ISE Wired captive portal

I have a new ISE integration. I've implemented a captive portal for wireless and wired guests; for wireless, everything is working perfectly.
For wired, I can see that ISE puts the captive portal URL on the switch interface, but from the Windows laptop I'm unable to see the link in the browser. Please advise.

In the same document you have
Wired NAD Interaction for Central WebAuth
If your client's machine is hard wired to a NAD, the guest service interaction takes the form of a failed MAB request that leads to a guest portal Central WebAuth login.
The Central WebAuth triggered by a MAB failure flow follows these steps:
1. The client connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the client.
2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a URL-redirect for Central WebAuth user interface.
3. The NAD is configured to post MAB requests to the Cisco ISE RADIUS server.
4. The client machine connects and the NAD initiates a MAB request.
5. The Cisco ISE server processes the MAB request and does not find an end point for the client machine. This MAB failure resolves to the restricted network profile and returns the URL-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an Authorization Policy exists featuring the appropriate "NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions.
The NAD uses this value to redirect all client HTTP/HTTPS traffic on ports 8080 or 8443 to the URL-redirect value. The standard URL value in this case is:
https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa.
6. The client initiates an HTTP or HTTPS request to any URL using the client browser.
7. The NAD redirects the request to the URL-redirect value returned from the initial access-accept.
8. The gateway URL value with action CWA redirects to the guest portal login page.
9. The client enters the username and password and submits the login form.
10. The guest action server authenticates the user credentials provided.
11. If the credentials are valid, the username and password are stored in the local session cache by the guest action server.
12. If the guest portal is configured to perform Client Provisioning, the guest action redirects the client browser to the Client Provisioning URL. (You can also optionally configure the Client Provisioning Resource Policy to feature a "NetworkAccess:UseCase=GuestFlow" condition.)
Since there is no Client Provisioning or Posture Agent for Linux, guest portal redirects to Client Provisioning, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.
13. If the guest portal is not configured to perform Client Provisioning, the guest action server sends a CoA to the NAD through an API call. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. If Client Provisioning is not configured and the VLAN is in use, the guest portal performs VLAN IP renew.
14. With redirection to the Client Provisioning URL, the Client Provisioning subsystem downloads a non-persistent web-agent to the client machine and performs a posture check of the client machine. (You can optionally configure the Posture Policy with a "NetworkAccess:UseCase=GuestFlow" condition.)
15. If the client machine is non-compliant, ensure you have configured an Authorization Policy that features "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=NonCompliant" conditions.
16. Once the client machine is compliant, ensure you have an Authorization Policy configured with the "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=Compliant" conditions. From here, the Client Provisioning issues a CoA to the NAD. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access.

Similar Messages

  • ISE Wired guest portal redirect even after authentication

    Hi
    I have configured both wired and wireless guest authentication via the guest portal. Wireless is working fine; however, when trying with wired, the redirection page keeps coming up even after the user has authenticated.
    I'm not seeing the redirection authorization policy in my logs; I can see only the user authentication logs (successful). Attached is my configuration and logging output.
    Here is what I see on the interface
    ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
                Interface:  GigabitEthernet4/0/19
              MAC Address:  a0b3.ccca.2ab1
               IP Address:  10.1.3.16
                User-Name:  A0-B3-CC-CA-2A-B1
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC14011F000001571E52779F
          Acct Session ID:  0x00000309
                   Handle:  0xE6000158
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    Here is the ACL
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny udp any any eq domain (1344 matches)
        20 deny ip any host 172.20.5.12 (8122 matches)
        30 deny ip any host 172.20.5.14
        40 permit tcp any any eq www (3124 matches)
        50 permit tcp any any eq 443 (202927 matches)
        60 permit tcp any any eq 8080 (114 matches)
        70 permit ip any any (8056 matches)

    Hi Mohannad,
    Thanks for your response.
    Actually, as per the configuration it should work; I'm still trying to find out what has gone wrong with this configuration. In fact, I have tested with a 3560 switch with the same config and it worked. The only difference here is that we used a 2960S switch.
    We need to find out why the next Auth policy is not hitting once user is authenticated.
    Here is the port configuration and the authen status of the port.
    ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
    Building configuration...
    Current configuration : 427 bytes
    interface GigabitEthernet4/0/19
    switchport access vlan 103
    switchport mode access
    switchport voice vlan 135
    authentication event fail action next-method
    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab webauth
    authentication port-control auto
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    end
    ABQT-3FLR-ACC-01#
    Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
    ABQT-3FLR-ACC-01#
    ABQT-3FLR-ACC-01#sh atuh
    ABQT-3FLR-ACC-01#sh atu
    ABQT-3FLR-ACC-01#sh authe
    ABQT-3FLR-ACC-01#sh authentication se
    ABQT-3FLR-ACC-01#sh authentication sessions in
    ABQT-3FLR-ACC-01#sh authentication sessions interface gi
    ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
                Interface:  GigabitEthernet4/0/19
              MAC Address:  0015.c5b4.fd4a
               IP Address:  10.1.3.23
                User-Name:  00-15-C5-B4-FD-4A
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC14011F0000018A32B4D906
          Acct Session ID:  0x00000394
                   Handle:  0x3E00018B
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
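Added example (not part of the thread or of Cisco's documentation): a small Python parser for the `show authentication sessions` and redirect-ACL output posted above, which reports whether a port is still in the Central WebAuth redirect state from steps 5 to 7 of the flow at the top of the page. The sample text is constructed from the posted output with the portal hostname replaced by a placeholder; the function names and finding labels are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample, trimmed from the output quoted in the thread above.
# The portal hostname is a placeholder.
SAMPLE_SESSION = """\
            Interface:  GigabitEthernet4/0/19
          MAC Address:  a0b3.ccca.2ab1
            User-Name:  A0-B3-CC-CA-2A-B1
               Status:  Authz Success
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://ise.example.invalid:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
    Common Session ID:  AC14011F000001571E52779F
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

SAMPLE_ACL = """\
Extended IP access list ACL-WEBAUTH-REDIRECT
    10 deny udp any any eq domain (1344 matches)
    20 deny ip any host 172.20.5.12 (8122 matches)
    30 deny ip any host 172.20.5.14
    40 permit tcp any any eq www (3124 matches)
    50 permit tcp any any eq 443 (202927 matches)
    60 permit tcp any any eq 8080 (114 matches)
    70 permit ip any any (8056 matches)
"""

ACL_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def parse_session(text):
    """Split the session output into 'Key: value' fields and method states."""
    fields, methods, in_methods = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] != "Method":
                methods[parts[0]] = parts[1]
            continue
        key, sep, value = line.partition(":")  # first colon only, URL stays whole
        if sep:
            fields[key.strip()] = value.strip()
    return fields, methods


def diagnose(fields, methods):
    """Return finding labels describing the authorization state of the port."""
    findings = []
    if methods.get("mab", "").startswith("Authc Success"):
        findings.append("authenticated-by-mab")
    url = fields.get("URL Redirect", "")
    if not url:
        return findings  # no redirect applied: not in the CWA redirect state
    query = parse_qs(urlsplit(url).query)
    if query.get("action") == ["cwa"]:
        # The restricted profile with the URL-redirect is what the switch is
        # enforcing. Seen after a guest login, this means the access-accept
        # that should follow the CoA has not replaced it.
        findings.append("redirect-active")
    if query.get("sessionId") != [fields.get("Common Session ID")]:
        findings.append("session-id-mismatch")
    if not fields.get("URL Redirect ACL"):
        findings.append("redirect-without-acl")
    return findings


def parse_redirect_acl(text):
    """In a redirect ACL, permit selects traffic to redirect, deny bypasses it."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            seq, action, spec, hits = m.groups()
            entries.append({"seq": int(seq), "redirect": action == "permit",
                            "match": spec, "hits": int(hits or 0)})
    return entries


if __name__ == "__main__":
    fields, methods = parse_session(SAMPLE_SESSION)
    print(fields["Interface"], diagnose(fields, methods))
    for e in parse_redirect_acl(SAMPLE_ACL):
        print(e["seq"], "redirect" if e["redirect"] else "bypass", e["match"], e["hits"])
```

Run against output captured before and after the guest logs in: a `redirect-active` finding that persists after a successful portal login matches the symptom described in this thread.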

  • ISE captive portal timeouts and radio policy

    Hello!
    I have two questions.
    First, have some of you guys worked with the captive portal in ISE (guestportal)?
    I have set up a new wireless network for a customer and they want to use the guest portal for some users.
    The problem that I am experiencing is that on a particular site with many small buildings, users complain that they have to reauthenticate using the web portal when moving between the buildings.
    I have tried extending the idle user timeout on that particular WLAN in the Cisco 5508, but I am still having this problem.
    I would actually like it if the user logs in via the guest portal at the beginning of the work day and after, say, 4-5 hours they have to reauthenticate.
    And if they lose network connectivity (moving between buildings, iPhone/Android shutting down the wifi adapter, etc.) they should be fine connecting again because they have already authenticated once during the last 4-5 hours.
    Is this possible via the ISE?
    My second question deals with the 2.4 and 5 GHz bands.
    I use AP groups on each of my distribution areas. All groups have the same SSID but different egress interfaces (interface groups).
    And in some of these I want to save the 5 GHz band for voice over WLAN, and in others I would like to use both bands.
    Do I have to create different WLAN profiles with different radio policies and the same SSID, or could I do this in the AP group settings using RF profiles?
    Hope for some help!
    //Simon

    First answer: there is no such option in ISE so far where you can fix the login time for a client. If the client disconnects from the network and reconnects, it requires re-authentication every time.
    Second answer: you can use the AP group settings with RF profiles to achieve this task.

  • Bug in wifi/wireless connection with captive portal in UK/London ?

    With my macbook pro (10.6.4) & iphone (iOS 4), I do not manage to have an easy connect on free wifi captive portals in London. They all are new connections (unknown networks before).
    * dhcpd lease seems to be unstable. I can get a wifi connection (with good wifi signal strength) but most of the time get a "non-allocated" lease like 169.254.57.x/24 without any router/dns. A few rare times, the dhcp server gives me a complete ip connection.
    * in the rare case where an IP connection could be established, I was not redirected to the captive portal. I had to manually enter its address (in my case <IP>:8000, you need to guess) and even after authentication, I can't browse the Internet. In one of my tests, I managed to resolve a dns entry but can't browse the web.
    I tried for an hour and I couldn't make it work on my Macbook. It worked a short time with the iPhone.
    tested in McDo free wifi and Airbox Public Wifi of EasyHotel (Airbox system). also have problem with "Wifi Zone - The Cloud".
    ok in Starbucks and in St Pancras Free Wifi.
    Found these threads which could be related but no real solutions:
    http://discussions.apple.com/thread.jspa?messageID=11875166&#11875166
    This is probably the router's fault but I can't check this.

    Hmm...pretty interesting. What redirection mode did you use for m0n0wall? (http or dns) Have you tried disabling the NAT on the router as well as unchecking the block anonymous internet requests on the security tab?
    I have a similar setup on a T1----media converter----WRT54G setup. Basically, the router was able to get public wan ip addresses on the status page. So do the computers behind it (wired and wireless) but they aren't online. We pinged the three dns numbers on the router, only 1 replied. Now, the ISP has Cisco all-access installed on the converter (quite similar to captive portal) and it shows up on every computer when we try to go online. We open up the browser, it prompts for the authentication. We fill-in the details but still it doesn't go online. Bottom line was we cloned the mac of the main computer and they didn't need to authenticate...but then again it defeats the purpose of the software.
    Also, the router was set as a DHCP server with NAT enabled. I'm thinking that the router's firewall still blocks your computers even when it's already set as a switch. Try to disable the NAT and see if it works.

  • Captive Portal spinner is ultra small

    Please refer to the attachment. Not annoying stuff, but a little strange there.


  • Captive Portal with Wireless Mobility

    Has anyone successfully configured a captive portal/proxy while maintaining their WDS infrastructure?
    We're wanting to make users accept a user agreement before being able to progress to the outside world. We're currently using m0n0wall to accomplish this on our wired network, but with the interesting way that the wireless traffic actually enters the network through the tunnel/loopback int, it's creating some confusion for me.
    Can it be as simple as changing the tunnel source to a VLAN instead of a loopback? Anyone have any insight?

    The Captive Portal is used to control what happens when an application request, layers 5-7, is redirected to Layer 3-4 (i.e. when the destination IP address or port number of a request from an application is changed, and the application layers in the protocol request still have the previous IP address or domain and port number encoded in them). This is analogous to the Network Address Translation (NAT) function performed by a router.
    http://www.cisco.com/en/US/tech/tk722/tk721/technologies_white_paper09186a00801a0c62.shtml

  • Automatic disconnection from AP when timed out (session or authentication) from captive portal

    Captive portal implementation permits/blocks web traffic. When a user is timed out (authentication & session) it still occupies a channel as seen in the clients list. How can we disconnect a host that is timed out?

    There is NO Failed Authenticated list. These are the only available tabs in the lapac1200: Captive Portal Global Configuration, Portal Profiles, Local User, Local Group, Web Customization, Profile Association, Client Information

  • Anyconnect 3.1 Captive Portal False Alert Stops Users Connecting.

    Hi All,
    I am having problems with a customer's ASA 5505 with Anyconnect 3.1 - it is generating captive portal false-alerts which are stopping users from connecting.
    This issue began when I upgraded from Anyconnect 2.4 to 3.1, and it appears like this: A user downloads and installs the Anyconnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below.
    "The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
    Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case as there is nothing of the sort here. Apparently, Anyconnect 3.1 can generate a false alert like so if the name of the firewall's SSL certificate doesn't match the CName listed on the Client Profile. I've set this up to match, to no avail.
    Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the Anyconnect client.
    Any advice would be appreciated, just let me know what extra details to post if needed.
    Many thanks,
    Josh Campbell

    Hi Joshua,
    The below information could be located at
    www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac03vpn.html
    False Captive Portal Detection
    AnyConnect can falsely assume it is in a captive portal in the following situations.
    • If AnyConnect attempts to contact an ASA with a certificate containing an incorrect server name (CN), then the AnyConnect client will think it is in a "captive portal" environment.
    To prevent this, make sure the ASA certificate is properly configured. The CN value in the certificate must match the name of the ASA server in the VPN client profile.
    • If there is another device on the network before the ASA, and that device responds to the client's attempt to contact an ASA by blocking HTTPS access to the ASA, then the AnyConnect client will think it is in a "captive portal" environment. This situation can occur when a user is on an internal network, and connects through a firewall to connect to the ASA.
    If you need to restrict access to the ASA from inside the corporation, configure your firewall such that HTTP and HTTPS traffic to the ASA's address does not return an HTTP status. HTTP/HTTPS access to the ASA should either be allowed or completely blocked (also known as black-holed) to ensure that HTTP/HTTPS requests sent
    There is also a bug filed for this. Just for your reference,
    CSCud17825 - Anyconnect captive portal
    Regards,
    Srikanth K S.

  • Laptop no longer loads Captive Portal following Windows 8.1 upgrade

    Since upgrading to Win 8.1 from Win 8, I no longer see a captive portal displayed whenever I try to connect to a wireless network that requires additional login information. Some WiFi networks require you to click their Terms and Conditions box or add some additional logon information and they splash up a Captive Portal screen to allow you to enter the information. Without entering this information I receive an IP address for my wireless adapter ok, but end up with a "Limited Internet" connection. Which means I cannot connect to the Internet at all. This exact same problem has happened to two colleagues of mine that recently upgraded to Windows 8.1 on their laptops. Any help will be much appreciated.

    Hello Grantlsmith,
    Do you receive any error message when you connect to a wireless network that requires additional login information?
    Or you just connect to the Wi-Fi with limited Internet, and nothing pop up?
    Please take the following steps for troubleshooting:
    1. Please provide the result of the command ipconfig -all
    2. Ping the IP address of URL and check if we can contact.
    3. Type in the URL that can use in Windows 8 and check if we can open the Captive Portal
    Best regards,
    Fangzhou CHEN
    TechNet Community Support

  • Infoblox Captive Portal will not pass the "Accept" screen on Iphone or ipad 6.1.2

    I am learning there is an issue with 6.1.2 with Captive Portal services where the latest IOS release will not progress beyond the terms and conditions. The next step in the authentication process is a certificate check, so it would appear Apple has altered the process?
    We have a lot of users complaining now but only 6.1.2 is affected. I have checked previous version on other devices and there is no issue.
    Thanks
    Ken

    Anyone? C'mon, I know some of you techie type folks know how to fix this!

  • Captive Portal not working correctly

    I've seen issues with our wireless systems on WebOS devices running the latest software. If I try and use the HP Tablets with a captive portal log on. I can put in my creds to login hit submit, but nothing happens. Reviewing a sniff trace of the transaction I see "you have reached this page because you browser does not support standard http redirection commands"
    My concern is most people are probably hitting the same issue based on what I have read thus far.

    I am also having trouble with a captive portal on my school's (UC Berkeley) wifi network.
    I can get to the login page, and enter my credentials, but after hitting "submit," nothing happens.
    The little blue bar loads, and completes, but the page stays the same.
    Any answers to this?

  • Apple TV (2nd gen) Support WiFi Captive Portals?

    I can connect to the WiFi but cannot get to the Internet due to the WiFi captive portal.  My iPhone/iPad connect fine. How can one do this via Apple TV? Btw, the provider doesn't support a MAC ACL. It's browser login or nothing.

    Sorry, AppleTV does not support connection via a browser login.

  • Captive portals not triggering on Mavericks

    I frequent locations that require a "I accept your policy, please connect me to wi-fi" screens upon connection, before allowing traffic to leave the local network. Prior to Mavericks, a small browser window would display, prompting me to accept and connect. On Mavericks, I have yet to see one of these.
    Here are some pertinent log entries from Console.app:
    0/31/13 8:31:26.665 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Inactive
    10/31/13 8:32:40.289 AM UserEventAgent[11]: Captive: [CNInfoNetworkActive:1655] en0: SSID 'attwifi' not making interface primary (no cache entry)
    10/31/13 8:32:40.289 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Evaluating
    10/31/13 8:32:40.294 AM UserEventAgent[11]: Captive: en0: Probing 'attwifi'
    10/31/13 8:32:40.316 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:40.492 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:40.657 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:40.842 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:41.126 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:41.514 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:41.927 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:42.520 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:43.201 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:43.945 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:44.827 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:44.827 AM UserEventAgent[11]: Captive: [wispr_detect_http_done:269] Network Error: Failed to retry probe. Giving up after retrying 10 times
    10/31/13 8:32:44.827 AM UserEventAgent[11]: Captive: [CaptiveHandleRedirect:1653] Unknown result value: 8, assuming online
    10/31/13 8:32:44.828 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Authenticated
    10/31/13 10:13:46.955 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Inactive
    10/31/13 10:14:02.663 AM UserEventAgent[11]: Captive: [CNInfoNetworkActive:1655] en0: SSID 'PANERA' not making interface primary (no cache entry)
    10/31/13 10:14:02.663 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Evaluating
    10/31/13 10:14:02.668 AM UserEventAgent[11]: Captive: en0: Probing 'PANERA'
    10/31/13 10:14:02.829 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:03.005 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:03.187 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:03.369 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:03.653 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:04.039 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:04.513 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:05.096 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:05.766 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:06.549 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: [wispr_detect_http_done:269] Network Error: Failed to retry probe. Giving up after retrying 10 times
    10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: [CaptiveHandleRedirect:1653] Unknown result value: 8, assuming online
    10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Authenticated
    Anyone having similar issues, or can point me towards a solution?

    I was able to manually trigger the Captive Portal Assistant and work around the issue. Open up Terminal.app and type:
    open /System/Library/CoreServices/Captive\ Network\ Assistant.app
    After that, I saw the window I was expecting and I was able to click the "I agree" button, and afterwards my Internet was working as expected.

  • ISE and Guest Portal

    WLC - 7.2.110.0
    ISE - 1.1.1
    I'm new to ISE. I want to set up a very basic method for BYOD users to access our wireless network. I've set up an SSID for external Web Auth, where users get redirected to the ISE Guest Portal: https://1.2.3.4:8443/guestportal/Login.action
    At that screen, users can enter their Active Directory credentials and login. Although the authentication shows as successful under Operations -> Authentications, the user is redirected to the device registration page. On that page they see the message "We are unable to determine access privileges in order to access the network. Please contact your administrator." Their device MAC is listed, and they can enter a description but the "Register" button is greyed out.
    I'm getting overwhelmed with the amount of documentation available as well as the new terminology. I'm familiar with using Windows RADIUS servers, but ISE is very foreign to me now. Is there any documentation to help me understand how access requests are processed?

    As you asked the documents related to ISE and Guest Portal. I am sending you two docs which will help you in this case. Please find the below documents:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

  • How can I change the re-direct URL on the WebKit for Captive Portals?

    Hi,
    I have a guest network at the office that is configured with a captive portal for authentication. My MBP detects that it is behind a Captive Portal when the HTTP WISPr request fails and launches the WebKit (ie. the CNA) as designed and displays the login page. When the login is successful, the Captive Portal displays a success and the WebKit then proceeds to re-direct the browser to http://www.apple.com
    Of late, Apple's homepage has become graphic rich and more often than not, loading the page without caching (since the webkit does not cache the webpage loaded) loading Apple's homepage on the guest network takes over 30-90 seconds depending on the traffic on the network. The OS does not allow me to use the network till the page on the webkit has successfully loaded and the "Done" button appears on the webkit and this often becomes irritating.
    Is there a method to change the redirect URL to something less resource hungry like http://www.google.com or a less graphic rich Apple page (like http://www.apple.com/library/test/success.html)?
    I understand that there is a method to disable Captive Portal Handling, ie.
    sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -boolean false
    However, I don't want to disable Captive Portal Handling in the OS as I don't believe Apps that require internet access will handle the lack of the internet well.
    Any hints would be appreciated.
    Cheers!

    Hey again,
    I did have a look at it and the Settings.plist file isn't very helpful for the issue I have.
    The file defines the probes and exceptions. So you have the default probe WISPr URL in there (http://www.apple.com/library/test/success.html) and the exceptions for specific SSIDs, as an example, attwifi is in the exception list and uses an alternate probe WISPr URL (http://attwifi.apple.com/library/test/success.html). The configuration does not have parameters that would be used by the CNA for the redirect to http://www.apple.com after a successful Captive Portal login.
    Give it a shot on your laptop, get to a random public wifi like ATT Wifi/Starbucks/Guest Wifi's at office spaces/Boingo etc. and after the successful login, your CNA Webkit will re-direct to http://www.apple.com and the "Done" button won't appear till the page has completely loaded and stays as "Cancel" till the page is loaded.
