Okay, I have found out some more info.
If you are using a captive portal to get to the internet, it breaks because it cannot check for the certificate revocation. If you turn off the checks that seems to work, but that is a bad idea.
What needs to be done at the portal is to make exceptions in the firewall to allow the machines to get out to whatever CRL and OCSP sites are needed to verify the status or revocation of the certificates being handed out by the portal itself. If it blocks these attempts, Lion thinks it is a hijack and will not go on the net.
What I see happening is after this, a certificate shows up in the login keychain called "unknown". Then the keychain app stops working. When you launch it you get the beachball.
Once I had our wireless networking admin add in the exceptions for our portals' certificate status (they can find them in the certificates themselves), then everything seems to work. You will of course have to go through the whole reboot to recovery mode and fix drive and permissions to get the keychain access back and delete the unknown cert.
Once that is done AND the firewall allows OCSP and CRL checks, then it all seems to work as designed.
Once that is done and things work as they should, remember to make sure you turn on OCSP and CRL checks. They are there for a very good reason.
By the way, in my previous post I was going to try turning them off at the command line when the keychain would not load, to see if it would help.
It didn't. The settings were set correctly to off, but once the keychain is pooched, that's it. You can connect securely to anything.
Anyone else have anything to add? Has anyone tried the same thing with the portal firewall?
Success? Failure?
So far this has worked through the day. I will report back if it continues to work.
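
Added example, not part of the original post: one way to read the OCSP and CRL locations out of a portal certificate so they can be turned into firewall exceptions. The function names and the `portal.example.test` certificate are constructed for illustration; `make_demo_cert` assumes OpenSSL 1.1.1 or later for `-addext`, and in practice you would point `revocation_hosts` at the PEM file of the portal's real certificate.

```bash
#!/usr/bin/env bash
# List the revocation endpoints named inside a certificate, i.e. the hosts a
# captive-portal firewall has to let unauthenticated clients reach.

# Print "OCSP <url>" and "CRL <url>" lines for a PEM certificate.
revocation_urls() {
    # OCSP responder URLs from the Authority Information Access extension.
    openssl x509 -in "$1" -noout -ocsp_uri | sed 's/^/OCSP /'
    # CRL URLs: only URI lines inside the CRL Distribution Points extension.
    openssl x509 -in "$1" -noout -text | awk '
        /CRL Distribution Points/ { in_crl = 1; next }
        /X509v3|Authority Information Access|Signature Algorithm/ { in_crl = 0 }
        in_crl && /URI:/ { sub(/.*URI:/, ""); print "CRL " $0 }'
}

# Reduce the URLs to a unique list of host[:port] values for the allow list.
revocation_hosts() {
    revocation_urls "$1" | awk '{ print $2 }' |
        sed -E 's#^[A-Za-z]+://([^/]+).*#\1#' | sort -u
}

# Constructed sample input: a throwaway self-signed certificate carrying both
# extensions, so the script can be tried without a real portal certificate.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=portal.example.test" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.portal.example.test/" \
        -addext "crlDistributionPoints=URI:http://crl.portal.example.test/portal-ca.crl" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

demo=$(mktemp)
make_demo_cert "$demo"
echo "Hosts to allow before portal login:"
revocation_hosts "$demo"
rm -f "$demo"
```

Run it against every certificate in the chain the portal presents, since intermediates usually name their own CRL and OCSP hosts.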