
Captive portal NAC + Apple Devices OSX


Tiago_Molinos
New Contributor II
Hi there,

We've been setting up a wireless LAN solution with NAC + a couple of IdentiFi controllers.
At the moment we're fine-tuning the guest network.

I'm running the latest NAC appliance software and version 9.21.04 on the controllers (5110 + v2110).

Right now I'm concerned with two different problems:

1 - Whenever I try to connect an Apple OSX device, it pops up an error:



If I ignore the error and go straight to the browser and open a random page then the portal appears and I can register a device. After the registration is successful I end up in problem #2.

2 - On all Apple devices, after the registration is successful the device never renews the IP address and eventually an error is displayed in the portal. If I manually reconnect to the network then it gets the correct IP address.

Any suggestion?

Best Regards,

Tiago

24 REPLIES

Yes! I have to do this via firewalled interfaces a lot. So if you set up the DNS redirect like this, and allow your NAC and DNS (internal DNS and only DNS), then this kicks a portal page without issue. I do it this way every time. Not all of my clients have equipment that has DSCP or PBR capabilities. So this is my resolution to that problem.

Tiago_Molinos
New Contributor II
Hi Joseph,

I cannot understand what you mean by #1. Are you referring to Extreme's NAC appliance or a different product?

#2 DHCP changes have indeed solved the problem. Thanks for your input!

What I would like to see now is the Captive Portal (NAC) popping up in OSX El Capitan.

Joseph_Burnswor
New Contributor III
Issue #1: When I do the captive portal (especially in an environment with Apple) I use a DNS named redirect. Instead of using https://1.1.1.1/redirect I use http://GuestAccess.myco.com (you will need to make an "A" record for this). I also make sure that I allow port 53 TCP for the secured DNS hijack. This resolves the issues I have had with Apple redirects.

Issue #2: Are you using NAC to change the Policy to a different VLAN? If so, you would need to make the Unregistered VLAN DHCP lease time very short (30 - 45 seconds). This will allow the iOS devices with sticky leases to renew without any major issues.

Please let us know if this helps. If not, also let us know so that we can further assist you 🙂

Tiago_Molinos
New Contributor II
Hi Ron,

I removed apple.com as suggested. It still pops up on all Apple iOS devices (great!) but on OSX machines the popup stopped showing. If I open a browser then I'm correctly redirected and the registration can then be concluded.

I need to change the IP because of several reasons. One of them is that the guest network is actually a topology group comprised of several different balanced networks, another is that I'm also using the captive portal to do registered guest authentication (for BYOD).
Anyway, your suggestion to set the DHCP lease to a low value seems to work great. I've set the lease to 45 seconds, but I think I'll tune this value in the future. I don't know how the DHCP server will handle the additional load when I go live with the solution.

I think the solution as it is right now is working as expected, except for the non-existent popup in OSX. Is it possible to have it? I added the "apple.com" again and verified that the popup returns... Can't figure out why it says "A problem occurred"...

Thanks for your answer!

BR

Tiago

Ronald_Dvorak
Honored Contributor
Hi,

#1 - Not sure whether that is the problem, but is "apple.com" removed from the allowed domains?
GUI NAC Manager, Portal Configuration > Network Settings > Allowed Websites > Allowed Domains > remove apple.com

#2 - Why does the client need a new IP?
Is the guest role in another VLAN/subnet? If yes, set the DHCP lease in the nonauth Guest VLAN very low so that the client does a renew very often till the client gets the guest role and is in the authenticated-guest VLAN.

I handle it in another way and use the 2nd NIC of the NAC for guest portal access.
I configure the 2nd NIC in the guest VLAN so the client doesn't need to change the VLAN/subnet/IP.

-Ron