Hi Tyler,
1. OWE is part of WPA3 authentication which requires client devices to use data encryption upon associating to the AP.
2. After association, the client will be redirected to the AD Logon Splash Page, where they will have to enter a username and password to authenticate to the AD server.
3. The client will enter their username and password. The AP will receive that information and then send that off to your server.
4. Your server will accept or deny the credentials. If denied, the server will indicate that to the AP and the AP will deny you access to the network. If your credentials are accepted, your server will send a message to the AP telling it to allow you into the network.
5. If you have your captive portal strength set to "block all access until sign-on is complete", then until users complete their sign-on they will not be allowed to access anything in the network (save for what is in your walled garden).
Additional Resources:
802.11 Process Explained - Note: If WPA/WPA2 or 802.1X authentication is required on the wireless network, the mobile station will not be able to send data until dynamic keying and authentication have taken place after the 802.11 Association is complete.
In our documentation we state the following: "To associate to a wireless network, a client must have the correct encryption keys (association requirements). Once associated the wireless client may need to enter information (network sign-on method) before accessing resources on the wireless network."
More on OWE from our documentation.
Hopefully this answers your question 🙂
Maria P | Network Support Engineer, Cisco Meraki
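
Added example, not part of the original reply and not Meraki code: a toy Python model of the per-flow decision the five steps above describe, useful for checking what a client can reach at each stage. All class, function and host names are hypothetical, the credentials are constructed, and the behaviour of the weaker captive portal strength (non-HTTP traffic passes before sign-on) is an assumption the reply does not state.

```python
import hmac
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, List

def sample_directory(user: str, password: str) -> bool:
    # Constructed stand-in for the AD server's accept/deny answer (step 4).
    return hmac.compare_digest(f"{user}:{password}", "tyler:correct-horse")

@dataclass
class Client:
    owe_associated: bool = False  # step 1: encrypted OWE association done
    signed_on: bool = False       # steps 3-4: server accepted credentials

@dataclass
class Ssid:
    block_all_until_signon: bool = True                     # step 5 setting
    walled_garden: List[str] = field(default_factory=list)  # host patterns
    verify: Callable[[str, str], bool] = lambda u, p: False

    def sign_on(self, client: Client, user: str, password: str) -> bool:
        """Steps 3-4: the AP relays credentials; the verdict sets the state."""
        if not client.owe_associated:
            return False  # the splash page is only reached after association
        client.signed_on = bool(self.verify(user, password))
        return client.signed_on

    def decide(self, client: Client, host: str, is_http: bool = True) -> str:
        """Return 'drop', 'allow' or 'redirect' for one outbound flow."""
        if not client.owe_associated:
            return "drop"      # no association keys, so no data frames
        if client.signed_on:
            return "allow"
        if any(fnmatch(host, pat) for pat in self.walled_garden):
            return "allow"     # walled garden is reachable before sign-on
        if is_http:
            return "redirect"  # browser is sent to the splash page
        # Assumption: the weaker strength lets non-HTTP traffic through.
        return "drop" if self.block_all_until_signon else "allow"

if __name__ == "__main__":
    ssid = Ssid(walled_garden=["*.example.com"], verify=sample_directory)
    c = Client(owe_associated=True)
    for host, http in [("intranet.corp.test", True), ("help.example.com", True),
                       ("intranet.corp.test", False)]:
        print(host, "http" if http else "non-http", ssid.decide(c, host, http))
```
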