
Issues with Sponsored Login - MacOS

KVNNE3029
Frequent Visitor

Hello Everyone! 

Running into a slight issue with the Sponsored Login configuration. I currently have an SSID with Sponsored Login enabled. All devices excluding anything running MacOS is having issues connecting to the captive portal. When trying to connect to the SSID, it will indicate there is an error and that you need to get closer to the AP. The only way I can get this to work is by setting the Security to Open rather than our intended Opportunistic Wireless Encryption. 

Current configuration for this SSID - 

Security: Opportunistic Wireless Encryption (OWE)

Splash Page: Sponsored Guest Login 

Client IP and VLAN: Meraki AP Assigned (Nat mode)

Thanks! 

 

Accepted Solutions

KVNNE3029
Frequent Visitor

Going to close out this ticket as it looks to be a direct compatibility issue with Apple. 

Opportunistic Wireless Encryption (OWE) was introduced in an effort to improve security on open networks encrypting the air model to prevent traffic snooping and other related attacks. It provides protection against passive surveillance by encrypting over-the-air traffic on unauthenticated networks. Support was added on the following devices with iOS 16, iPadOS 16.1, macOS 13 or tvOS 16, or later:

  • All iPhone models starting from iPhone 11 or later

  • All iPad models from late 2020 or later

  • All Mac computers from late 2020 or later

  • All Apple TV models starting from Apple TV 4K (1st generation) or later

Thank you everyone who replied to try and help. Appreciate this community a lot. 

14 Replies

Mark Elsen
Hall of Fame

 

@KVNNE3029

> ....there is an error

Post the full error

  M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

Hello! 
The only error we are getting is while trying to establish the connection with the MacOS device.

KVNNE3029_1-1776092800467.png

Apple being Apple, this seems to be the default error we would get if it is generally related to the wireless. If it helps, the AP is inches away from the laptop; not that it matters. 

jstrauch-aurorium
Community Member

I don't believe that this is really an issue.  Have you checked the documentation to make sure that OWE is compatible with a Splash Page?  This very well could be by design and not an issue per se.  

We did have a conversation with a tech who did indicate that OWE works with Sponsored Guest Login. 

It does work with everything else other than MacOS. 

jstrauch-aurorium
Community Member
Yes, wireless OWE (Opportunistic Wireless Encryption) works with a splash page in Meraki, providing both encrypted traffic and guest portal access (click-through or sign-on). OWE provides encryption for the air-gap (WPA3 protection), while the Meraki splash page (configured in Access Control) provides user authentication or policy acceptance. 
 

 

Meraki Community +4
Key Considerations:
  • Support: OWE/WPA3 support must be supported on client devices, although they see it as an open network.
  • Setup: Configure the SSID with Open (no encryption) -> OWE and enable the Splash page (Click-through or RADIUS sign-on).
  • Walled Garden: Ensure proper walled garden entries are set if using a sign-on splash page to allow initial authentication traffic.
  • Best Practice: OWE is recommended over traditional open networks to provide privacy in public settings. 
     

     

    Meraki Community +4

Rich R
VIP

@jstrauch-aurorium you've provided 2 replies which contradict each other - do you maybe want to think about deleting the first one?
And the second one looks like it's taken straight from an AI chatbot!  And what's the "Meraki Community +4" repeated above and below your bullet points about?

OWE provides WPA3 encryption for the wireless traffic over the air (albeit not as secure as PSK/802.1x), splash page provides interactive login capability - 2 completely separate functions.

@KVNNE3029 what exactly are the devices which cannot connect? What OS and version, and do the network cards and drivers support WPA3 (make sure drivers are up to date)?
As Marc said please provide detail on the exact error - maybe a screenshot?
What do logs on dashboard show?
What model of AP?
Is the AP firmware up to date (what version is it running)?

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

jstrauch-aurorium
Community Member

@Rich R 

  • Setup: Configure the SSID with Open (no encryption) -> OWE and enable the Splash page (Click-through or RADIUS sign-on).
    The reason I posted this was because it sounds like Yes OWE would work but only with a Splash Page of Click-through or RADIUS sign-on which was not the setup the original poster said he used.  Thus it was a suggestion to try one of those Splash pages and see if it works.   

    If you know for a fact that it would work with a sponsored guest splash page, then post the configuration you used to get it to work and let the community see how it was supposed to be done.

joey.debra
Meraki Community All-Star

Can you confirm your devices have an IP address but just don't get through?
The most common issue with captive portals is that some vendors (Android, Windows and Apple) need some walled garden URL's so they can open the testpage to trigger a redirect to the splash page.

Apologies for the delay! 

I was not in office last week and was not able to get back to everyone. 

We are getting the following error. Mind you, this is ONLY happening to MacOS devices. We have tried devices on Ventura, Sonoma, and my own laptop running on Sequoia. 

KVNNE3029_0-1776092647150.png

It gets this error, and no establishment to the network happens, so no IP address assigned. 

Looking at the table, OWE should be working with Sponsored Guest Login so we wanted to utilize it for encryption purposes. 

Once we change the settings over to Open with Sponsored Guest Login, it works with no issues. I assume this might just have to do with the way MacOS processes the captive portal option, but wanted to see if others have experienced this issue and if there is a resolution of sorts. 

 

 

MarcP829
Level 9

Sometimes have got the same problem with any devices.

Just try open http://www.google.de not https  - works 99% of the times for us.

jstrauch-aurorium
Community Member

Out of curiosity, what has Meraki Support said about this issue?  

Meraki Support indicated OWE is supported with Sponsored Guest Login and should work as is. 

I actually posted in a chat with some other Sysadmins and looks like this is a common issue and is a compatibility issue with MacOS devices based on hardware. Looks like it depends on the hardware and device that can support OWE. I am going to see if I can test on a MacBook running the latest chipset to see if we may run into any issues. 

Yes this will almost certainly be a bug on the AP or MacOS so could be fixed in a later release of either.
You'll need an over the air (OTA) packet capture to see which side is at fault.

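
As an added example (not part of any post in this thread): once an over-the-air capture is in hand, the OWE-relevant fields can be read directly from each frame's tagged parameters. The Python below checks a beacon or association request for the OWE AKM suite (00-0F-AC:18), the management frame protection bits and the OWE Diffie-Hellman Parameter element; the function names and the sample bytes are constructed for illustration.

```python
import struct

OUI_IEEE = b"\x00\x0f\xac"
AKM_OWE = 18                      # AKM suite 00-0F-AC:18 (RFC 8110)
EID_RSN, EID_EXT, EXT_OWE_DH = 48, 255, 32

def iter_elements(buf):
    """Yield (element_id, body) pairs; stop at a truncated element."""
    i = 0
    while i + 2 <= len(buf):
        eid, length = buf[i], buf[i + 1]
        body = buf[i + 2:i + 2 + length]
        if len(body) < length:
            return
        yield eid, body
        i += 2 + length

def parse_rsn(body):
    """Return (AKM suite types, MFPR, MFPC) from an RSN element body."""
    pos = 2 + 4                                   # skip version and group cipher
    (n_pair,) = struct.unpack_from("<H", body, pos)
    pos += 2 + 4 * n_pair                         # skip pairwise cipher list
    (n_akm,) = struct.unpack_from("<H", body, pos)
    pos += 2
    suites = [body[pos + 4 * k:pos + 4 * k + 4] for k in range(n_akm)]
    akms = [s[3] for s in suites if len(s) == 4 and s[:3] == OUI_IEEE]
    pos += 4 * n_akm
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0
    return akms, bool(caps & 0x40), bool(caps & 0x80)

def owe_summary(tagged):
    """Collect the OWE-relevant fields from one frame's tagged parameters."""
    out = {"owe_akm": False, "mfpr": False, "mfpc": False, "dh_group": None}
    for eid, body in iter_elements(tagged):
        if eid == EID_RSN:
            akms, out["mfpr"], out["mfpc"] = parse_rsn(body)
            out["owe_akm"] = AKM_OWE in akms
        elif eid == EID_EXT and len(body) >= 3 and body[0] == EXT_OWE_DH:
            out["dh_group"] = struct.unpack_from("<H", body, 1)[0]
    return out

# Constructed sample bytes (not from a real capture): SSID "Guest" + RSN element
RSN = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac12" "c000")
BEACON = bytes.fromhex("00054775657374") + RSN
# Association request from an OWE-capable client: RSN + DH Parameter, group 19
ASSOC_OWE = RSN + bytes.fromhex("ff23" "20" "1300") + bytes([0x11]) * 32
# Association request from a client that treats the SSID as plain open
ASSOC_OPEN = bytes.fromhex("00054775657374")

if __name__ == "__main__":
    for name, frame in [("beacon", BEACON), ("owe", ASSOC_OWE), ("open", ASSOC_OPEN)]:
        print(name, owe_summary(frame))
```

On an OWE-only SSID, an association request with no RSN element or no Diffie-Hellman Parameter element suggests the client is not attempting OWE at all, while a well-formed request followed by a rejection puts the focus on the AP's response.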