Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Hotspot Apple CNA

Fri May 10, 2019 8:14 am

I need to somehow get past the Apple CNA (Captive Network Assistant) for hotspot.
The CNA still needs to pop up w/o giving internet access. Need to trick the CNA to
think it's online but still be restricted so user authentication can be processed externally
before being given full access.

Anyone got an idea for this challenge?

Thanks
 
normis
MikroTik Support
Posts: 26950
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Hotspot Apple CNA

Fri May 10, 2019 3:53 pm

You are trying to do opposite things. Why?
 
Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Hotspot Apple CNA

Sat May 11, 2019 4:30 am

The CNA browser has limited functionality. For our external authentication process, we need the users to download and install a file.
Unfortunately, the CNA browser cannot download files. The CNA provides a nice, seamless, intuitive user experience that we want to keep,
rather than adding captive.apple.com to the walled garden access list, which in consequence would bypass the CNA window.

Alas, I did find a solution, but it is not so elegant and I am not happy with my solution.

How about moving a client from one hotspot to another after login? Or moving a client to a different subnet after login?
Or also change/add to a VLAN after hotspot login?
Open to better solutions...
 
blingblouw
Member
Posts: 345
Joined: Wed Aug 25, 2010 9:43 am

Re: Hotspot Apple CNA

Sat May 11, 2019 5:23 am

Curious. What was your inelegant solution?
 
Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Hotspot Apple CNA

Mon May 13, 2019 7:21 am

Some sleight of hand, so to speak. Let them log in passively and allow the CNA to do its remediation; then force them off and redirect them to the external auth page where they can complete the registration process. All is transparent to the user. Using CNA web browser detection as well to make a logic decision for the action forward.

That is about it.

Also, figured out how to move them from one hotspot to another internally on the same server. What is the benefit of this, you might ask? Can force the user onto different subnets, etc.
 
normis
MikroTik Support
Posts: 26950
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Hotspot Apple CNA

Tue May 14, 2019 10:22 am

> we need the users to download and install a file.

Maybe you don't need hotspot? Sounds like some kind of secure organization. How about using iOS profiles?
 
Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Hotspot Apple CNA

Wed May 15, 2019 2:24 am

It is a BYOD (bring your own device) environment and we are not allowed to modify any of the BYOD devices; we have virtually no control over them, so unfortunately we cannot set up iOS profiles. Otherwise, yes, that would be a great solution.
 
normis
MikroTik Support
Posts: 26950
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Hotspot Apple CNA

Wed May 15, 2019 1:13 pm

How about using the Trial feature? It gives the user a very limited amount of online time, then logs them out and then gives only the login/pass option:
https://wiki.mikrotik.com/wiki/Manual:I ... ot/Profile
 
Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Hotspot Apple CNA

Tue May 21, 2019 3:42 am

That is a good idea, and should effectively do the same thing, but cleaner w/o having to muck around with markup. Just need to set the trial to the right time window for CNA completion.

Thanks for that, Normis.
 
jmangion
just joined
Posts: 2
Joined: Mon Sep 09, 2019 4:46 pm

Re: Hotspot Apple CNA

Tue Sep 10, 2019 12:50 pm

Hi Cvan,
We have a similar use case and were viewing this thread. Can you kindly shed more light on the following questions:
What do you need to let them log in passively?
And also, how do you push a user from one hotspot to another internally on the same server?

Thanks
Joseph