL of my ISE server. I used the primary ISE but if the primary fails, I have to manually change that URL to the secondary for web auth to continue to work. How can I automate this? Is there a way to configure a virtual IP address (like NAC CAS) for my 2 ISE?
Thanks

The best way around this is to use the central web authentication feature. So that the redirect requests are sent from the ISE node that is available and sends the av-pair to redirect the user.
Have you considered this option?
thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • ISE captive portal timeouts and radio policy

    Hello!
    I have two questions.
    First, have some of you guys worked with the captive portal in ISE (guestportal)?
    I have set up a new wireless network for a customer and they want to use the guest portal for som users.
    The problem that I am expering is that on a particular site with many small buildings user complains that they have to reauthenticate using the webportal when moving between the buildnings.
    I have tired extending the idle user timeout on that particular wlan in the cisco 5508, but I still having this problem.
    I would actually like if the user login via the guestportal at the beginning of the work day and after say 4-5 hours they have to reautencitcate.
    And if they loose network connectivity (moving between buildings, iphone/andriod shutting down wifi adapter, etc) they shuld be fine connecting again because they have aldready authecnticated once during the last 4-5 hours.
    Is this possible via the ISE?
    My second question deals with 2.4 and 5 Ghz band.
    I use AP groups on each of my distribution areas. All groups have the same SSID but diffrenet egress interfaces (interfaces groups).
    And in some of these I want to save the 5 GHz band for voice over wlan and in others i would like to use both bands.
    Do I have to create diffrent wlan profiles with diffrent radio policys and same SSID or could I do this in the AP group settings using RF-profiles?
    Hope for some help!
    //Simon

    Your first answer  is there is no such option in ISE till now there you can specify the login time fix for a client. If the client disconnect from the network and reconnect again, it require re-authentication Every time.
    2nd : You can use the AP group settings using RF-profiles to achieve this task.1st: There is no such option in ISE till now there you can specify the login time fix for a client. If the client disconnect from the network and reconnect again, it require re-authentication Every time.
    your seconde answer : You can use the AP group settings using RF-profiles to achieve this task.

  • ISE Wired captive portal

    I've a new ISE Integration, I've implemented captive portal for wireless and wired guests, for Wireless all is working perfect
    For Wired I can see that ISE put the url captive on the interface of the switch but from the laptop of windows machine, I'm unable to see the link on browser, please advice

    In the same document you have
    Wired NAD Interaction for Central WebAuth
    If your client's machine is hard wired to a NAD, the guest service interaction takes the form of a failed MAB request that leads to a guest portal Central WebAuth login.
    The Central WebAuth triggered by a MAB failure flow follows these steps:
    1. The client connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the client.
    2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a URL-redirect for Central WebAuth user interface.
    3. The NAD is configured to post MAB requests to the Cisco ISE RADIUS server.
    4. The client machine connects and the NAD initiates a MAB request.
    5. The Cisco ISE server processes the MAB request and does not find an end point for the client machine. This MAB failure resolves to the restricted network profile and returns the URL-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an Authorization Policy exists featuring the appropriate "NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions.
    The NAD uses this value to redirect all client HTTP/HTTPS traffic on ports 8080 or 8443 to the URL-redirect value. The standard URL value in this case is:
    https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa.
    6. The client initiates an HTTP or HTTPS request to any URL using the client browser.
    7. The NAD redirects the request to the URL-redirect value returned from the initial access-accept.
    8. The gateway URL value with action CWA redirects to the guest portal login page.
    9. The client enters the username and password and submits the login form.
    10. The guest action server authenticates the user credentials provided.
    11. If the credentials are valid, the username and password are stored in the local session cache by the guest action server.
    12. If the guest portal is configured to perform Client Provisioning, the guest action redirects the client browser to the Client Provisioning URL. (You can also optionally configure the Client Provisioning Resource Policy to feature a "NetworkAccess:UseCase=GuestFlow" condition.)
    Since there is no Client Provisioning or Posture Agent for Linux, guest portal redirects to Client Provisioning, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.
    13. If the guest portal is not configured to perform Client Provisioning, the guest action server sends a CoA to the NAD through an API call. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. If Client Provisioning is not configured and the VLAN is in use, the guest portal performs VLAN IP renew.
    14. With redirection to the Client Provisioning URL, the Client Provisioning subsystem downloads a non-persistent web-agent to the client machine and perform posture check of the client machine. (You can optionally configure the Posture Policy with a "NetworkAccess:UseCase=GuestFlow" condition.)
    15. If the client machine is non-complaint, ensure you have configured an Authorization Policy that features "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=NonCompliant" conditions.
    16. Once the client machine is compliant, ensure you have an Authorization policy configured with conditions "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=Compliant" conditions), From here, the Client Provisioning issues a CoA to the NAD. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access.

  • Is it possible to make the ISE guest server redundant ?

    Hi,
    We've an ISE cluster of two ISE nodes.
    The ISE guest server works fine on the primairy ISE node.
    MAC address of the guest client is set in the map 'GuestDevices' after accepting the AUP policy.
    The the ISE sents the COA and the client authenticates again and is punt in the guest vlan.
    But when the primairy ISE is offline, I see the guest portal AUP page on the secondairy ISE node.
    I can accept the AUP policy, and I get an error message.
    On the secondairy ISE I see that the COA to the switch is sent, to clear the session to the primairy ISE....
    But the COA request should ask to clear the session to the secondairy ISE ( the primairy ISE is offline ).
    Should it be possible to configure the ISE guest functionality redundant in an ISE cluster?
    /SB

    The Guest portal can run on a node that assumes the Policy Services persona when the primary node with Administration persona is offline. However, it has the following restrictions:
    •Self registration is not allowed
    •Device Registration is not allowed
    •The AUP is shown at every login even if first login is selected
    •Change Password is not allowed and accounts are given access with the old password.
    •Maximum Failed Login is not be enforced
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1126706

  • Automatic disconnection from AP when timed out (session or authentication) from captive portal

    Captive portal implementation permits/blocks web traffic. When a user is timed out (authentication & session) it still occupies a channel as seen in the clients list. How can we disconnect a host that is timed out?

    There is NO Failed Authenticated list.These are the only available tabs in the lapac1200Captive Portal Global Configuration  Portal Profiles  Local User  Local Group  Web Customization  Profile Association  Client Information

  • Anyconnect 3.1 Captive Portal False Alert Stops Users Connecting.

    Hi All,
    I am having problems with a customer's ASA 5505 with Anyconnect 3.1 - it is generating captive portal false-alerts which are stopping users from connecting.
    This issue began when I upgraded from Anyconnect 2.4 to 3.1, and it appears like this: A user downloads and installs the Anyconnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below.
    "The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
    Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case as there is nothing of the sort here. Apparently, Anyconnect 3.1 can generate a false alert like so if the name of the firewall's SSL certificate doesn't match the CName listed on the Client Profile. I've set this up to match, to no avail.
    Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the Anyconnect client.
    Any advice would be appreciated, just let me know what extra details to post if needed.
    Many thanks,
    Josh Campbell

    Hi Joshua,
    The below information could be located at
    www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac03vpn.html
    False Captive Portal Detection
    AnyConnect can falsely assume it is in a captive portal in the following situations.
    •If AnyConnect attempts to contact an ASA with a certificate containing an incorrect server name (CN), then the AnyConnect client will think it is in a "captive portal" environment.
    To prevent this, make sure the ASA certificate is properly configured. The CN value in the certificate must match the name of the ASA server in the VPN client profile.
    •If there is another device on the network before the ASA, and that device responds to the client's attempt to contact an ASA by blocking HTTPS access to the ASA, then the AnyConnect client will think it is in a "captive portal" environment. This situation can occur when a user is on an internal network, and connects through a firewall to connect to the ASA.
    If you need to restrict access to the ASA from inside the corporation, configure your firewall such that HTTP and HTTPS traffic  to the ASA's address does not return an HTTP status. HTTP/HTTPS access to the ASA should either be allowed or completely  blocked (also known as black-holed) to ensure that HTTP/HTTPS requests sent
    There is also a bug filed for this. Just for your reference,
    CSCud17825 - Anyconnect captive portal
    Regards,
    Srikanth K S.

  • How to use ISE Guest Portal for AD users

    Hi there,
    As  subject explains all, I want to use ISE Guest Portal for my domain  users. I have tried many different ways to authenticate users and  finally I came to the conclusion that ISE CWA works pretty well and is  very stable. WLC Webauth sucks alot, does not redirect to the login page  always.
    Can  you please share what other ways are stable ways to authenticate AD  users? I know about WPA 802.1x authentication but that requires a CA in  the network which is not available at the moment. So can you please  Suggect?
    Otherwise,  I want to use ISE Guest Portal for my AD users as well. AD is already  integrated to ISE, the issue happens when I attempt to athenticate using  AD user account, the user gets authenticated but the Guest Portal  redirects me to Device Provissioning page and there it shows an error  saying "there is not policy to register the device, contact system  admin"
    Am I missing something??
    I am running WLC 5760 with ISE 1.2
    Thanks in advance..

    Hi,
    Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
    In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Laptop no longer loads Captive Portal following Windows 8.1 upgrade

    Since upgrading to Win 8.1 from Win 8, I no longer see a captive portal displayed whenever I try to connect to a wireless network that requires additional login information.  Some WiFi networks require you to click their Terms and Conditions box
    or add some additional logon information and they splash up a Captive Portal screen to allow you to enter the information.  Without entering this information I receive an IP address for my wireless adapter ok, but end up with a "Limited Internet"
    connection.  Which means I cannot connect to the Internet at all.  This exact same problem has happened to two colleagues of mine that recently upgraded to Windows 8.1 on their laptops.  Any help will be much appreciated.

    Hello Grantlsmith,
    Do you receive any error message when you connect to a wireless network that requires additional login information?
    Or you just connect to the Wi-Fi with limited Internet, and nothing pop up?
    Please take the following steps for troubleshooting:
    1. Please provide the result of the command ipconfig –all
    2. Ping the IP address of URL and check if we can contact.
    3. Type in the URL that can use in Windows 8 and check if we can open the Captive Portal
    Best regards,
    Fangzhou CHEN
    Fangzhou CHEN
    TechNet Community Support

  • Cisco ISE Guest Portal - DNS Issue - External Zone

    Hello,
    I have a customer that has the following sceanrio :
    In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect  URL  from ISE (URL to access the ISE Guest Portal), this URL is based on  the  ISE DNS name, not on its IP address; so, the PC can't resolve  this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided  by the  DHCP server, and, so, it can't access the Guest Portal at all ;
    I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
    cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
    since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
    My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
    Thank-you in advance for your replies.
    Robert C.

    Robert,
    Manual assignment has been made available in ISE 1.2 release.
    M.

  • Infoblox Captive Portal will not pass the "Accept" screen on Iphone or ipad 6.1.2

    I am learning there is an issue with 6.1.2 with Captive Portal services where the latest IOS release will not progress beyond the terms and conditions. The next step in the authentricatoin process is certificate check so it would appear Apple has altered the process?
    We have a lot of users complaining now but only 6.1.2 is affected. I have checked previous version on other devices and there is no issue.
    Thanks
    Ken

    Anyone? C'mom, I know some of you techie type folks know how to fix this!

  • Captive Portal not working correctly

    I've seen issues with our wireless systems on WebOS devices running the latest software. If I try and use the HP Tablets with a captive portal log on. I can put in my creds to login hit submit, but nothing happens. Reviewing a sniff trace of the transaction I see "you have reached this page because you browser does not support standard http redirection commands"
    My concern is most people are probably hitting the same issue based on what I have read thus far.

    I am also having trouble with a captive portal on my school's (UC Berkeley) wifi network.
    I can get to the login page, and enter my credentials, but after hitting "submit," nothing happens.
    The little blue bar loads, and completes, but the page stays the same.
    Any answers to this?

  • Apple TV (2nd gen) Support WiFi Captive Portals?

    I can connect to the WiFi but cannot get to he Internet due to the WiFi captive portal.  My iPhone/iPad connect fine. How can one do this via Apple TV? Btw, the provider doesn't support a MAC ACL. It's browser login or nothing.

    Sorry, AppleTV does not support conncetion via a browser login.

  • Captive portals not triggering on Mavericks

    I frequent locations that require a "I accept your policy, please connect me to wi-fi" screens upon connection, before allowing traffic to leave the local network. Prior to Mavericks, a small browser window would display, prompting me to accept and connect. On Mavericks, I have yet to see one of these.
    Here are some pertinent log entries from Console.app:
    0/31/13 8:31:26.665 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Inactive
    10/31/13 8:32:40.289 AM UserEventAgent[11]: Captive: [CNInfoNetworkActive:1655] en0: SSID 'attwifi' not making interface primary (no cache entry)
    10/31/13 8:32:40.289 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Evaluating
    10/31/13 8:32:40.294 AM UserEventAgent[11]: Captive: en0: Probing 'attwifi'
    10/31/13 8:32:40.316 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:40.492 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:40.657 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:40.842 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:41.126 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:41.514 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:41.927 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:42.520 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:43.201 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:43.945 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:44.827 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:44.827 AM UserEventAgent[11]: Captive: [wispr_detect_http_done:269] Network Error: Failed to retry probe. Giving up after retrying 10 times
    10/31/13 8:32:44.827 AM UserEventAgent[11]: Captive: [CaptiveHandleRedirect:1653] Unknown result value: 8, assuming online
    10/31/13 8:32:44.828 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Authenticated
    10/31/13 10:13:46.955 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Inactive
    10/31/13 10:14:02.663 AM UserEventAgent[11]: Captive: [CNInfoNetworkActive:1655] en0: SSID 'PANERA' not making interface primary (no cache entry)
    10/31/13 10:14:02.663 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Evaluating
    10/31/13 10:14:02.668 AM UserEventAgent[11]: Captive: en0: Probing 'PANERA'
    10/31/13 10:14:02.829 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:03.005 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:03.187 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:03.369 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:03.653 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:04.039 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:04.513 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:05.096 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:05.766 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:06.549 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: [wispr_detect_http_done:269] Network Error: Failed to retry probe. Giving up after retrying 10 times
    10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: [CaptiveHandleRedirect:1653] Unknown result value: 8, assuming online
    10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Authenticated
    Anyone having similar issues, or can point me towards a solution?

    I was able to manually trigger the Captive Portal Assistant and work around the issue. Open up Terminal.app and type:
    open /System/Library/CoreServices/Captive\ Network\ Assistant.app
    After that, I saw the window I was expecting and I was able to click the "I agree" button, and afterwards my Internet was working as expected.

  • Pb to reach ISE Guest portal due to DNS constraints

    I have set up a Guest Portal with WLC 5508 7.4 and ISE 1.1.1 ;
    everything is OK, except one thing :
    the  Guest VLAN, associated to the Guest SSID is, actually, a DMZ behind my  customer firewall and the DHCP parameters provided to the wireless Guest  equipement connected on this VLAN include the public ISP DNS servers  addresses, not the customer internal DNS serveurs addresses;
    this  seems OK since the idea of this Guest SSID is to give a pure Internet  access to the Guests, and no connection at all towards the customer  internal servers;
    the  problem is that, when the wireless guest receives the redictect URL  from ISE (URL to access the ISE Guest Portal), this URL is based on the  ISE DNS name, not on its IP address; so, the PC can't resolve this  internal DNS name by using the ISP DNS servers addresses provided by the  DHCP server, and, so, it can't access the Guest Portal at all ;
    Apart  from changing those DNS values in the DHCP server (the customer does  not accept this solution), how could we solve this problem ?
    I have tried to code manually , in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
    cisco-av-pair=url-redirect=https://192.168.1.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa,
    but, it does not work, since the sessionIdValue variable is not replaced by its real value when sent to the wireless client
    any comment welcomed

    We had the same issue. Our solution was to advertise the internal IP address from our external facing DNS server and let it propagate publicly.  Our ISE box is in a DMZ and the firewall rules do not allow outside traffic to it, however the clients will get the correct internal IP address and since they are already inside the firewall on the DMZ segment they are able to get to the ISE box with the publicly resolved internal IP address.  The other option we entertained was a firewall DNS redirect.  That would work by intercepting the DNS request for that specific URL and return the proper internal IP, all other DNS requests would pass through to the public DNS server.

  • How can I change the re-direct URL on the WebKit for Captive Portals?

    Hi,
    I have a guest network at the office that is configured with a captive portal for authentication. My MBP detects that it is behind a Captive Portal when the HTTP WISPr request fails and launches the WebKit (ie. the CNA) as designed and displays the login page. When the login is successful, the Captive Portal displays a success and the WebKit then proceeds to re-direct the browser to http://www.apple.com
    Of late, Apple's homepage has become graphic rich and more often than not, loading the page without caching (since the webkit does not cache the webpage loaded) loading Apple's homepage on the guest network takes over 30-90 seconds depending on the traffic on the network. The OS does not allow me to use the network till the page on the webkit has successfully loaded and the "Done" button appears on the webkit and this often becomes irritating.
    Is there a method to change the redirect URL to something less resource hungry like http://www.google.com or a less graphic rich Apple page (like http://www.apple.com/library/test/success.html)?
    I understand that there is a method to disable Captive Portal Handling, ie.
    sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -boolean false
    However, I don't want to disable Captive Portal Handling in the OS as I don't believe Apps that require internet access will handle the lack of the internet well.
    Any hints would be appreciated.
    Cheers!

    Hey again,
    I did have a look at it and the Settings.plist file isn't very helpful for the issue I have.
    The file defines the probes and exceptions. So you have the default probe WISPr URL in there (http://www.apple.com/library/test/success.html) and the exceptions for specific SSIDs, as an example, attwifi is in the exception list and uses an alternate probe WISPr URL (http://attwifi.apple.com/library/test/success.html). The configuration does not have parameters that would be used by the CNA for the redirect to http://www.apple.com after a succesful Captive Portal login.
    Give it a shot on your laptop, get to a random public wifi like ATT Wifi/Starbucks/Guest Wifi's at office spaces/Boingo etc. and after the successful login, your CNA Webkit will re-direct to http://www.apple.com and the "Done" button won't appear till the page has completely loaded and stays as "Cancel" till the page is loaded.

Maybe you are looking for