topic Re: Captured Guest Portal AUP with Zscaler Branch Connector in Wireless

Captured Guest Portal AUP with Zscaler Branch Connector

dstrobel — Tue, 27 Jan 2026 19:37:39 GMT

Hello Experts,

I apologize ahead of time for the long post. I am working on a proof of concept for replacing our current ISE guest portal setup. I currently have a 2 server cluster that's strictly being used for sponsored guest access and we have new management who want to change it to a click through AUP with no registration. We also have about 35 9800 controllers and 2 9800CL VMs that will be migrated to AWS in the near future. We are also converting sites from Silverpeak sdwan to Zscaler branch connector. I would prefer to get rid of ISE because it's way overkill for what we're using it for. We don't need anything other than an AUP for guest clients.

I am trying to come up with the most simple and secure way to splash an AUP for guests. My first try was setting up a 9800CL as an anchor to centralize the certificate management and using the built in guest portal. The problem I'm running into with this is getting Apple devices to pop the portal page. Android and Windows work without a problem, but every Apple device I try has varying amounts of difficulty getting to the splash page (even manually). I've tried a pre-authentication acl with zero luck so far.

Is there a better way that I'm missing here? I'm open to just about anything, and I'm trying to keep this as simple as possible. All it has to do is force the guest to click through an AUP. I've looked at doing it on the Zscaler and that's a problem because the clients need the Zscaler certificate to get the portal working without a security warning. I've also looked into Cloud-FI because they advertise direct integration with ZIA at the cloud level.

Am I crazy for thinking this should be a lot easier than it is?

Re: Captured Guest Portal AUP with Zscaler Branch Connector

Cristian Matei — Tue, 27 Jan 2026 20:08:10 GMT

Hi,

@dstrobel This has already been addressed in the past, no sense for me to copy / paste her, find the exact solution in this post:

https://community.cisco.com/t5/wireless/interesting-issue-with-apple-devices-and-portal/td-p/5270582

Ensure that the virtual IP is NOT 1.1.1.1, is not routable, and it's per RFC5737. If you still don't manage to make it work, use this additional document to help you investigate, otherwise come back with findings:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/221912-troubleshoot-common-issues-with-lwa-on-9.html#toc-hId-79775511

Thanks,

Cristian.

Re: Captured Guest Portal AUP with Zscaler Branch Connector

dstrobel — Wed, 28 Jan 2026 21:35:04 GMT

HI Cristian, thank you for replying.

The article in that link is very confusing. I've looked at that before and it doesn't make any more sense now than it did then. Perhaps you can help me understand.

The ACL in that article seems like complete rubbish.

Step 4. (Optional) Upon parameter map definition, a couple of access control lists (ACLs) are automatically created. These ACLs are used to define which traffic triggers a redirection to web server and which traffic is allowed to pass through. If specific requirements, such as multiple web server IP addresses or URL filters, exist, then navigate to Configuration > Security > ACL select + Add and define necessary rules; permit statements are redirected while deny statements define traffic passes through.

Automatically created ACLs rules are:

alz-9800#show ip access-list
Extended IP access list WA-sec-172.16.80.8
10 permit tcp any host 172.16.80.8 eq www
20 permit tcp any host 172.16.80.8 eq 443
30 permit tcp host 172.16.80.8 eq www any
40 permit tcp host 172.16.80.8 eq 443 any
50 permit tcp any any eq domain
60 permit udp any any eq domain
70 permit udp any any eq bootpc
80 permit udp any any eq bootps
90 deny ip any any (1288 matches)
Extended IP access list WA-v4-int-172.16.80.8
10 deny tcp any host 172.16.80.8 eq www
20 deny tcp any host 172.16.80.8 eq 443
30 permit tcp any any eq www
40 permit tcp any host 192.0.2.1 eq 443

First of all, if you go to Configuration > Security > ACL +Add that will add a completely separate unrelated new ACL. It seems like you can't manually edit the rules on these automatically generated ACLs, except perhaps from the CLI?

Second thing wrong is the description at the top explicitly says "permit statements are redirected while deny statements define traffic passes through" meaning to me what Cisco calls a "punt" ACL. Any traffic to the controller should be a permit and any traffic to outside the controller should be a deny. This ACL example is showing permit statements for DHCP and DNS. Obviously you can run DHCP on the controller but I don't see any way to use it as a DNS forwarder (which would be a really weird thing to do anyway). There is no clear explanation of what 172.16.80.8 is so I take it to be an external web auth provider and that should be deny statements to punt to an outside server.

As an example this is what I use for ISE redirection right now taken from this guide: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#toc-hId-881505252

ip access-list extended REDIRECT
 deny ip any host <ISE-IP>
 deny ip host <ISE-IP> any
 deny udp any any eq domain
 deny udp any eq domain any
 permit tcp any any eq www

There's obviously something I'm misunderstanding here.

Thanks
Dan