topic Re: Cisco ISE CWA with Captive Portal Detection and DHCP Option 114 in Network Access Control

Cisco ISE CWA with Captive Portal Detection and DHCP Option 114

joshhunter — Sat, 30 Nov 2024 13:15:40 GMT

Hello, does Cisco ISE solution work with Captive Portal Detection Option 114 to modernise the Captive Portal Detection process on Apple iOS Devices that support iOS 14+ see below Apple article:

https://developer.apple.com/news/?id=q78sq5rv

On the Cisco Meraki support pages,

https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_with_Cisco_ISE

Disabling CNA will require that users manually open their web browser before being presented with the splash page. Applications on the user's device that require Internet connectivity will not function as expected until the user has opened their web browser and completed authentication via the splash page. If your network contains Apple devices running iOS 14/macOS Big Sur and newer operating systems , DHCP option 114 can be leveraged instead of Apple's legacy Captive Portal networks. For additional info, please see Apple's How to modernize your captive networkdocumentation.

Re: Cisco ISE CWA with Captive Portal Detection and DHCP Option 114

joshhunter — Sat, 30 Nov 2024 13:16:26 GMT

One of the reasons for asking is that I am finding the Captive Portal Detection process to be rather slow, taking around 10 seconds.

This is using the traditional method of the HTTP GET request sent form the Apple iOS Device to

http://captive.apple.com/hotspot-detect.html

Re: Cisco ISE CWA with Captive Portal Detection and DHCP Option 114

joshhunter — Sat, 30 Nov 2024 13:18:54 GMT

I failed to see this as an ISE feature. I would see this as a DHCP server / Client feature. When it comes to guest portal, the ISE will act as a web site where you hit, you present your credentials, the credential is validate against some kind of checker and the access is granted or denied.

The option 114, therefore, happened way before all this process. In guest network, first the client gets the IP address and later it will be authenticated.

As I could read on the documentation, this is just a faster way to receive the Guest portal URL instead using the traditional intercept method used so far for Wireless Controller.

2.  The Captive-Portal Option

   The Captive-Portal DHCP/RA Option informs the client that it may be
   behind a captive portal and provides the URI to access an API as
   defined by [RFC8908]"

@Flavio Miranda Thank you for your reply. I understand this is a DHCP Option and not ISE Specific. However, the DHCP Option needs to point to a URI. We know that URI for Cisco ISE is dynamic and contains the session ID.

My question is if anyone has got it DHCP Option 114 to work with Cisco ISE Central Web Auth?

Re: Cisco ISE CWA with Captive Portal Detection and DHCP Option 114

MHM Cisco World — Sat, 30 Nov 2024 13:18:57 GMT

why you not add op114 to DHCP ?

MHM

Re: Cisco ISE CWA with Captive Portal Detection and DHCP Option 114

joshhunter — Sat, 30 Nov 2024 13:30:31 GMT

Well, you add the Option 114 DHCP String but it must point to a JSON API, there is a question of where this should be hosted.

Then, another question as to what the string should contain as the user portal URL is dynamic based on session ID.

{ "captive": true, "user-portal-url": "https://example.org/portal.html" }

Re: Cisco ISE CWA with Captive Portal Detection and DHCP Option 114

Flavio Miranda — Sat, 30 Nov 2024 13:43:06 GMT

Thats make It a totally different question. But make Sense now.

Since the WLC manage the portal intercept for traditional guest portal, I would say the WLC should handle this. I dont see any Cisco WLC handlng this option.

Re: Cisco ISE CWA with Captive Portal Detection and DHCP Option 114

MHM Cisco World — Sat, 30 Nov 2024 13:44:46 GMT

I think op114 must include the portal of ISE
MHM

Re: Cisco ISE CWA with Captive Portal Detection and DHCP Option 114

joshhunter — Sat, 11 Jan 2025 11:33:42 GMT

Hello, any updates on this one?

I am keen to improve the Captive Portal detection process, using Option 114 looks to be a good way of doing this.

Re: Cisco ISE CWA with Captive Portal Detection and DHCP Option 114

joshhunter — Mon, 28 Jul 2025 14:01:26 GMT

Hello,

A message to bring the thread back up to the top incase of any new updates.

Re: Cisco ISE CWA with Captive Portal Detection and DHCP Option 114

JPavonM — Mon, 02 Mar 2026 12:00:40 GMT

Maybe a good question for TAC, but in the IETF documentation I see that option 114 must be the URI of the ISE so, would that be company URI for the portal like https://guestportal.company.com:443, or something with the WLC format where the association ID is sent to ISE?

Re: Cisco ISE CWA with Captive Portal Detection and DHCP Option 114

joshhunter — Fri, 06 Mar 2026 11:30:38 GMT

I raised a 'wish' within Cisco ISE.

Additionally, I found that a Cisco feature request has already been raised for this;

Need to use the JSON API on ISE to redirect the client using chrome browser. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd24573

However, it's not possible given the dynamic nature of the URL.

To provide a comprehensive understanding of the request to support DHCP Option 114 with ISE, here's an explanation:

How ISE Does WebAuth and Captive Portal:
1. Device Connects to Network:
* The device connects to the Wi-Fi network
2. Authentication Request Sent to ISE:
* The device sends an authentication request to ISE via the NAD
3. ISE Processes Request:
* ISE evaluates the request and determines the appropriate policy
4. ISE Sends RADIUS Access-Accept:
* If required, ISE sends a RADIUS Access-Accept message with a unique captive portal URL for the session
5. Device Redirected by NAD:
* NAD redirects HTTP traffic to the ISE captive portal using the URL provided
6. User Authentication:
* The user authenticates on the ISE-hosted captive portal
7. Authorization and Network Access:
* ISE applies the authorization policy and grants network access

How DHCP Option 114 Works:
1. Device Connects to Network:
* The device connects to the Wi-Fi network.
2. DHCP Server Provides IP and URL:
* DHCP server provides the IP address and a static captive portal URL via DHCP Option 114.
3. Device Redirects to Captive Portal:
* The device uses the URL to redirect to the captive portal.

Why DHCP Option 114 does not Work with ISE:
1. Dynamic vs. Static URLs:
* ISE generates unique, session-specific URLs for each authentication session.
* DHCP Option 114 gets configured with a static URL, which cannot accommodate the dynamic nature of ISE URLs.
2. Session Management:
* ISE's session management requires unique URLs to track individual device sessions and ensure secure authentication.
* A static URL from DHCP Option 114 cannot fulfill this requirement.

Given these constraints, integrating DHCP Option 114 with ISE for WebAuth and captive portal redirection is not feasible. The recommended approach is to continue using RADIUS-based redirection with ACLs for HTTP traffic to ensure proper session management and secure authentication.