topic Re: Android users not getting redirected to ISE captive portal in Wireless

Android users not getting redirected to ISE captive portal

tmnetsec — Fri, 05 May 2023 09:52:07 GMT

We have recently deployed a wireless guest CWA solution that involves 9800 WLCs, ISE and Checkpoint firewalls. Our topology is

Guest VLAN 100 ->AP->Primary WLC<via mobility>Anchor WLC<>Checkpoint Int4.100 (VLAN interface)

ISE<>Checkpoint Int5

Android users are getting a dhcp IP but are not getting redirected to the ISE portal for guest registration. The issue observed is that the Checkpoint sends a broadcast requesting the IP of the android mac address and does not get a response back from the android. The arp entry on the Checkpoint shows as 'Incomplete' and is eventually removed from the arp cache as the android does not respond to this request. Disabling randomized mac address feature on the android sometimes helps and the user gets the ISE portal, but this is not always the case.

The ISE logs show that it issues the redirect ACL and an essential license is consumed. The guest vlan DHCP scope was configured on the anchor WLC and was later moved to the Checkpoint but the issue persisted.

Other devices like Apple devices, laptops, etc get the captive portal and can connect fine. Out of ideas at the moment.

Re: Android users not getting redirected to ISE captive portal

tmnetsec — Fri, 05 May 2023 14:16:00 GMT

Packet capture on the Checkpoint and the Anchor WLC show the following multiple entries indicating that the android is not replying ARP broadcast from Checkpoint

172.16.157.252 is the DHCP IP assigned to the android & 172.16.157.3 is the Checkpoint gateway.

Show arp command on Checkpoint, which eventually times out as there is no response from the android.

Re: Android users not getting redirected to ISE captive portal

Rich R — Fri, 05 May 2023 15:27:47 GMT

What model of 9800?
What version of software?

Have you looked at the ARP proxy feature?
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_arp_proxy.html

Re: Android users not getting redirected to ISE captive portal

tmnetsec — Fri, 05 May 2023 15:40:04 GMT

Foreign WLC is 9800-40 and Anchor WLC is 9800-L. Both running 17.3.6

Yes, I have the arp proxy feature enabled.

Re: Android users not getting redirected to ISE captive portal

Rich R — Fri, 05 May 2023 16:25:59 GMT

I should also have asked what model of AP?

- The wave 2 AP bugs (see Leo's list below) are mostly supposed to be resolved in 17.3.6. Do you also have all the 17.3.6 APSP's installed (if not you should)? 17.3.7 (which includes all the APSP fixes) is also out now but ...
- I'm a bit dubious about all the strange problems like this which people report in 17.3. We never used it - we couldn't go live till 17.6 (needs features which only came after 17.3) and have been on that and 17.9 since and quite stable. 17.3 is now approaching end of life so it might be a good idea to start planning upgrade to 17.6.5 or 17.9.3 anyway and if you're lucky it might even resolve your issue otherwise I think you're heading for a TAC case.

Re: Android users not getting redirected to ISE captive portal

tmnetsec — Tue, 09 May 2023 08:12:19 GMT

Hi Richard - The AP's are 9130AXE running the 17.3.6.76 code.

Re: Android users not getting redirected to ISE captive portal

tmnetsec — Tue, 09 May 2023 08:24:07 GMT

I have found a workaround. From the android phone's chrome browser, if I manually type the IP address of the Checkpoint (gateway IP), the Checkpoint learns the mac address of the android and then the ISE's portal page opens up in a new window.

Thinking this could be the android phones as the Apple and Windows device can connect without any issues. But the same android phone works in public cafes, hotels, etc without any issues.

Just an FYI, the Checkpoint gateways are running R81.10 with the latest JHF.

Re: Android users not getting redirected to ISE captive portal

tmnetsec — Wed, 10 May 2023 16:15:56 GMT

Do the WLCs forward the broadcast via the capwap tunnel towards the APs/wireless clients? Packet captures on the anchor and foreign WLC show that the broadcast is received from the Checkpoint but I cannot tell whether the broadcast is being forwarded towards the AP and wireless clients.

Is there any way I can do a capture on the AP to see the arp broadcast? Cant find any software which does packet captures on android.

Re: Android users not getting redirected to ISE captive portal

SPCNET soluciones de negocio electronico — Tue, 04 Jul 2023 17:03:04 GMT

We have similar problem (android, widows,..), client does not receive DNS replays from DNS server, so no any web authentication page is open. As initial workarround we enabled "passive client" for the involved Policy. Cisco is working on a solution.

Re: Android users not getting redirected to ISE captive portal

klausi — Tue, 07 Nov 2023 07:05:42 GMT

Did you find any solution other then typing the IP address ? We have the exact same situation with Checkpoint Gateway and no redirect to ISE Guestportal only for Android devices.

BR and Thanks!