Is Hotspot still going to work here?

I set up a hotspot gateway to service a dozen EnGenius APs for a K-12 school. After completing the project as agreed, staff pointed out that all users log in to the network (Apple) with a client, prior to gaining access to their desktop, so there is no way to have the browser open to authenticate to the hotspot at that point. Is there a way to get around this limitation, or do I need to abandon the hotspot and go another route?

We are currently using a hotspot with FreeRADIUS and OpenLDAP to authenticate users.

Raymond

You can use the walled garden IP section to permit specific traffic even for unauthenticated users.

It is likely OpenDirectory, which shouldn’t be dependent on much more than LDAPS and Kerberos (though that is a wild guess).

However, if users are already authenticating to the network that way it might make more sense to not run an open network with a Hotspot but rather run 802.11i and authenticate against RADIUS tying into their directory services on association with the AP, and run just a guest network as a Hotspot. That’s more of a design decision than a matter of “can I somehow make a Hotspot work with this”, though.

Thanks for the response. I am not sure how to configure the preferred method right now, but should be able to use the walled garden approach. From looking at the docs, it should be as simple as this:

/ ip hotspot walled-garden ip add dst-address=x.x.x.x action=accept

That way I don’t need to worry about protocols, etc. Since the server is secure, is this an acceptable method?

That would work.
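
An added example, not part of the thread: the walled-garden rule discussed above shown beside a narrower form that exposes only directory login traffic to unauthenticated clients. The address 192.0.2.10 is a placeholder for the x.x.x.x server, and the port list (LDAPS and Kerberos, the services guessed at earlier in the thread) is an assumption to confirm against the actual login traffic.

```routeros
# Added example; 192.0.2.10 is a placeholder for the directory server (x.x.x.x in the thread).
# Ports are assumptions: LDAPS on 636/tcp, Kerberos on 88/tcp and 88/udp.

# Broad form from the thread: every protocol and port on the server is
# reachable by clients that have not logged in to the hotspot.
# /ip hotspot walled-garden ip add dst-address=192.0.2.10 action=accept

# Narrower form: only directory login traffic bypasses the hotspot.
/ip hotspot walled-garden ip
add dst-address=192.0.2.10 protocol=tcp dst-port=636 action=accept comment="LDAPS pre-auth"
add dst-address=192.0.2.10 protocol=tcp dst-port=88 action=accept comment="Kerberos TCP pre-auth"
add dst-address=192.0.2.10 protocol=udp dst-port=88 action=accept comment="Kerberos UDP pre-auth"

# Review what unauthenticated clients can reach.
/ip hotspot walled-garden ip print
```

If client login turns out to need another service on that server, add it as its own rule rather than reverting to the unrestricted one.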