Mac Lion & Safari Help

Note: If this is a new download of Lion, please download Java; it is necessary for the captive portal to function. To check that Java is enabled, follow these instructions.

Many Mac users have had problems accessing Mason’s wireless network after they have upgraded to Lion. The problem has to do with a change that Apple introduced with the Lion OS and the accompanying version of the Safari browser. This problem has affected network access for many service providers and is not isolated to Mason.

Apple added a feature to Safari to check to see if the certificate used for a secure web connection had been revoked. A certificate might be revoked if a web site certificate was compromised or a fake certificate was created. To perform this check, Safari tries to connect to usertrust.com or incommon.org servers on the web. The problem comes when a secure captive portal is used to authenticate access to the network. (A captive portal is a website that requires you to enter a username and password before allowing network access. A secure captive portal is a website that uses an encrypted [HTTPS] connection.)

Mason's wireless networks use a secure connection between the user's computer and the authentication server to protect the user's username and password. When the user's computer system tries to connect to the network, the web connection is redirected to the secure captive portal (uac.gmu.edu). The captive portal sends a certificate to the user's computer system to encrypt the connection. The new version of Safari then tries to connect to Apple's server to check to see if the certificate has been revoked, which usually opens a second window for that connection. But since access to the network has not been authenticated yet, the connection fails.
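The hosts a revocation check has to reach are named inside the certificate itself, in its CRL Distribution Points and OCSP entries. The script below is an added example, not part of the original page: it lists those hosts from `openssl x509 -text` output, and its comments show how to print the certificate's SHA-256 fingerprint for comparison before trusting it in a keychain. The function names and the `example.test` sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are illustrative.

# Download the leaf certificate a host presents, as PEM (needs network access).
fetch_portal_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Read `openssl x509 -noout -text` output on stdin and print one line per
# revocation endpoint: kind, host, full URI (tab separated).
revocation_hosts() {
    awk '
        function emit(kind,   uri, host) {
            uri = $0
            sub(/^.*URI:/, "", uri); sub(/[ \t\r]+$/, "", uri)
            host = uri
            sub("^[a-z]+://", "", host); sub("[/:].*$", "", host)
            print kind "\t" host "\t" uri
        }
        /X509v3 CRL Distribution Points/ { in_crl = 1; next }
        in_crl && /URI:/ { emit("CRL"); next }
        in_crl && (/Full Name:/ || /^[ \t]*$/) { next }
        { in_crl = 0 }              # any other line ends the CRL section
        /OCSP - URI:/ { emit("OCSP") }   # CA Issuers lines are skipped
    '
}

# Constructed sample of the extension section of `openssl x509 -text` output.
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:portal.example.test
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.test/portal-ca.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.example.test/portal-ca.crt
                OCSP - URI:http://ocsp.example.test
EOF
}

# Offline demonstration on the constructed sample.
sample_cert_text | revocation_hosts
# Live use from a connection that is already online:
#   fetch_portal_cert uacwireless.gmu.edu > portal.pem
#   openssl x509 -in portal.pem -noout -fingerprint -sha256
#   openssl x509 -in portal.pem -noout -text | revocation_hosts
```

If the listed hosts cannot be reached before the portal login completes, the revocation check cannot finish.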

Workarounds and Solutions

1. Use a different browser than Safari

Since the problem was caused by a change in Safari, the recommendation has been to use another browser, namely Firefox or Chrome, neither of which tries to check the certificate provided by the secure captive portal. This has been proven to work.

2. Use an alternate browser to modify the Apple Keychain

Export the captive portal's SSL certificate with the following steps:

Activate your wireless connection to the Mason network. Then, using either Firefox, Chrome, or a terminal window, download the certificate. The steps for each are listed below.

When you run Safari*, it will now be able to connect to the secure captive portal page.

How this modification works

This modification makes the user's computer ‘trust’ the certificate from the secure captive portal (uacwireless.gmu.edu for wireless at Mason). A procedure for doing this was found on the Stack Exchange web site and forwarded to NET by Don Whiteside from the Provost’s Office. The workaround involves using Firefox to export the certificate from uacwireless.gmu.edu and then importing the certificate into a keychain on the Mac system. We have also found a method to export the certificate using Chrome and from the command line.

Administrators of many other sites are experiencing the same problem with their secure captive portals. This problem is not isolated just to Mason's networks. This procedure will not only work for access to the SNAP network, it will also work with the certificate for non-Residence Hall users (replace uac.gmu.edu with uacwireless.gmu.edu). Additionally, it can also be used by Lion users to provide access through any secure captive portal – until Apple provides a solution to the problem they created.

Limitations of the Fix

The downside to this procedure is that if the secure captive portal certificate is compromised, the user's system will not check and will continue to trust the certificate. If this does happen, then it is likely that Mason (or the other secure captive portal site) will replace the certificate before Apple is aware of the problem. The user will again not be able to access the site via the secure captive portal and will be made aware that they will need to remove the old certificate and add the new certificate.


*A new user will also have to confirm that Java is installed and enabled on their system.

How to check to see if Java is installed and enabled:

  1. Open Java Preferences (Launchpad -> Utilities -> Java Preferences).
  2. On the General tab, just below the tabs, ‘Enable-applet-plugin’ should be checked.
Also on the General tab, there should be versions of Java listed in the large window at the bottom. If you do not already have a version of Java loaded, you will need to download one. This cannot be done from the wireless network. You will need to establish a network connection at some other location, connect to java.com, and follow the directions for installing Java on your system.