It turns out I had 27 devices that this happened to yesterday (90% Apple devices). They would...
a) connect to the SSID
b) be served the splash page
c) enter their credentials
d) be told that they were connected and could now close the splash page
But if they closed the splash page, their connection was dropped and they had to repeat the process all over again.
Things I tried that did NOT work:
- I rebooted the affected devices
- I whitelisted the 'check for internet' URLs in the walled garden [captive.apple.com, msfttestconnect.net, *.gstatic.com] to prevent the splash page from being served automatically and forced the splash page to appear manually by doing an HTTP GET request from a web browser.
- I revoked device authorization in the Dashboard and de-authorized the user on the 'splash login' page, waited 10 minutes and had the user try to sign in again
- I changed the policy on each affected device to "blocked", waited 10 minutes for that change to propagate to all of the MRs, and then changed the device policy to "normal", waited another 10 minutes and had the user try again
- I had the user connect to an SSID that used a "click-through" splash page instead of Active Directory authentication
- I turned off "mandatory DHCP" on the SSID access control page, and set a static IP on the device using the appropriate gateway and DNS addresses.
Things I neglected to try that might have worked:
- Clear any stale session cookies from the browser cache of affected devices
- Spoof the MAC address on an affected device so the MR believes it to be a 'new' device
What ended up working for me...
I created a new open SSID with no splash page (direct access). I had the affected devices connect to that SSID and browse to a couple of different websites. Then I told those devices to 'forget' the open SSID and connect once again to the SSID with the Active Directory splash page. This time, the sign-in process completed and users could click "done" or close the splash page without losing their connection.
I have no idea why just under 10% of the devices on my wireless network suddenly had problems with the splash page, nor do I know why the 'solution' I discovered actually works. I just thought I would document my process just in case anyone ever discovers this thread while searching for solutions to a similar problem.