Restrict Access to Captive Portal after successful authentication

I have set up a WAP321 with the captive portal activated.
Two WLAN networks are defined, one for Normal-user access and one for Guest-user access (with captive portal).
The WAP management is on its own VLAN (VLAN 1), network 10.0.0.0/24.
The Normal network has a different VLAN (VLAN 14), network 192.168.14.0/24.
Guest user(s) are on VLAN 143, 172.16.10.0/24.
So when a guest connects to the WAP, the management interface is opened (10.0.0.x); after successful authentication the user is redirected to a predefined site.
What I would like to establish is to make it impossible for the Guest user(s) to access the management portal.
Defining an ACL on the management portal is not possible, as I would like to use any IP address on the Normal network (192.168.14.0/24).
Unfortunately you can only define 5 fixed IP addresses and not a (sub)network.
regards
eddy

Good morning Mr. Mulder,
It is possible to set an access list on your WAP321 that restricts access from users on the complete network 172.16.10.0/24.
Let me share with you the information found in the Guide Me section of this forum about this topic.
I encourage you to make use of this useful tool if you have any other questions about configuration in the future.
http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=c1a32843a14846af8c20a91532c39d16_acl.xml&pid=4&fcid=&fpid=&slnid=6
Check section 6, where you could set the configuration using the network 172.16.10.0/24 as source address and 10.0.0.0/24 as destination.
Hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered.
Thank you
Diego Rodriguez.
Cisco network engineer
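
The rule suggested in the reply (source 172.16.10.0/24, destination 10.0.0.0/24) can be checked offline before it is applied. The following is an added example, not part of the original posts and not Cisco code: it assumes top-down, first-match rule evaluation with an implicit deny at the end of the list, and the `Rule`, `evaluate` and `audit` names and the sample host addresses are constructed for illustration.

```python
"""Check a guest-side ACL against the addressing plan from the question.

Assumptions (not stated on the page): rules are evaluated top-down, the first
matching rule wins, and traffic that matches no rule is dropped (implicit deny).
"""
import ipaddress
from dataclasses import dataclass

MGMT = "10.0.0.0/24"       # WAP management network, VLAN 1 (from the question)
GUEST = "172.16.10.0/24"   # guest network, VLAN 143 (from the question)


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # CIDR network, or "any"
    dst: str     # CIDR network, or "any"


def _matches(spec, addr):
    """True if addr falls inside the CIDR spec, or the spec is 'any'."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(rules, src, dst):
    """Return the action of the first rule matching (src, dst)."""
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action
    return "deny"  # assumed implicit deny when nothing matches


# Constructed guest flows with the outcome the poster wants for each.
GUEST_FLOWS = [
    ("172.16.10.23", "10.0.0.1", "deny"),        # guest -> management portal
    ("172.16.10.200", "10.0.0.254", "deny"),     # guest -> other management host
    ("172.16.10.23", "203.0.113.10", "permit"),  # guest -> outside (documentation range)
]

# Three candidate ACLs for the guest network.
DENY_ONLY = [Rule("deny", GUEST, MGMT)]
WRONG_ORDER = [Rule("permit", "any", "any"), Rule("deny", GUEST, MGMT)]
FIXED = [Rule("deny", GUEST, MGMT), Rule("permit", "any", "any")]


def audit(rules, flows=GUEST_FLOWS):
    """Return (src, dst, expected, got) for every flow the ACL gets wrong."""
    problems = []
    for src, dst, expected in flows:
        got = evaluate(rules, src, dst)
        if got != expected:
            problems.append((src, dst, expected, got))
    return problems


if __name__ == "__main__":
    for name, acl in (("deny only", DENY_ONLY),
                      ("wrong order", WRONG_ORDER),
                      ("fixed", FIXED)):
        print(name, audit(acl) or "OK")
```

Under these assumptions a lone deny rule also cuts guests off from everything else, and a permit placed first makes the deny unreachable; only the deny-then-permit order gives the behaviour asked for in the question.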

Similar Messages

  • Creating securityContext manually after successful authentication

    Hi,
    We have a requirement to integrate an ADF application with LDAP. We were able to authenticate but we will not get any roles from LDAP. It's just for authentication purposes only.
    So we need to get roles from the DB using the authenticated user id. Is there any way to set the roles in the ADF security context once authenticated and get the roles from the DB, so that I can access roles easily from any page or object using the security context?
    Thanks in advance.
    Regards,
    Satya.

    After authentication, there is no place inside the application where you can set the security context. The security context must be set by the authenticator providers registered in WebLogic.
    See this Re: Creating securityContext manually after successful authentication
    Please provide some details regarding how you are authenticating the users and how you want to pass the authenticated user to WebLogic for deriving roles.
    As your roles reside in the DB, you have two options:
    1. The standard approach is to use the OVD database adapter for getting roles.
    2. If you don't have OVD, then I suggest creating a custom WebLogic MBean authenticator and registering it in the WebLogic security realm as an authentication provider. See this post
    In your case, you have done the authentication part already, so you just need to set the principals for the subject by calling your database logic:
    1. Implement the AuthenticationProvider interface
    2. Implement the LoginModule interface and override the doLogin method. Inside this method call your custom DB logic to fetch roles.
    Edited by: Sachin Saxena on Sep 6, 2012 12:26 PM

  • Trouble accessing a "Captive Portal"

    Recently I was unable to access a WiFi network at a commercial location. Their tech services were baffled because other users were having no trouble at all. They told me that several other Mac users had been unable to log on as well. After I got home I read up on this and found that they were using a Captive Portal to redirect my log on. Googling these terms I find others with Macs asking for help but getting no response. One poster suggested it was a problem that began with an upgrade to Snow Leopard.
    I'm using 10.6.6 and am frustrated with my inability to log in. Can anyone suggest a solution?
    MacTrekker

    I can't say for certain what is going wrong in your case but I can confirm it is possible to do an ARD connection i.e. Screen Sharing to a remote user connected via a VPN. The way we do this is to get the user to connect to the VPN server (a Mac OS X Server), then on the Mac OS X Server in Server Admin see what IP address they have been allocated by the VPN server, then tell ARD Admin to connect to that IP address.
    This works fine for me.
    The IP address will be one that is 'local' to the ARD and VPN machines; it would not be the remote public or private IP address.

  • How to permit Google play store access for captive portal guest users?

    Introduction: There could be occasions when we need to permit Google Play store access for guest users. A common example could be a hotel environment where unauthenticated users are allowed to access the hotel website and are directed to the Google Play store to download their apps.
    Environment: This article applies to all controller models and AOS versions 6.1.3.x and higher.
    Configuration Steps:
    The Google Play app store (play.google.com) is a cloud service, and the addresses it uses may change regularly. This makes it a challenge to permit access to those ranges. The current solution is to permit these addresses that are known to be used by the Android Marketplace, as shown here:
    *.ggpht.com
    android.clients.google.com
    play.google.com
    The configuration consists of creating an alias with the above URLs and a firewall policy that permits traffic to the alias.
    Step 1: Create an Alias
    (Aruba3200XM) #configure t
    (Aruba3200XM) (config) #netdestination Google-Play
    (Aruba3200XM) (config-dest) #name android.clients.google.com
    (Aruba3200XM) (config-dest) #name *.ggpht.com
    (Aruba3200XM) (config-dest) #name play.google.com
    Step 2: Create the session-based access list.
    (Aruba3200XM) (config) #ip access-list session google-play
    (Aruba3200XM) (config-sess-google-play)#user alias Google-Play any permit
    Step 3: Assign the session-based access list to the guest captive portal pre-auth user role.
    (Aruba3200XM) (config) #user-role guest-logon
    (Aruba3200XM) (config-role) #session-acl google-play position 3
    Verification :
    (Aruba3200XM) #show netdestination
    Name: Google-Play
    Position  Type  IP addr   Mask-Len/Range
    1         name  0.0.0.1   android.clients.google.com
    2         name  0.0.0.2   *.ggpht.com
    3         name  0.0.0.3   play.google.com
    (Aruba3200) #show rights guest-logon
    Derived Role = 'guest-logon'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 6/0
     Max Sessions = 65535
     Captive Portal profile = default
    access-list List
    Position  Name              Type     Location
    1         ra-guard          session
    2         logon-control     session
    3         google-play       session
    4         captiveportal     session
    5         v6-logon-control  session
    6         captiveportal6    session
    google-play
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    1         user    Google-Play  any      permit                           Low                                                           4
    Troubleshooting :
    Make sure ip name-server, ip domain-name and ip domain lookup are configured on the controller.
    Also you must have a PEFNG license to configure or view a destination.

    Thanks so much for getting these names listed out. I have been working on this very issue for a few weeks and was basing my firewall rules on IPs. It was not going well. Now access is working and testing can commence! Thanks, Chris

  • Allowing Airwatch MDM access to the Captive-Portal guest users in pre-auth role for android and BB?

    Requirement:
    How to allow Airwatch MDM access to the Captive-Portal guest users in pre-authentication role for Android and Blackberry devices?
    What is Airwatch MDM?
    Airwatch MDM is Mobile Device Management. Airwatch is an enterprise that helps to manage and secure data traveling through mobile devices such as laptops, tablets, Android devices, iPhones, iPads, etc.
    Solution:
    Why do we need to allow access to Airwatch MDM?
    The network administrator can force guest users to register with Airwatch MDM before they are authenticated and can access the internet, so that the administrator can manage the guest devices through the Airwatch management tool. This can be achieved with a CPPM server. To download the Airwatch MDM app and register with the Airwatch MDM server, certain domains must be permitted in the captive portal pre-authentication role. This KB provides the configuration steps to allow guest users to download the Airwatch MDM app and register with the Airwatch MDM server.
    Configuration steps:
    1. Create the following netdestinations
    netdestination Airwatch
      name *.awagent.com
      name *.awmdm.com
      name air-watch.com
    netdestination Google-Play
      name android.clients.google.com
      name .ggpht.com
      name gstatic.com
      name accounts.google.com
      name clients1.google.com
      name clients2.google.com
      name clients3.google.com
      name clients4.google.com
      name i.ytimg.com
      name google-analytics.com
      name .1e100.net
      name android.l.google.com
      name mtalk.google.com
      name clients.l.google.com
      name googleapis.com
      name gvt1.com
    netdestination BlackBerry
      name *.blackberry.com
    2. Now define the rules in the session ACL and map it to the pre-authentication role of the captive portal.
    ip access-list session Airwatch_Access
      any   alias Airwatch svc-http  permit
      any   alias Airwatch svc-https  permit
    ip access-list session Google-Play-Store
      any   alias Google-Play any permit
    ip access-list session BlackBerry-Access
      any   alias BlackBerry any permit
    3. Now map the session ACLs to the captive-portal pre-authentication role as follows
    user-role Guest-Pre-Auth-Role
      access-list session Airwatch_Access
      access-list session Google-Play-Store
      access-list session BlackBerry-Access
      access-list session logon-control
      access-list session captiveportal
    4. Now whitelist the list of domain names in the Captive Portal profile
    aaa authentication captive-portal Airwatch-Captive-Portal-Profile
      white-list Airwatch
      white-list Google-Play
      white-list BlackBerry
    (Airwatch, Google-Play and BlackBerry are the netdestinations where you defined the domains.)
    Verification
    Now the user will be placed under the "Guest-Pre-Auth-Role" before authentication. The user can now go to the Google Play Store or BlackBerry App World to download the Airwatch MDM app and register with the Airwatch management server.


  • After successful authentication, Redirection is not working properly.

    I am protecting an application with OAM 11g, say http://ohs-host:7777/test/. If I am accessing http://ohs-host:7777/test/, I am getting the OAM login page. I have enabled SSL for OAM and the login page which I am getting is an https URL (https://LB-IP/oam/server/obrareq.cgi?encquery....). After successful authentication it is redirecting me to https://ohs-host/obrar.cgi?encreply.... and I get a 404 error.
    Here, after successful authentication, it is redirecting to an https URL and the port number is also removed from the URL. If I change the URL manually by changing https to http and adding port number 7777, it will navigate me to the requested page.
    Please help!
    regards
    Shantanu

    Hi,
    Sorry to hear your issue.
    Please remember you always need to back up before updating.
    You can use the Nokia Ovi service for this.
    Can you give me some information to study this case:
    1. I need to know which country you live in
    2. Which sw versions he has upgraded from and to
    3. The product code of the phone (7 digit under the battery)
    4. by which method has he upgraded the software? – FOTA, NSU, or at the Service Centre?
    Br
    Mahyav

  • Automatic disconnection from AP when timed out (session or authentication) from captive portal

    Captive portal implementation permits/blocks web traffic. When a user is timed out (authentication & session) it still occupies a channel as seen in the clients list. How can we disconnect a host that is timed out?

    There is NO Failed Authenticated list. These are the only available tabs in the lapac1200: Captive Portal Global Configuration, Portal Profiles, Local User, Local Group, Web Customization, Profile Association, Client Information

  • How can I change the re-direct URL on the WebKit for Captive Portals?

    Hi,
    I have a guest network at the office that is configured with a captive portal for authentication. My MBP detects that it is behind a Captive Portal when the HTTP WISPr request fails and launches the WebKit (ie. the CNA) as designed and displays the login page. When the login is successful, the Captive Portal displays a success and the WebKit then proceeds to re-direct the browser to http://www.apple.com
    Of late, Apple's homepage has become graphic rich and, more often than not, loading it without caching (since the webkit does not cache the webpage loaded) on the guest network takes over 30-90 seconds depending on the traffic on the network. The OS does not allow me to use the network till the page on the webkit has successfully loaded and the "Done" button appears on the webkit, and this often becomes irritating.
    Is there a method to change the redirect URL to something less resource hungry like http://www.google.com or a less graphic rich Apple page (like http://www.apple.com/library/test/success.html)?
    I understand that there is a method to disable Captive Portal Handling, ie.
    sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -boolean false
    However, I don't want to disable Captive Portal Handling in the OS as I don't believe Apps that require internet access will handle the lack of the internet well.
    Any hints would be appreciated.
    Cheers!

    Hey again,
    I did have a look at it and the Settings.plist file isn't very helpful for the issue I have.
    The file defines the probes and exceptions. So you have the default probe WISPr URL in there (http://www.apple.com/library/test/success.html) and the exceptions for specific SSIDs; as an example, attwifi is in the exception list and uses an alternate probe WISPr URL (http://attwifi.apple.com/library/test/success.html). The configuration does not have parameters that would be used by the CNA for the redirect to http://www.apple.com after a successful Captive Portal login.
    Give it a shot on your laptop, get to a random public wifi like ATT Wifi/Starbucks/Guest Wifi's at office spaces/Boingo etc. and after the successful login, your CNA Webkit will re-direct to http://www.apple.com and the "Done" button won't appear till the page has completely loaded and stays as "Cancel" till the page is loaded.

  • Bug in wifi/wireless connection with captive portal in UK/London ?

    With my MacBook Pro (10.6.4) & iPhone (iOS 4), I do not manage to connect easily to free Wi-Fi captive portals in London. They are all new connections (networks unknown before).
    * The dhcpd lease seems to be unstable. I can get a Wi-Fi connection (with good Wi-Fi signal strength) but most of the time I get a "non-allocated" lease like 169.254.57.x/24 without any router/DNS. A few rare times, the DHCP server gives me a complete IP connection.
    * In the rare case where an IP connection could be established, I was not redirected to the captive portal. I had to manually enter its address (in my case <IP>:8000, you need to guess) and even after authentication, I can't browse the Internet. In one of my tests, I managed to resolve a DNS entry but can't browse the web.
    I tried for an hour and I couldn't make it work on my MacBook. It worked for a short time with the iPhone.
    Tested in McDo free Wi-Fi and Airbox Public Wifi of EasyHotel (Airbox system). I also have problems with "Wifi Zone - The Cloud".
    OK in Starbucks and in St Pancras Free Wifi.
    Found these threads which could be related but no real solutions:
    http://discussions.apple.com/thread.jspa?messageID=11875166&#11875166
    This is probably the router's fault but I can't check this.

    Hmm...pretty interesting. What redirection mode did you use for m0n0wall? (http or dns) Have you tried disabling the NAT on the router as well as unchecking the block anonymous internet requests on the security tab?
    I have a similar setup on a T1----media converter----WRT54G setup. Basically, the router was able to get public wan ip addresses on the status page. So do the computers behind it (wired and wireless) but they aren't online. We pinged the three dns numbers on the router, only 1 replied. Now, the ISP has Cisco all-access installed on the converter (quite similar to captive portal) and it shows up on every computer when we try to go online. We open up the browser, it prompts for the authentication. We fill-in the details but still it doesn't go online. Bottom line was we cloned the mac of the main computer and they didn't need to authenticate...but then again it defeats the purpose of the software.
    Also, the router was set as a DHCP server with NAT enabled. I'm thinking that the router's firewall still blocks your computers even when it's already set as a switch. Try to disable the NAT and see if it works.

  • ISE captive portal timeouts and radio policy

    Hello!
    I have two questions.
    First, have some of you guys worked with the captive portal in ISE (guest portal)?
    I have set up a new wireless network for a customer and they want to use the guest portal for some users.
    The problem that I am experiencing is that on a particular site with many small buildings users complain that they have to reauthenticate using the web portal when moving between the buildings.
    I have tried extending the idle user timeout on that particular WLAN in the Cisco 5508, but I am still having this problem.
    I would actually like the user to log in via the guest portal at the beginning of the work day and after, say, 4-5 hours they have to reauthenticate.
    And if they lose network connectivity (moving between buildings, iPhone/Android shutting down the Wi-Fi adapter, etc.) they should be fine connecting again because they have already authenticated once during the last 4-5 hours.
    Is this possible via the ISE?
    My second question deals with the 2.4 and 5 GHz bands.
    I use AP groups in each of my distribution areas. All groups have the same SSID but different egress interfaces (interface groups).
    And in some of these I want to save the 5 GHz band for voice over WLAN and in others I would like to use both bands.
    Do I have to create different WLAN profiles with different radio policies and the same SSID, or could I do this in the AP group settings using RF profiles?
    Hope for some help!
    //Simon

    1st: There is no such option in ISE till now where you can fix the login time for a client. If the client disconnects from the network and reconnects again, it requires re-authentication every time.
    2nd: You can use the AP group settings using RF-profiles to achieve this task.

  • How do I access the AF Portal with SCR331 reader in Mac OS 10.5.6

    I have searched every website known to man and I am unable to find a way to access the AF Portal using a CAC reader issued to me. It is an SCR331. It shows up just fine in Keychain Access and I am successful in adding a new identity for the website. But when I go to the website www.my.af.mil and hit the button to access using my CAC card, it says that I have hit the Cancel button.
    Any ideas?

    To All,
    I encountered the same problems you describe with the Air Force portal. Followed all recommendations to no avail. After lots of trial and error this is what I did in my setup and worked:
    1. close all open programs. Open keychain access, connect the reader, insert CAC, select CAC keychain by clicking on it once, you will see a list with 3 certificates and 3 private keys to the right.
    2. double click on the certificates and find the one that shows "Usage Digital Signature, Non-Repudiation" and "Purpose #1 Smartcard Logon, Purpose #2 Email Protection, Purpose #3 Client Authentication". This is the right certificate for online CAC authentication.
    3. control-click the CAC certificate identified as the right one in step 2 and create an identity preference for each server addresses that the AF Portal has:
    https://www.my.af.mil/EAI_JUNCTION/eai/
    https://www.my.af.mil/EAI_JUNCTION/eai/auth
    https://www.my.af.mil
    I had to create an identity preference for each; for some reason if I don't use all three, login fails.
    If you also want to access the virtual MPF, also create an identity preference with the following server: https://w20.afpc.randolph.af.mil/afpcsecurenet20/
    Note that these server addresses are case-sensitive and you need to put the "/" just as I did above.
    4. verify the identity preferences were created by selecting the login keychain, you should see them in there.
    5. open Safari and enter https://www.my.af.mil in the Safari address bar. Enter the PIN number if requested. I have noticed that sometimes it will work flawlessly and sometimes the server will reject the certificate and ask you to select a different one. If I select the one that says DOD EMAIL CA-15 and hit enter (sometimes repeatedly) it will then work. I don't know why this happens but have read it is a USAF server-side issue.
    Once you are able to access the portal, log out and try the vMPF by entering https://w20.afpc.randolph.af.mil/afpcsecurenet20/ in the Safari address bar.
    Hit OK if presented with a consent screen. You may be given a username/password screen; re-enter https://w20.afpc.randolph.af.mil/afpcsecurenet20/ into the address bar and try again, and you should be in AFPC secure.
    I tested this in a 2008 white macbook with an OmniKey 3121 USB reader and an Oberthur ID One v5.2 CAC card. My OS is 10.5.6.
    Please let me know if this helps.
    R Burgos

  • Captive portals not triggering on Mavericks

    I frequent locations that require an "I accept your policy, please connect me to wi-fi" screen upon connection, before allowing traffic to leave the local network. Prior to Mavericks, a small browser window would display, prompting me to accept and connect. On Mavericks, I have yet to see one of these.
    Here are some pertinent log entries from Console.app:
    0/31/13 8:31:26.665 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Inactive
    10/31/13 8:32:40.289 AM UserEventAgent[11]: Captive: [CNInfoNetworkActive:1655] en0: SSID 'attwifi' not making interface primary (no cache entry)
    10/31/13 8:32:40.289 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Evaluating
    10/31/13 8:32:40.294 AM UserEventAgent[11]: Captive: en0: Probing 'attwifi'
    10/31/13 8:32:40.316 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:40.492 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:40.657 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:40.842 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:41.126 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:41.514 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:41.927 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:42.520 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:43.201 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:43.945 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:44.827 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 8:32:44.827 AM UserEventAgent[11]: Captive: [wispr_detect_http_done:269] Network Error: Failed to retry probe. Giving up after retrying 10 times
    10/31/13 8:32:44.827 AM UserEventAgent[11]: Captive: [CaptiveHandleRedirect:1653] Unknown result value: 8, assuming online
    10/31/13 8:32:44.828 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Authenticated
    10/31/13 10:13:46.955 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Inactive
    10/31/13 10:14:02.663 AM UserEventAgent[11]: Captive: [CNInfoNetworkActive:1655] en0: SSID 'PANERA' not making interface primary (no cache entry)
    10/31/13 10:14:02.663 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Evaluating
    10/31/13 10:14:02.668 AM UserEventAgent[11]: Captive: en0: Probing 'PANERA'
    10/31/13 10:14:02.829 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:03.005 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:03.187 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:03.369 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:03.653 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:04.039 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:04.513 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:05.096 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:05.766 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:06.549 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: The operation couldn’t be completed. Network is unreachable
    10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: [wispr_detect_http_done:269] Network Error: Failed to retry probe. Giving up after retrying 10 times
    10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: [CaptiveHandleRedirect:1653] Unknown result value: 8, assuming online
    10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Authenticated
    Anyone having similar issues, or can point me towards a solution?

    I was able to manually trigger the Captive Portal Assistant and work around the issue. Open up Terminal.app and type:
    open /System/Library/CoreServices/Captive\ Network\ Assistant.app
    After that, I saw the window I was expecting and I was able to click the "I agree" button, and afterwards my Internet was working as expected.
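
The Console entries in the question show the probe failing, the retry limit being reached, and the interface then being treated as authenticated ("assuming online") without any portal window. The following is an added example, not part of the original posts and not Apple code: it scans such a log for that sequence. The sample log is constructed from the message shapes quoted above (the 'guestnet' SSID is invented), and `find_fail_open` is a hypothetical helper name.

```python
"""Find captive-portal probes that gave up and were then treated as online."""
import re

# Constructed sample, shortened from the message shapes quoted in the post.
SAMPLE_LOG = """\
10/31/13 8:32:40.289 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Evaluating
10/31/13 8:32:40.294 AM UserEventAgent[11]: Captive: en0: Probing 'attwifi'
10/31/13 8:32:40.316 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: Network is unreachable
10/31/13 8:32:40.492 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: Network is unreachable
10/31/13 8:32:40.657 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: Network is unreachable
10/31/13 8:32:44.827 AM UserEventAgent[11]: Captive: [wispr_detect_http_done:269] Network Error: Failed to retry probe. Giving up after retrying 10 times
10/31/13 8:32:44.827 AM UserEventAgent[11]: Captive: [CaptiveHandleRedirect:1653] Unknown result value: 8, assuming online
10/31/13 8:32:44.828 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Authenticated
10/31/13 9:05:10.100 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Evaluating
10/31/13 9:05:10.105 AM UserEventAgent[11]: Captive: en0: Probing 'guestnet'
10/31/13 9:05:10.300 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: Network is unreachable
10/31/13 9:05:12.000 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Inactive
10/31/13 10:14:02.663 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Evaluating
10/31/13 10:14:02.668 AM UserEventAgent[11]: Captive: en0: Probing 'PANERA'
10/31/13 10:14:02.829 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: Network is unreachable
10/31/13 10:14:03.005 AM UserEventAgent[11]: Captive: [async_http_read_stream:387] kCFStreamEventErrorOccurred NSPOSIXErrorDomain/51: Network is unreachable
10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: [wispr_detect_http_done:269] Network Error: Failed to retry probe. Giving up after retrying 10 times
10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: [CaptiveHandleRedirect:1653] Unknown result value: 8, assuming online
10/31/13 10:14:07.421 AM UserEventAgent[11]: Captive: CNPluginHandler en0: Authenticated
"""

# date, time-of-day, process, then the Captive message body
LINE_RE = re.compile(
    r"^\d+/\d+/\d+ (\d+:\d+:\d+\.\d+ [AP]M) UserEventAgent\[\d+\]: Captive: (.*)$"
)
PROBE_RE = re.compile(r"Probing '([^']*)'")


def find_fail_open(log_text):
    """Return one record per probe that gave up yet ended as 'Authenticated'."""
    findings = []
    cur = None  # state of the probe currently in progress, if any
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a Captive line from UserEventAgent
        stamp, msg = m.groups()
        probe = PROBE_RE.search(msg)
        if probe:
            cur = {"ssid": probe.group(1), "probe_started": stamp,
                   "errors": 0, "gave_up": False, "assumed_online": False}
            continue
        if cur is None:
            continue
        if "kCFStreamEventErrorOccurred" in msg:
            cur["errors"] += 1
        elif "Giving up after retrying" in msg:
            cur["gave_up"] = True
        elif "assuming online" in msg:
            cur["assumed_online"] = True
        elif msg.endswith("Authenticated"):
            # Marked authenticated although the probe never got an answer.
            if cur["gave_up"] and cur["assumed_online"]:
                findings.append({"ssid": cur["ssid"],
                                 "probe_started": cur["probe_started"],
                                 "errors": cur["errors"]})
            cur = None
        elif msg.endswith("Inactive"):
            cur = None  # interface went down before the probe concluded
    return findings


if __name__ == "__main__":
    for hit in find_fail_open(SAMPLE_LOG):
        print(hit)
```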

  • Setting UP Captive Portal ON 5508 WLC

    Dear All,
    I do know that a captive portal could be set up on the Cisco 5508, such that internet users could log in as follows:
    Username, password, login duration etc.
    However, I would like to know whether the above configuration would work with just the 5508 and MS Active Directory, or do we need any other device to achieve this?
    Secondly, can we upload a customised login web page from which users can log in and gain access to the internet?
    Jude.

    1. i would like to know whether the above configuration would work with just 5508 and MS Active directory
    Yes, you would need to configure an LDAP server on the WLC pointed to your MS AD, binding properly.  Then, make sure your L3 authentication priority is configured to query LDAP first.  This works pretty well in a L3 web-auth scenario, but is limited when using LOCAL EAP
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml
    2. can we upload a customised login web page from which users can login and gain access to the internet ?
    Yes; start by downloading the webauth_bundle.zip for your respective release/platform. 
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1049404

  • IOS 6 Wi-Fi Issue (Campus Captive Portal)

    Hey there,
    I know some people are facing Wi-Fi connection problems after the iOS 6 update.
    There are a lot of threads and solutions about this problem. But mine is a bit different.
    I have an iPad and after I updated to iOS 6 there wasn't any issue with the Wi-Fi connection.
    I surfed all day long, uploaded and downloaded many things using my home Wi-Fi network.
    Today I couldn't connect to my campus' Wi-Fi network. I turned on my phone's hotspot and the iPad connected to my phone's cellular-based network just fine. I tried to connect directly with my phone to the campus' network and my phone also connected just fine. When I searched the web I saw a lot of Wi-Fi issue threads about iOS 6. I have read all of them but my problem is a bit different.
    My campus' network is using a Captive Portal thing to get internet access. So you have to enter your user ID and password after you connect wirelessly.
    When I was using iOS 5.1.1 the iPad was connecting to the network automatically and waiting for me to open Safari or Chrome and enter my ID and password.
    But now after I join the network a window pops up and wants me to enter ID and password (not an Apple page, my own university page) and at the same time the connection drops and the Wi-Fi icon disappears, so my log-in info can't be sent. I open the Wi-Fi panel and connect again and the same thing occurs: pop-up window and connection lost. This is a vicious cycle I think, and everybody using iOS 6 on my campus is facing the same problem. iPhone, iPad and iPod Touch users cannot connect because of this problem.
    I have done everything that is written about the common Wi-Fi issue.
    I am sorry about my broken English BTW.
    Waiting for your help.

    If you are experiencing the above subject heading, please read below.
    Go to Settings, General, About
    Scroll down till you see Modem Firmware
    Reply Back with your Modem Firmware
    Modem Firmware: 04.12.02
    Wireless Access Point Device: NetGear WG102, which is superseded by NetGear WG103.
    I have Firmware 5.0 for this device.
    Also check your iOS version and (BUILD).
    If your Modem Firmware is LESS than the above, then you have the same problem as myself and many others with wireless connectivity issues to WAPs.
    It is my understanding, unless I'm proven wrong by anyone with my above findings, this can only be fixed by APPLE. I have reported this as a BUG.
    Please REPLY only to this thread if your criteria is less than the MODEM FIRMWARE listed.
    I'm checking to see if I can be proven wrong in my findings.
    I have performed the below:
    Backup Phone
    Factory Reset
    Network Reset
    Hard Reset
    Soft Reset
    Apple Store in Australia, Sydney CBD George St have tried the above with me and can't help either.
    Apple support via the phone can't help. This problem has now been logged as a BUG for the time being.

  • ISE Wired captive portal

    I have a new ISE integration. I've implemented a captive portal for wireless and wired guests. For wireless, all is working perfectly.
    For wired, I can see that ISE puts the captive URL on the interface of the switch, but from the laptop of Windows machine I'm unable to see the link in the browser. Please advise.

    In the same document you have
    Wired NAD Interaction for Central WebAuth
    If your client's machine is hard wired to a NAD, the guest service interaction takes the form of a failed MAB request that leads to a guest portal Central WebAuth login.
    The Central WebAuth triggered by a MAB failure flow follows these steps:
    1. The client connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the client.
    2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a URL-redirect for Central WebAuth user interface.
    3. The NAD is configured to post MAB requests to the Cisco ISE RADIUS server.
    4. The client machine connects and the NAD initiates a MAB request.
    5. The Cisco ISE server processes the MAB request and does not find an end point for the client machine. This MAB failure resolves to the restricted network profile and returns the URL-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an Authorization Policy exists featuring the appropriate "NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions.
    The NAD uses this value to redirect all client HTTP/HTTPS traffic on ports 8080 or 8443 to the URL-redirect value. The standard URL value in this case is:
    https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa.
    6. The client initiates an HTTP or HTTPS request to any URL using the client browser.
    7. The NAD redirects the request to the URL-redirect value returned from the initial access-accept.
    8. The gateway URL value with action CWA redirects to the guest portal login page.
    9. The client enters the username and password and submits the login form.
    10. The guest action server authenticates the user credentials provided.
    11. If the credentials are valid, the username and password are stored in the local session cache by the guest action server.
    12. If the guest portal is configured to perform Client Provisioning, the guest action redirects the client browser to the Client Provisioning URL. (You can also optionally configure the Client Provisioning Resource Policy to feature a "NetworkAccess:UseCase=GuestFlow" condition.)
    Since there is no Client Provisioning or Posture Agent for Linux, guest portal redirects to Client Provisioning, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.
    13. If the guest portal is not configured to perform Client Provisioning, the guest action server sends a CoA to the NAD through an API call. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. If Client Provisioning is not configured and the VLAN is in use, the guest portal performs VLAN IP renew.
    14. With redirection to the Client Provisioning URL, the Client Provisioning subsystem downloads a non-persistent web-agent to the client machine and performs a posture check of the client machine. (You can optionally configure the Posture Policy with a "NetworkAccess:UseCase=GuestFlow" condition.)
    15. If the client machine is non-compliant, ensure you have configured an Authorization Policy that features "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=NonCompliant" conditions.
    16. Once the client machine is compliant, ensure you have an Authorization Policy configured with "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=Compliant" conditions. From here, the Client Provisioning issues a CoA to the NAD. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access.
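
The branch of the flow quoted above without Client Provisioning (steps 3-11 and 13) can be traced with a small model. This is an added example, not Cisco or ISE code and not part of the original posts; the class names, the `ise.example:8443` portal address, the MAC, the session ID and the guest account are all constructed assumptions.

```python
# Toy model of the wired CWA flow; class and field names are illustrative.
from urllib.parse import parse_qs, urlparse

# Assumed portal host and port; the path and query follow the URL format above.
REDIRECT = "https://ise.example:8443/guestportal/gateway?sessionId={sid}&action=cwa"

class Ise:  # stands in for the RADIUS server plus the guest action server
    def __init__(self, guests):
        self.guests = guests        # constructed guest accounts
        self.session_cache = {}     # sessionId -> username after portal login

    def radius_request(self, mac, sid):
        if sid in self.session_cache:   # reauthentication triggered by CoA
            return {"access": "guest", "user": self.session_cache[sid]}
        # Step 5: no endpoint for this MAC, so MAB fails into the restricted profile.
        return {"access": "restricted", "url_redirect": REDIRECT.format(sid=sid)}

    def portal_login(self, url, user, password, nad):
        query = parse_qs(urlparse(url).query)
        if query.get("action") != ["cwa"] or "sessionId" not in query:
            return False
        if user not in self.guests or self.guests[user] != password:
            return False
        sid = query["sessionId"][0]
        self.session_cache[sid] = user  # steps 10-11: cache the valid login
        nad.coa(sid)                    # step 13: CoA sent to the NAD
        return True

class Nad:  # stands in for the switch
    def __init__(self, ise):
        self.ise, self.sessions = ise, {}

    def link_up(self, mac, sid):        # steps 3-4: MAB request to ISE
        self.sessions[sid] = dict(self.ise.radius_request(mac, sid), mac=mac)

    def http_get(self, sid, url):       # steps 6-7: redirect while restricted
        s = self.sessions[sid]
        return ("302", s["url_redirect"]) if s["access"] == "restricted" else ("200", url)

    def coa(self, sid):                 # reauthenticate the existing session
        self.link_up(self.sessions[sid]["mac"], sid)

def run_flow(password):
    nad = Nad(Ise({"guest1": "s3cret"}))    # constructed credentials
    nad.link_up("00:11:22:33:44:55", "sess-0001")
    before = nad.http_get("sess-0001", "http://example.com/")
    ok = nad.ise.portal_login(before[1], "guest1", password, nad)
    after = nad.http_get("sess-0001", "http://example.com/")
    return before[0], ok, after[0], nad.sessions["sess-0001"]["access"]
```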
