https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3776058#M486472 Yes likely the Apple Captive network assistant is not liking the self signed cert.<BR /><BR />I recommend reviewing the guest guide under http:://cs.co/ise-guest&lt;&gt;<BR /><BR />And also enabling captive portal bypass on the controller to suppress the CNA so the regular browser is used<BR /><A href="https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wlan_security.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wlan_security.html</A><BR /><BR /><BR />Look for Captive Portal Bypass<BR /><BR />Information About Captive Bypassing<BR /><BR />Long term you will want to allow users to have a seamless flow and disabling it<BR /> Wed, 09 Jan 2019 13:47:43 GMT Jason Kunst 2019-01-09T13:47:43Z https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3775980#M486469 <P>Hello,</P> <P>I have configured ISE 2.4 to create wifi hotspots and self registration access. We user a WLC 2504 controller software version 8.5.</P> <P>Everything works fine with windows devices and android devices which get correctly redirected to ISE portal pages. However, with the iphone we get errors. The phone connects to the ssid but then gives an error as below:</P> <P>&nbsp;</P> <P>Error Opening Page - "Hotspot login cannot open the page because the server cannot be found". I believe this is trying to go to captive.apple.com. My redirect ACL on the WLC allows access to DNS and also to the ISE server. Do I need to add access to captive.apple.com in the ACL?</P> <P>&nbsp;</P> <P>Another point is that the ise server has a certificate signed by a CA that is not a publicly trusted CA. I have added the root CA to my trusted certs on the iphone but still the same issue. I have also enabled <STRONG>web-auth captive-bypass </STRONG>and rebooted the WLC but still the same issues.</P> <P>&nbsp;</P> <P>Any help would be great.</P> <P>&nbsp;</P> <P>Thanks in advance</P> <P>Nick</P> <P>&nbsp;</P> Wed, 09 Jan 2019 12:23:42 GMT https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3775980#M486469 n-russell-biggie 2019-01-09T12:23:42Z https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3776058#M486472 Yes likely the Apple Captive network assistant is not liking the self signed cert.<BR /><BR />I recommend reviewing the guest guide under http:://cs.co/ise-guest&lt;&gt;<BR /><BR />And also enabling captive portal bypass on the controller to suppress the CNA so the regular browser is used<BR /><A href="https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wlan_security.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wlan_security.html</A><BR /><BR /><BR />Look for Captive Portal Bypass<BR /><BR />Information About Captive Bypassing<BR /><BR />Long term you will want to allow users to have a seamless flow and disabling it<BR /> Wed, 09 Jan 2019 13:47:43 GMT https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3776058#M486472 Jason Kunst 2019-01-09T13:47:43Z https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3776082#M486473 <P>Many thanks Jason,</P> <P>I have enabled captive bypass on the WLC. I am able to get a step further, so obviously I do not get automatically redirected to ise, however when I open a browser I do get redirected to ISE but that is as far as I can get as it tells me there is an issue with he certificate. I do not get the option to trust or add the certificate for ISE so I get stuck here.</P> <P>&nbsp;</P> <P>The domain name is xxxxxxx.local. I have read somewhere that iphones do not like a .local domain.</P> <P>Any other help would be great.</P> <P>Thanks</P> <P>Nick</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 09 Jan 2019 14:18:55 GMT https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3776082#M486473 n-russell-biggie 2019-01-09T14:18:55Z https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3776094#M486474 Correct Apple doesn’t like that. Would recommend trying something else. We use a fake domain like securitydemo.net. And a well known cert, otherwise Apple devices won’t go through BYOD flow as well. This isn’t an ise issue. <BR /> Wed, 09 Jan 2019 14:30:43 GMT https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3776094#M486474 Jason Kunst 2019-01-09T14:30:43Z https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3776131#M486475 <P>Thats great, thanks Jason. I will give this a try and let you know how I got on.</P> <P>&nbsp;</P> <P>Cheers</P> <P>Nick</P> <P>&nbsp;</P> Wed, 09 Jan 2019 14:56:07 GMT https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3776131#M486475 n-russell-biggie 2019-01-09T14:56:07Z https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3901741#M486476 <P>Hi Russell, can I ask what the results of your testing were?</P> Thu, 01 Aug 2019 21:41:06 GMT https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3901741#M486476 briankk1582 2019-08-01T21:41:06Z https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3911024#M486477 thanks please let me know Tue, 20 Aug 2019 17:24:11 GMT https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3911024#M486477 Jason Kunst 2019-08-20T17:24:11Z https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3991938#M486478 <P>Hi Jason,</P><P>&nbsp;</P><P>i facing same issue, i try to change certificate selfsigned using xxx.com</P><P>the result, still same in apple device. " hotspot login cannot open the page because the server cannot be found "</P><P>i try to using browser its working normally.</P><P>&nbsp;</P><P>is there any advice ?</P><P>&nbsp;</P><P>thanks</P> Mon, 02 Dec 2019 09:30:45 GMT https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3991938#M486478 ganiabdullahgenderang 2019-12-02T09:30:45Z https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3992002#M486479 Are you saying you’re using self signed certificate?<BR /><BR />Apple captive network browser assistant doesn’t like that likely<BR /> Mon, 02 Dec 2019 11:43:38 GMT https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3992002#M486479 Jason Kunst 2019-12-02T11:43:38Z https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3992090#M486480 hi Jason,<BR /><BR />yes, i am using selfsigned certificate.<BR />earlier everything running well.<BR />and now apple device cannot using CNA.<BR /><BR />so, we need using public certificate ?<BR /><BR />thanks Mon, 02 Dec 2019 14:15:19 GMT https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3992090#M486480 ganiabdullahgenderang 2019-12-02T14:15:19Z https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3992242#M486481 that's correct, self-signed certificate is not supported in the guest flow for production as many browsers have issues with them<BR /><BR />check out guest guide<BR /><A href="https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475" target="_blank">https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475</A><BR />and certificate guide<BR /><A href="https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897" target="_blank">https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897</A> Mon, 02 Dec 2019 17:41:31 GMT https://community.cisco.com/t5/network-access-control/issues-with-ise-hotspot-and-self-registration-portals-with-apple/m-p/3992242#M486481 Jason Kunst 2019-12-02T17:41:31Z