topic Re: Guest access - Redirection issue on ios16 in Network Access Control

Guest access - Redirection issue on ios16

Tariq Mahmoud — Tue, 25 Apr 2023 06:44:23 GMT

Hello all,

We have an issue with ios16 where guest access is not working due to failures at the redirection phase. This issue happens only with iPhone while it's working totally fine with Windows or Androids.

After some checking and troubleshooting we found that there is a behavior change starting from ios16 to use public DNS servers instead of the private ones. This is mentioned here:

https://community.arubanetworks.com/discussion/apple-ios-devices-not-open-captive-portal-login-page-automatically
https://developer.apple.com/forums/thread/715416

We already had a case with Cisco TAC but they ended up recommending us to reach for Apple support since this is an iPhone issue and ask for a fix but this seems like a dead end to me.
I was wondering if anyone else faced this issue? and the recommended way to fix it?

Best regards,
Tariq

Re: Guest access - Redirection issue on ios16

ahollifield — Tue, 25 Apr 2023 22:42:14 GMT

Why not just allow DNS to any server? Or am I misunderstanding something here?

Re: Guest access - Redirection issue on ios16

Mohammed al Baqari — Wed, 26 Apr 2023 01:42:59 GMT

Hi, can u explain further how the DNS bug is impacting your redirection. In
theory you shouldn't set internal and external DNS in your dhcp options.
Only point to internet DNS with HA and that is set to DNS forwarder.

Re: Guest access - Redirection issue on ios16

Tariq Mahmoud — Wed, 26 Apr 2023 14:20:27 GMT

DNS traffic is already allowed in the redirect ACL if that's what you are asking for. However, if endpoints want to reach ISE captive portal, they should query the internal DNS so that they can reach ISE.
What we have seen with ios16 is that it ignores the local DNS and always go for the public DNS server and captive.apple.com and hence have no idea about the captive portal of our ISE setup.

Re: Guest access - Redirection issue on ios16

ahollifield — Fri, 28 Apr 2023 03:23:58 GMT

But why are you exposing internal name space to guest users? Also not really a best practice to expose internal DNS server (most often also a domain controller) to untrusted guest endpoints. Why not deploy a dedicated ISE guest node in a protected DMZ on public name space. Or configure a second NIC on an ISE node to service guests with a public FQDN?

Re: Guest access - Redirection issue on ios16

Dustin Anderson — Fri, 28 Apr 2023 13:41:22 GMT

personally, I just added ISE to our external DNS but with the internal IP address so they get to the portal. Our guest is behind a firewall, but can be allowed to talk to out ISE servers on the ports for the portals.

Re: Guest access - Redirection issue on ios16

Tariq Mahmoud — Thu, 03 Aug 2023 01:14:41 GMT

We have restarted the wireless controller and after that the issue got fixed. We haven't seen the issue again for a while now and all works fine.

Re: Guest access - Redirection issue on ios16

hakheman — Fri, 04 Aug 2023 19:02:31 GMT

What was your controller and ISE version?

Re: Guest access - Redirection issue on ios16

Tariq Mahmoud — Sun, 06 Aug 2023 12:33:15 GMT

WLC is 8.10 (foreign/anchor setup) and ISE is 3.1.

Based on my observations, it could be that the configurations were not active for some reason. What I did was configuring the SSID from scratch, then reloaded the WLC and after that all worked fine on iphone.