Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
21384
Views
12
Helpful
2
Comments

ISE 2.2+ Apple CNA (Captive Network Assistant) Mini-Browser for BYOD/Guest

Jason Kunst
Cisco Employee
Cisco Employee

on ‎01-07-2017 12:24 PM - edited on ‎05-23-2019 02:18 PM by Cisco Employee

Content

 

This document explains support for the Apple mini-browser for use in BYOD/Guest Flows using ISE 2.2. ISE has official support for Apple iOS and macOS to use with Guest and BYOD in ISE 2.2 and later. Some of these examples talk about using DNS based ACLs with your REDIRECT_ACL so be sure you WLC supports this.

CSCuv74219 CSCus61445 - DNS-based ACL does not work. The bug is fixed 8.0.121.0 and 8.2.100.0 (check other versions as well)

Cisco Wireless Controller Captive Portal Bypass Options

< 8.4 WLC code

Enable captive portal bypass for the whole controller as described in Cisco Wireless Controller Configuration Guide, Release 8.4 - WLAN Security [Cisco Wireless LAN Controller Software]. This will suppress the apple pseudo browser (Captive Network Assistant) from popping up for any WLAN on that controller. This will need to be enabled in the single SSID flow for BYOD. If this is enabled it will suppress the mini-browser for guest flows.

If you want to have seamless flow for guests using mini-browser along with BYOD on the same controller then you can use one of the following options:

  • 8.4 code will allow per WLAN captive portal bypass, see below
  • Dual SSID flow (open network for guests and employee BYOD), allows open network with mini-browser for guest/byod and then suppressed mini-browser in the BYOD flow
  • Single SSID BYOD - Use DNS based ACLs for the ACL_BYOD_REDIRECT and add URL captive.apple.com, ACL_GUEST_REDIRECT will redirect everything except for

 

8.4+ WLC code

You can have Open Guest network with no suppression (captive portal bypass disabled) of mini-browser and Single SSID network for BYOD suppressing (captive portal bypass enabled) the mini-browser.

 

Guest Access

Since we now support the mini-browser with ISE 2.2 there is no need to enable captive portal bypass on the controller. The client connects to the guest network and the mini-browser will pop and auto-login.

 

BYOD

Single SSID

For single SSID there is no change in the behavior as the client is directed to go through the flow once and understand they must launch the browser. You will want to enable captive portal bypass per the options above or use DNS

 

Resources

Comments
Ehsanreza Haghzare
Level 1
Level 1
‎02-05-2018 10:59 AM

I have a customer with same problem on ISE 2.2 , Single SSID (Flexconnect) and iOS devices are getting unsupported error .

This is 2018 , are we still need to enable captive portal bypass ? is there any other workaround for Flexconnect Single SSID?

What if I give full internet access on the redirect ACL? would that fix the issue since captive.apple.com get resolved ?

Is there any fix in ISE 2.3 ?

Sloanstar
Level 5
Level 5
‎03-26-2018 01:53 PM

No, the behavior is the same. If you are doing BYOD provisioning with a single SSID you must enable captive bypass and have the user launch Safari. My understanding for this requirement is that the mini browser does not have the appropriate system access to install a device profile.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents