Avoid device going through captive portal

We are trying to use a Chromecast to display images and such, as our work phones are Android. Our issue is the CWP is stopping the Chromecast from connecting as it does not have a browser.

Is there a way to have certain devices (Chromecast) circumnavigate the CWP?

Harvey Grayson

  • 2 Posts
  • 0 Reply Likes

Posted 4 years ago


Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Yes, offer another SSID that does not have a CWP configured on it.

Harvey Grayson

  • 2 Posts
  • 0 Reply Likes
Thank you, I will try this.

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
Nick's suggestion is the right way, today. Recognizing that creating multiple SSIDs is often undesirable, we are looking to (finally) add the ability to specify a whitelist of MAC addresses that will bypass the CWP in a future release of HiveOS.

Before people ask, no, it won't be in the one coming out right now.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
So, as we know, certain device classes do not support a CWP as there is either no user interaction or a Web browser. Typically, but not always, the manufacturers will have used dedicated OUIs for these devices and these can be matched.

(We also do not see many Xerox or Ricoh tablets, laptops or phones etc for example.)

Where such devices do not use a dedicated MAC OUI and instead overlap with other device classes, a DHCP fingerprint can often be used alone, or in conjunction with a MAC OUI, to identify a device class.

Just food for thought! If you are using a CWP, a desire for convenience rather than security is already there.

I do not actually see it being that useful to exempt based on HTTP user agent or some other method of operating system detection. I really meant the former, DHCP fingerprinting.

james.gaudet

  • 6 Posts
  • 0 Reply Likes

I've now got this set up with two SSIDs. Is there a way to not broadcast the SSID? Or only allow certain MAC addresses onto the new SSID (I do NOT have an external RADIUS server)?

Leaving it open defeats the purpose of having a CWP on the first SSID, as users will simply choose the second one.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
The best way of restricting access is to use a WPA2-Personal PSK on that SSID; certainly don't leave it open.

All CWPs are by nature insecure; if you want security, you should move to an 802.1X or PPSK deployment.

Hidden SSIDs are nearly always a bad idea, so you almost certainly do not want to do this.

wombat

  • 62 Posts
  • 3 Reply Likes
Can we return any attributes in a successful mac-auth that will allow the device to bypass the captive portal?

I mean, other devices not allowed just fall through to the captive portal as normal.

hector, Employee

  • 1 Post
  • 0 Reply Likes
Captive web portal bypass (by MAC address) was added in HiveOS 6.4r1. Here's how to configure it: http://www.aerohive.com/330000/docs/help/english/6.4r1/hm/full/help.htm#ref/using-supplemental-cli-e...

Kevin Gee

  • 54 Posts
  • 4 Reply Likes
Hi All,
>>we are looking to (finally) add the ability to specify a whitelist of MAC addresses that will bypass
>>the CWP in a future release of HiveOS

Did this ever get added? I can't see an option anywhere so I assume not, but it would be good to know I'm not missing something.
Regards, Kevin.

joy

  • 21 Posts
  • 0 Reply Likes
I'm also looking for this feature. Any updates on this?
Regards

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hi,

Just to close the loop on this thread and make the information shared by hector more visible, this is now supported via a MAC address whitelist or via MAC authentication via RADIUS. The latter has no limit on the number of addresses that can be supported.

1) You can do this via on-device MAC address whitelisting by configuring the following via supplemental CLI after previously configuring a CWP via the GUI:

security-object <string> security mac-white-list mac-object <string>
security-object <string> security mac-white-list bypass-cwp

There is also the companion command:

show security-object <string> security mac-white-list


2) You can do this via MAC authentication by configuring the following via supplemental CLI after previously configuring an external CWP with MAC authentication via the GUI:

security-object <string> security additional-auth-method mac-based-auth fallback-to-ecwp

This changes the behaviour so that, rather than both the CWP and MAC authentication having to pass, MAC authentication is attempted first. If this succeeds, the CWP is not displayed. If it fails, the CWP is displayed.

Be careful to set the user profile application sequence to SSID, CWP, then MAC authentication.


Please make sure that you use HiveOS 6.5r7 or later, or HiveOS 8.0r1 or later, particularly in the MAC authentication case.

Thanks,

Nick

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
In the whitelisting case, do remember to take a look at: http://docs.aerohive.com/330000/docs/help/english/6.4r1/hm/full/help.htm#ref/using-supplemental-cli-...

You need mac-objects to exist too.

Fabien Gaille

  • 53 Posts
  • 3 Reply Likes
404 not found =( I was looking for "MAC Address Bypass Enhancement" as well.

Thanks a lot for your feedback. It's true I didn't see the reply from Hector during my investigation.

Cheers,
Fabien

Irteza Rana

  • 5 Posts
  • 0 Reply Likes
Is there any functional link? All the documentation links posted above are not functional.

Irteza Rana

  • 5 Posts
  • 0 Reply Likes
Is there any way we can achieve this in a more efficient way, rather than creating a totally new SSID? How can we whitelist a specific MAC address on our entire network rather than configuring it on each single AP?

Keeping in mind the same use case: a Chromecast MAC address whitelist to bypass the captive portal on your entire wireless network.

Fabien Gaille

  • 53 Posts
  • 3 Reply Likes
You should consider "CLI Supplement". I think that's a quite efficient way (maybe the only one actually) to deal with that. I'm using it on a daily basis.

I don't have documentation, but please find here my configuration:

Config > Advanced configuration > Common objects > CLI Supplement > Edit 'BypassCWPwithMAC'

mac-object bd mac-range 9465:9c6b:ad46 - 9465:9c6b:ad46
mac-object bd mac-range 6cad:f8a7:2ce6 - 6cad:f8a7:2ce6
mac-object bd mac-range 089e:084c:664d - 089e:084c:664d
mac-object bd mac-range 089e:084b:f265 - 089e:084b:f265
mac-object bd mac-range 6cad:f886:987e - 6cad:f886:987e
mac-object bd mac-range b827:eb49:7824 - b827:eb49:7824
mac-object bd mac-range b827:ebf2:88a8 - b827:ebf2:88a8
security-object SSID-withCWP security mac-white-list bypass-cwp
security-object SSID-withCWP security mac-white-list mac-object bd

Then, you have to go on your APs > Advanced Settings > Supplemental CLI

You may have to activate Supplemental CLI (Home > HiveManager Settings).

And voilà.
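Hand-writing one mac-range line per device, as in the configuration just above and in Nick Lowe's supplemental CLI commands earlier in the thread, is where grouping mistakes creep in (HiveOS wants three colon-separated groups of four hex digits, not the six-octet form most inventories use). The following generator is an added example, not Aerohive's tooling or anything from this thread: it normalises MAC addresses from the usual colon, hyphen or Cisco dotted notations, rejects malformed entries, skips locally administered (randomised) addresses that would never match a stable whitelist, and emits the mac-object lines before the security-object lines so the object exists when it is referenced. The security-object name SSID-withCWP is taken from the post; the mac-object name "cast" and the sample addresses (drawn from the RFC 7042 documentation range 00-00-5E-00-53-xx) are constructed for illustration.

```python
import re

# Constructed sample input: addresses as copied from a device inventory, in
# mixed notations. They come from the RFC 7042 documentation range and are
# not real devices. The fourth has the U/L bit set (locally administered),
# the fifth is garbage that should be rejected.
SAMPLE_MACS = [
    "00:00:5e:00:53:01",
    "00-00-5E-00-53-02",
    "0000.5e00.5303",
    "02:00:5e:00:53:04",
    "not-a-mac",
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Strip ':', '-', '.' and whitespace; return 12 lowercase hex digits.

    Raises ValueError for anything that is not exactly 12 hex digits.
    """
    digits = re.sub(r"[:\-.\s]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return digits


def is_locally_administered(mac):
    """True when bit 1 of the first octet (the U/L bit) is set.

    Such addresses are locally assigned or randomised rather than burned in,
    so a static whitelist entry for one is unlikely to keep matching.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def to_hiveos(mac):
    """Render a MAC in the HiveOS CLI form: three 4-hex-digit groups, e.g. 0000:5e00:5301."""
    d = normalize_mac(mac)
    return f"{d[0:4]}:{d[4:8]}:{d[8:12]}"


def build_bypass_cli(security_object, mac_object, macs):
    """Build supplemental CLI lines for a CWP bypass whitelist.

    Returns (lines, skipped): lines is the CLI text in apply order, skipped is
    a list of (input, reason) tuples for entries that were not emitted.
    """
    lines = []
    skipped = []
    seen = set()
    for mac in macs:
        try:
            h = to_hiveos(mac)
        except ValueError:
            skipped.append((mac, "invalid"))
            continue
        if h in seen:  # duplicate inventory entry; emit it once
            continue
        if is_locally_administered(mac):
            skipped.append((mac, "locally administered / randomised"))
            continue
        seen.add(h)
        # A single address is expressed as a one-element range, as in the thread.
        lines.append(f"mac-object {mac_object} mac-range {h} - {h}")
    # The mac-object must exist before the security-object refers to it.
    lines.append(f"security-object {security_object} security mac-white-list mac-object {mac_object}")
    lines.append(f"security-object {security_object} security mac-white-list bypass-cwp")
    return lines, skipped


if __name__ == "__main__":
    cli, rejected = build_bypass_cli("SSID-withCWP", "cast", SAMPLE_MACS)
    print("\n".join(cli))
    for entry, reason in rejected:
        print(f"# skipped {entry}: {reason}")
```

Paste the printed block into the CLI Supplement object and assign it to the APs as described above; the skipped list is worth reviewing rather than silently ignoring, since a Chromecast that shows up with a locally administered address will keep landing on the portal no matter how many times it is added. The whitelist is keyed on an address the client chooses to present, which is why the thread treats it as a convenience feature rather than a security control.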

Irteza Rana

  • 5 Posts
  • 0 Reply Likes
Thanks, Fabien, for the update. But where can we find these HiveManager settings? I use cloud-va.aerohive.com.