We're trying to use Office 365 authentication for the cnMaestro Guest Access Portal with our cnPilot e410 access points. I used the document found here. We have it functioning, but on Windows 10, Android phones, and Mac laptops it takes roughly 1 minute to get the first O365 authentication screen. iOS devices and Android tablets seem to load immediately. On the devices that don't load, the login.microsoftonline.com URL starts to load, but you don't see anything in the browser for 1 minute.
I've done packet captures as well as inspecting the login.microsoftonline.com page and have added every domain that I see listed or queried through DNS, but nothing has had any effect.
Have you tried to dig into Google Dev Tools by hitting F12 or equivalent on a Mac OS laptop? That should give a bit of insight into where the delay is when you compare against say, an iOS device.
We are running cnMaestro on prem, version 2.2.0-r60, and the access point firmware version is 3.11-r9 (I just upgraded from 3.10.3-r3 to see if it would help, and it did not).
It's multiple Android phones. The one I have in front of me is 7.0 with an April 1, 2018 security patch. The other, which is not in front of me, is 8.0.0 ODXS27.109-34-17-3-5 (I don't know if that's a Moto version # or what).
The Android tablet, which is working well, is version 7.1.1 with a November 1, 2018 security patch.
Windows 10 is version 1803 build 17134.648. Somehow, on this one, I'm no longer getting the portal redirection at all in Chrome, but I am in Internet Explorer, though it is then extremely slow to load the Office 365 authentication page.
Mac version is 10.14.5.
I'm hesitant to post my backup here as I'm not sure if preshared keys and passwords are extractable from those files. Is there a way for me to do so without compromising security?
I used a packet capture on the Windows 10 computer to see what was going on when going through the Guest Portal, particularly paying attention to DNS queries. I found a handful of Domains, mostly seeming to be related to Microsoft's Certificate infrastructure, that once added to the Guest Access Portal Whitelist allowed things to work more as expected. The following were the additional Domains added to the whitelist:
peer4-chg.msedge.net
ocsp.msocsp.com
mscrl.microsoft.com
crl.microsoft.com
iecvlist.microsoft.com
The one remaining issue is that I now get prompted, on Android phones only, with a message that "The network you're trying to join has security issues..." as seen in the attached screenshot.
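The post above works through a packet capture by hand: collect the DNS names the client queries while the portal page loads, then add whatever is not already on the Guest Access Portal whitelist. The script below is an added example (not from the original thread or from Cambium) that automates that comparison over a constructed DNS query log. The log lines, client address and the two non-Microsoft names are made up for the example; the whitelist entries are the ones the thread names. It assumes a whitelist entry covers its subdomains, which is an assumption about cnMaestro's matching, not something the thread confirms.

```python
import re
from collections import Counter

# Constructed sample of DNS queries, in the shape one might export from a
# capture on the Windows 10 client while the portal redirect runs.
# Format per line: time client qtype name   (not real capture data)
SAMPLE_DNS_LOG = """\
13:04:11.203 192.0.2.10 A login.microsoftonline.com
13:04:11.240 192.0.2.10 A ocsp.msocsp.com
13:04:11.252 192.0.2.10 A crl.microsoft.com
13:04:11.260 192.0.2.10 A mscrl.microsoft.com
13:04:11.301 192.0.2.10 A peer4-chg.msedge.net
13:04:11.380 192.0.2.10 A iecvlist.microsoft.com
13:04:12.002 192.0.2.10 A static.example-cdn.net
13:04:12.010 192.0.2.10 AAAA static.example-cdn.net
13:04:13.511 192.0.2.10 A telemetry.example.org
13:04:13.900 192.0.2.10 A login.microsoftonline.com
"""

# Whitelist as it stood before the fix (the IdP host from the first post) and
# the five domains the poster found in the capture and added afterwards.
ORIGINAL_WHITELIST = ["login.microsoftonline.com"]
ADDED_DOMAINS = [
    "peer4-chg.msedge.net",
    "ocsp.msocsp.com",
    "mscrl.microsoft.com",
    "crl.microsoft.com",
    "iecvlist.microsoft.com",
]

LINE_RE = re.compile(
    r"^\S+\s+(?P<client>\S+)\s+(?P<qtype>A|AAAA|CNAME)\s+(?P<name>[A-Za-z0-9.-]+)$"
)


def parse_queries(log_text):
    """Return a Counter of queried names, lower-cased with any trailing dot removed."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[m.group("name").lower().rstrip(".")] += 1
    return counts


def is_whitelisted(name, whitelist):
    """Assumed matching rule: an entry covers the exact name and any subdomain of it."""
    for entry in whitelist:
        entry = entry.lower().lstrip("*.")
        if name == entry or name.endswith("." + entry):
            return True
    return False


def missing_domains(log_text, whitelist):
    """Names the client queried that no whitelist entry covers, sorted for review."""
    counts = parse_queries(log_text)
    return sorted(n for n in counts if not is_whitelisted(n, whitelist))


if __name__ == "__main__":
    print("Not covered by the original whitelist:")
    for name in missing_domains(SAMPLE_DNS_LOG, ORIGINAL_WHITELIST):
        print("  ", name)
    print("Still not covered after adding the five domains:")
    for name in missing_domains(SAMPLE_DNS_LOG, ORIGINAL_WHITELIST + ADDED_DOMAINS):
        print("  ", name)
```

Run it against a real export and treat the output as a review list, not something to whitelist wholesale: a name that is queried but answered from cache, or that belongs to an unrelated background process, does not need to be opened on the portal, and every entry added widens what an unauthenticated client can reach.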
Any time an HTTPS request is intercepted it will generate an error (this is due to the nature of the HTTPS protocol and is required to keep it secure). This can't be avoided with the default configuration.
In order to avoid this you have to purchase a certificate for your on-premises cnMaestro.