Guest Access Portal Office 365 authentication

We're trying to use Office 365 authentication for the cnMaestro Guest Access Portal with our cnPilot e410 access points. I used the document found here. We have it functioning, but on Windows 10, Android phones, and Mac laptops it takes roughly 1 minute to get the first O365 authentication screen. iOS devices and Android tablets seem to load immediately. On the devices that don't load, the login.microsoftonline.com URL starts to load, but you don't see anything in the browser for 1 minute.

I've done packet captures as well as inspecting the login.microsoftonline.com page and have added every domain that I see listed or queried through DNS, but nothing has had any effect.

Any thoughts?

Have you tried to dig into Google Dev Tools by hitting F12 or equivalent on a Mac OS laptop? That should give a bit of insight into where the delay is when you compare against say, an iOS device.

Hi jhh, 

We would require the below-mentioned details to proceed further:

1. Are you using cnMaestro on premises or Cloud and what is the firmware version?

2. We would like to know the Android phone's and Mac laptop's versions and the browser's version.

3. We would like you to do an inspect from the browser.

4. Kindly send us the configuration backup of NOC. If you are using cloud, kindly invite as a super admin.

Thanks

Raja M

We are running cnMaestro on prem, version 2.2.0-r60, and the access point firmware version is 3.11-r9 (I just upgraded from 3.10.3-r3 to see if it would help, and it did not).

It's multiple Android phones. The one I have in front of me is 7.0 with an April 1, 2018 security patch. The other, which is not in front of me, is 8.0.0 ODXS27.109-34-17-3-5 (I don't know if that's a Moto version # or what).

The Android tablet, which is working well, is version 7.1.1 with a November 1, 2018 security patch.

Windows 10 is version 1803 build 17134.648.  Somehow, on this one, I'm no longer getting the portal redirection at all in Chrome, but I am in Internet Explorer, but then extremely slow to load the Office 365 authentication page.

Mac version is 10.14.5.

I'm hesitant to post my backup here as I'm not sure if preshared keys and passwords are extractable from those files.  Is there a way for me to do so without compromising security?

I've had some success with this.

I used a packet capture on the Windows 10 computer to see what was going on when going through the Guest Portal, particularly paying attention to DNS queries.  I found a handful of Domains, mostly seeming to be related to Microsoft's Certificate infrastructure, that once added to the Guest Access Portal Whitelist allowed things to work more as expected.  The following were the additional Domains added to the whitelist:

peer4-chg.msedge.net

ocsp.msocsp.com

mscrl.microsoft.com

crl.microsoft.com

iecvlist.microsoft.com

The one remaining issue is that I now get prompted, on Android phones only, with a message that "The network you're trying to join has security issues..." as seen in the attached screenshot.
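The capture-and-compare step described in the post above, as an added example that is not part of the original thread: it lists the hostnames a pre-authentication client queried that the portal whitelist does not cover, and marks likely certificate revocation (OCSP/CRL) endpoints. The input format, the sample data and the matching rule (an entry covers itself and its subdomains) are assumptions; check how your controller matches whitelist entries.

```python
# Added example: diff DNS queries from a pre-auth capture against a whitelist.
# Assumed input: tab-separated "seconds<TAB>query name" rows, e.g. from
#   tshark -r capture.pcap -Y "dns.flags.response == 0" \
#          -T fields -e frame.time_relative -e dns.qry.name

# Constructed sample rows (not the poster's capture), with a duplicate,
# a trailing-dot name and two malformed rows.
SAMPLE_QUERIES = (
    "0.412\tlogin.microsoftonline.com\n"
    "0.588\tocsp.msocsp.com\n"
    "0.590\tOCSP.msocsp.com.\n"
    "row without a tab\n"
    "0.900\t\n"
    "1.105\tmscrl.microsoft.com\n"
    "1.730\tcrl.microsoft.com\n"
)
SAMPLE_WHITELIST = ["login.microsoftonline.com"]  # constructed

def normalize(name):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return name.strip().rstrip(".").lower()

def is_covered(host, whitelist):
    """Assumed semantics: an entry covers itself and its subdomains."""
    return any(host == w or host.endswith("." + w) for w in whitelist)

def missing_domains(query_text, whitelist):
    """Return sorted (first_seen_seconds, host) for each uncovered host."""
    allowed = [normalize(w) for w in whitelist]
    first_seen = {}
    for line in query_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1].strip():
            continue  # skip malformed rows and empty query names
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        host = normalize(parts[1])
        if not is_covered(host, allowed):
            first_seen.setdefault(host, ts)  # keep the earliest sighting
    return sorted((ts, host) for host, ts in first_seen.items())

def looks_like_revocation(host):
    """Heuristic only: OCSP/CRL hosts often carry these tags in the first label."""
    return any(tag in host.split(".")[0] for tag in ("ocsp", "crl"))

if __name__ == "__main__":
    for ts, host in missing_domains(SAMPLE_QUERIES, SAMPLE_WHITELIST):
        note = "  <- revocation check?" if looks_like_revocation(host) else ""
        print(f"{ts:8.3f}s  {host}{note}")
```

Capture from a client that has joined the guest SSID but has not yet authenticated, so the list reflects only what the walled garden has to permit.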

Hi Jhh,

Any time an HTTPS request is intercepted it will generate an error (this is due to the nature of the HTTPS protocol and is required to keep it secure). This can't be avoided with the default configuration.

In order to avoid this you have to purchase a certificate for your on-premises cnMaestro.

Thanks

Raja M

I have, and have put the certificate on cnMaestro, days ago.  If it was a certificate issue I'd see the issue on more than Android phones.

Hi Jhh,

I believe you have disabled Bypass captive portal detection.

We are receiving this error due to the default browser in Android mobile phones.

We would not receive this error if we open the browser manually and open any http URL.

Kindly whitelist aaq0175.my.centrify.com also.

Thanks

Raja M