IWA with Guest Wifi Network
https://support.okta.com/help/answers?id=906f0000000i0hniak&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Tom Freemantle

IWA with Guest Wifi Network

Hi,

We have come across a problem in a few different Okta setups now where they have IWA configured.  If the guest wifi network gets NATed through the same external IP as the internal network, then laptops will not be able to log into Okta.  Mobile devices are fine because Okta can detect them and not redirect.  Laptops on the internal wifi are fine as they can reach the IWA agents.  The problem is for partners who are trying to reach Okta protected applications while on site and therefore using the wifi.

I've had a couple of ideas on how to fix this but none of them are 100% desirable.
  • Change the NAT'd IP for the guest network to not match the internal network - This isn't always possible.
  • Have the DNS on the guest network direct https://desktopsso/iwa to another web server that redirects to https://company.okta.com/login/default - needs split DNS and a web server to maintain
  • Allow access from the guest network to the IWA server and add this change so they get a forms login page: https://support.okta.com/help/blogdetail?id=a67F0000000XZhfIAG - This is not always allowed by the network guys
Does anyone have any better ideas?  I'm sure there are better ways of doing this.

Thanks,
Tom
Okta Admin
This is a very good question as we have the same type setup and issue
Parth Swadas
We have a similar issue. Since guests are connected to the external network, they never reach the internal IWA server.

/Parth
Eric Stermer
Has there been any resolution to this?  I have the same issue and article, https://support.okta.com/help/blogdetail?id=a67F0000000XZhfIAG, is fairly old and references some changes that should have been completed by now.
Mike Sweeney
Posting to say same issue here. It would be nice to have the ability in app authentication policies to say "if User/group=x, then authenticate via=loginpage, IWA, or etc.)
Jeremiah Miller
We have the exact same issue and so far do not have any good way to address this. We had to turn off desktop SSO because of issues with our guest networks. I wish Okta would give this issue more attention.
Clay Romeiser
We have this problem too.  Over 100 locations now need a different IP for our guest wifi - and some can only have one.  I'd like to see the public DNS for our IWA server point back to Okta. A cookie could be dropped on the browser before redirect and if there when they end up back at Okta, it could tell them what's going on. (customer/destination, etc)
Bradford Boyle
Adding to the thread.  100 sites, 100 internal LANs that work great.  100 guest wifi SSIDs that route out through the same public IP.  They cannot authenticate to the IWA and it times out.  Maybe a timeout of 5 seconds would say: I clearly can't connect to IWA, let's authenticate as off-net with MFA.
Fabio Grasso
I have the same problem. I've solved it with solution 2 (Have the DNS on the guest network direct https://desktopsso/iwa to another web server that redirects to https://company.okta.com/login/default - needs split DNS and a web server to maintain) but it's not the best and I hope that Okta will improve the javascript logic in order to handle cases like this
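The redirect web server behind Tom's option 2 (the workaround Fabio says he deployed), as an added example that is not code from the thread or from Okta: split DNS on the guest SSID points the IWA hostname at this service, which answers the IWA path with a 302 to the Okta forms login and refuses everything else. The hostname `desktopsso`, the `/iwa` path and the tenant URL `company.okta.com` are taken from Tom's post and are placeholders to replace with your own values.

```python
# Added example: minimal redirector for the IWA hostname on a guest network.
# Assumptions (not from the thread): Okta sends browsers to https://desktopsso/iwa
# with an optional query string, and the tenant login page is company.okta.com.
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit

OKTA_LOGIN = "https://company.okta.com/login/default"  # placeholder tenant
IWA_PATHS = ("/iwa",)  # only the IWA entry point is redirected; all else is 404


def build_redirect(request_target: str) -> Optional[str]:
    """Return the Location header for an IWA request, or None to refuse it.

    The redirect host is fixed, so this is not an open redirect; the original
    query string is passed through unchanged so any return-URL parameter Okta
    attached survives the hop and the user lands on the app they asked for.
    """
    parts = urlsplit(request_target)
    if parts.path.rstrip("/").lower() not in IWA_PATHS:
        return None
    if not parts.query:
        return OKTA_LOGIN
    return f"{OKTA_LOGIN}?{parts.query}"


class IwaRedirectHandler(BaseHTTPRequestHandler):
    """Serve the IWA hostname on the guest network and bounce to forms login."""

    def do_GET(self) -> None:
        location = build_redirect(self.path)
        if location is None:
            self.send_error(404, "Not an IWA endpoint")
            return
        self.send_response(302)
        self.send_header("Location", location)
        self.send_header("Cache-Control", "no-store")  # never cache the bounce
        self.end_headers()

    def log_message(self, fmt, *args) -> None:  # keep stdout quiet
        pass


if __name__ == "__main__":
    # Terminate TLS in front of this (the IWA URL is https://), e.g. with a
    # reverse proxy holding a certificate for the IWA hostname.
    HTTPServer(("0.0.0.0", 8080), IwaRedirectHandler).serve_forever()
```

Because the upstream host is hard-coded, a guest device that is pointed here by split DNS only ever reaches your own Okta tenant, and any other path on the IWA hostname returns 404 rather than a redirect.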