ted400

Q: AD bound macs not connecting to captive portal wifi

I recently took a position at an up-and-coming company and have quickly become the enterprise "Mac Guy"; this entails personal support of our Execs and Sales department, as they are the sole users of Macs in our company. We (obviously) run a domain with AD, but have no Mac Servers. The issue I am coming across is that all of our Macs are laptops, and are mobile. The computers are required to be bound to our domain (we are required to be HIPAA compliant); however, when the computers go off site and have to connect to a captive portal to connect to a public WiFi (Hilton, McDonalds, Sky Lounges, etc.), the connection cannot be made because the captive portal is never provided for authentication. However, if the gateway can be determined they can SOMETIMES manually enter the IP address in the address bar and get the portal. We do not force any DNS or IP addresses on any WiFi connections. Open WiFis without a captive portal (home, other offices, etc.) work fine. The big bombshell... If I unbind the computer from the domain, captive portals then work just fine, and there is much rejoicing.

So, my issue is that we HAVE to have these computers bound to our domain, if for nothing more than forcing password expiration (I don't think AD does much more for a Mac than this anyway), and remain HIPAA compliant, but I am willing to use a different method of managing passwords if there are other options out there.

My ultimate questions are:

* Do you know WHY a bound computer would not connect to a captive portal? (I have been able to find zero information anywhere online)

* If it's a "bug", and I do need to unbind them, do you know if there is a way to force password resets / manage passwords on OSX? (I am willing to consider standing up a Mac Server if necessary)

Posted on Feb 23, 2016 5:56 AM

    by Strontium90, Feb 23, 2016 7:45 AM in response to ted400

    Congratulations on the new position. And best of luck. Macs in AD environments work very well in general. Laptops do pose some challenges because they are almost always moving around and never reboot. The association to AD is really all about the login window. If you don't experience the login window, you really are not experiencing AD.

    * Do you know WHY a bound computer would not connect to a captive portal? (I have been able to find zero information anywhere online)

    I will admit, I am happy as can be that I have not experienced this issue. I support many hundred if not more AD bound devices across a wide range of customers. So far, no one has reported this issue. So, any chance you have logging information at the time of the attempted join? Are your network interfaces configured to use a proxy? What if you create a network location that is clean? Do you get the same experience from a wake from sleep as you do from a reboot and login to cached credentials?

    * If it's a "bug", and I do need to unbind them, do you know if there is a way to force password resets / manage passwords on OSX? (I am willing to consider standing up a Mac Server if necessary)

    Yes. You can set local password policy using pwpolicy. man pwpolicy for details.

    As much as I am a fan of OS X Server, an Apple server will not really help in this situation. If you have HIPAA compliance demands, the last thing you want to do is create a second directory system just for a handful of Macs. If you needed a Mac server, it would be best configured as a domain member to AD, ensuring your users, groups, and passwords stay in one place.

    Reid

    Apple Consultants Network

    Author - "El Capitan Server – Foundation Services"

    Author - "El Capitan Server – Control & Collaboration"

    Author - "El Capitan Server – Advanced Services"

    :: Exclusively available in Apple's iBooks Store
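
One way to set the local password expiration mentioned in the reply above with pwpolicy on an unbound Mac, as an added example that is not part of the original thread or of Reid's reply. The 90-day default, the policy identifier text and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: local password-expiry policy via pwpolicy (macOS).
# The 90-day default and the identifier string are assumptions, not from the thread.

# Write an account-policy plist that forces a password change every N days.
write_expiry_policy() {
    days=$1 out=$2
    # Accept only a positive integer so nothing else can reach the plist.
    case $days in
        ''|*[!0-9]*|0*) echo "days must be a positive integer" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordChange</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
      <key>policyIdentifier</key>
      <string>Change password every $days days</string>
      <key>policyParameters</key>
      <dict>
        <key>policyAttributeExpiresEveryNDays</key>
        <integer>$days</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Load the plist as the global policy for local accounts, then print the active policy.
apply_expiry_policy() {
    command -v pwpolicy >/dev/null 2>&1 || { echo "pwpolicy not found (macOS only)" >&2; return 1; }
    pwpolicy -setaccountpolicies "$1" && pwpolicy -getaccountpolicies
}

# Run as root on the Mac: sudo sh expiry-policy.sh apply 90
if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp) && write_expiry_policy "${2:-90}" "$tmp" && apply_expiry_policy "$tmp"
    rm -f "$tmp"
fi
```

Setting account policies this way replaces the existing global policy set, so review the output of `pwpolicy -getaccountpolicies` before and after applying it.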