AUP Exception for devices that do not support Browser

  • 1
  • Question
  • Updated 5 years ago
  • Answered
We have a guest network where we give access to users to browse the Internet but we do include and AUP acceptance page.

We have a few AppleTV devices that we like to use for user presentation and we like to put an exception for those based on anything that can be supported, MAC, etc....

We currently use another SSID that doesn't use AUP but it is a pain, and a lot of administration to turn it on and off.

Is there any way to do it,
Photo of Christos

Christos

  • 6 Posts
  • 1 Reply Like

Posted 5 years ago

  • 1
Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
I haven't done this myself, so no guarantees this is the right approach, but under the SSID Configuration page (where you selected an AUP), under Optional Settings, Advanced, there is a button for you to select the User Profile Application Sequence. I *think* you want "MAC Authentication-Captive Web Portal-SSID", assuming you know the MAC addresses of your AppleTVs.
Photo of Christos

Christos

  • 6 Posts
  • 1 Reply Like
Actually we currently have the above option selected but I am not sure what do next? Do I also select "Enable MAC Authentication" and if I do does it use this instead of AUP, and where would I put the MAC addereses?
Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
Christos, I played with this a bit over my lunch hour, and I now think I steered you wrong. Sorry. I don't think that's the right approach.

I think we should wait and see what else the community recommends, or you can contact your reseller or our support organization to see if they have guidance.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
What is actually wrong with using another SSID using a PSK, PPSK and leaving it on all the time? I am having difficulty seeing the administrative burden...

Doing this by MAC address is really insecure so, in my opinion, it is not something that should be encouraged or easy to achieve...

(AppleTVs also have usable 802.1X with the 6.0 release from Apple as they persist the last NTP timestamp to non-volatile flash and use it to seed the system clock on boot.)
Photo of Christos

Christos

  • 6 Posts
  • 1 Reply Like
We can't use another SSID and leave it on all the time because as people start using AppleTV and learn the password for that SSID, even by configuring it one time their device will be connecting to that SSID instead of the one that has the AUP acceptance page.

It will be nice if Aerohive offers an exception from the AUP based on MAC, etc....
Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
Christos,
Most of our customers deploy AppleTVs the way they do printers; the organization chooses how many and where they'll be located, and then they stay there without the user-base getting access to their configurations, only their services.

I had the same thoughts as Nick once I realized my MAC-auth approach was worng; I was just hesitant to post it since I had struck out once already.

Your last post makes me think you believe your users must be on the same SSID as the AppleTV in order to use it. That's not true. If the two SSIDs map to the same VLAN I don't think you even need our Bonjour Gateway to re-advertize the appletv services...
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You can use a PSK or PPSK on a SSID and set it up on the AppleTV that you own via a MobileConfig with the Apple Configurator... The PSK will not be easily exposed.

(With the 6.0 software for the AppleTV, 802.1X also works via this means.)