topic Re: javascript to bind two guest portals into one experiencing problems on Apple Devices in Network Access Control

javascript to bind two guest portals into one experiencing problems on Apple Devices

umahar — Wed, 05 Sep 2018 14:54:54 GMT

Has anyone had any experience with binding two portals into one guest portal using javascript and faced issues on iPad/iPhone,MAC ?

I have embedded the below script into the landing captive portal page which is a self registration guest portal.

There is a button embedded which when clicked redirects the user to a separate guest portal where users can authenticate using their AD credentials - kind of BYOD.

Initially the second portal which runs the BYOD guest portal ran on port 8455. If we make a change to move the second port to 8443 then that button does not work as expected eventually rendering it not-clickable. Windows work fine.

We are trying to troubleshoot at the browser level using developer tools but found no luck. It looks like the iOS does not like changing ports too often due to security reasons etc. Its seen on Apple CNA, Safari and Chrome. Sometimes after rebooting, clearing cache issue goes away but comes back again.

If anyone experienced such behaviour I would appreciate some pointers or info on it.

Thanks

<script>

 

jQuery(window).ready(function() {

 

var hostname = window.location.hostname;

 

var WebSessionId = window.location.href.substr(window.location.href.search("\\?")).split("=")[2];

 

jQuery('.cisco-ise-body').append(' <center><a href="https://'+hostname+':8445/portal/PortalSetup.action?portal=bcdac262-a4b1-11e8-a7e6-0050569e539f&sessionId='+WebSessionId+'&action=cwa" style="color: rgb(0,255,0)"><font color="212121"><button type="submit"> Employee Login</button></font></a></center>');

 

});

 

</script><br _moz_editor_bogus_node="TRUE" />

Re: javascript to bind two guest portals into one experiencing problems on Apple Devices

paul — Thu, 06 Sep 2018 12:00:52 GMT

Did you check out this link:

https://community.cisco.com/t5/security-documents/ise-hotspot-portal-with-links-to-employee-or-vendor-portals/ta-p/3643513

Although, I saw at the bottom of the original thread someone said there was a problem with iPhones.

Do you really need to send the AD users through a BYOD flow though? Natively, the self-registration portal support AD login and the AD users are mapped to their own guest type. So you have control of exactly what endpoint identity group their MACs get put into and how often you purge that group.

Re: javascript to bind two guest portals into one experiencing problems on Apple Devices

kvenkata1 — Thu, 06 Sep 2018 18:14:07 GMT

Of course the obvious questions - Why was the port changed? Can you stick with what works? I have come up empty so far as to what is the reason, as ISE doesn't really care what port is used. You need to base your decision on what works in your environment. I have requested our scripting expert to take a look. Stay tuned.

Re: javascript to bind two guest portals into one experiencing problems on Apple Devices

Jason Kunst — Thu, 06 Sep 2018 18:30:27 GMT

You can also send them through BYOD another way. Disable BYOD on the guest portal. Have the user log in to the portal and then they are identified as part of a certain group. in your authorization rule if the group is equal to a BYOD group then redirect them to the BYOD (NSP) page for onboarding

Some examples

if MAB and guestendpointMACgroup permit access
if MAB and ADgroupX then redirect to NSP
if MAB and guestflow permit access
if MAB then redirect to guest portal

Re: javascript to bind two guest portals into one experiencing problems on Apple Devices

Jason Kunst — Thu, 06 Sep 2018 18:31:50 GMT

I agree. Why is it necessary to change ports? If some browsers work and some don't then maybe there is another way to do it. We will ask the developers but this is something advanced that might be hard to support with this workaround. Would be go to get your needs to our Product managers through the sales channel as well

Re: javascript to bind two guest portals into one experiencing problems on Apple Devices

umahar — Thu, 06 Sep 2018 21:06:56 GMT

Jason thanks for the suggestion.
The design was already in place and agreed upon by previous engineers and hence out of my current scope.

Re: javascript to bind two guest portals into one experiencing problems on Apple Devices

umahar — Thu, 06 Sep 2018 21:08:23 GMT

We are using the same script in the link.
As I said in my previous post , questioning the design is out of my scope currently.

Re: javascript to bind two guest portals into one experiencing problems on Apple Devices

Jason Kunst — Thu, 06 Sep 2018 21:11:30 GMT

OK not sure how to help otherwise. I provided some information and you can provide that to them.

Re: javascript to bind two guest portals into one experiencing problems on Apple Devices

umahar — Thu, 06 Sep 2018 21:20:50 GMT

So we had a setup like below when I first came in.

Guest Portal - 8443

BYOD portal linked to Guest Portal - 8445

Sponsor Portal - 8445

All had same cert group - guest.

Now sponsor portal needed a separate port because it needs a separate cert as guest cert was lacking sponsor FQDN in its SAN. I guess ISE has a limitation of not allowing different certs to portals running on same ports.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva84197/?rfs=iqvred

Hence we needed to segregate the ports so that sponsor and guest portals each have their owns separate cert.

Yesterday we reverted the changes and moved BYOD portal back to 8445 and moved Sponsor portal to 8446 and is everything is working as expected. We maybe needed to improve the javascript.

Somehow Apple devices did not like the change any other port other than 8445 for BYOD.

Re: javascript to bind two guest portals into one experiencing problems on Apple Devices

umahar — Thu, 06 Sep 2018 21:33:16 GMT

Thanks Jason. There was no time to troubleshoot it further and after reverting changes everything is working.
I have no idea why Apple dint like 8443 and windows/blackberry was absolutely working fine.
I tried to recreate the issue in my lab but couldn't and Apple devices respected all port changes.
Maybe the IOS in their environment dint like us changing ports and prevented going there due to some anti-phishing mechanism etc.

Re: javascript to bind two guest portals into one experiencing problems on Apple Devices

kvenkata1 — Fri, 07 Sep 2018 15:18:19 GMT

Our scripting expert said the issue was investigated before & the result came back as Apple browser doesn't like port change. You may have to avoid port change & workaround.

- Krish

Re: javascript to bind two guest portals into one experiencing problems on Apple Devices

umahar — Mon, 10 Sep 2018 14:10:00 GMT

Thanks - sorry for late response. I am not getting email notification for responses on this thread.

That's what we thought that Apple does not like port changes.

Was your scripting expert able to find any documentation or guideline from Apple regarding this ?

Re: javascript to bind two guest portals into one experiencing problems on Apple Devices

kvenkata1 — Mon, 10 Sep 2018 15:10:38 GMT

No. This was investigated a year ago.

- Krish