Beginner

Apple CNA - ISE 2.4 - WLC 8.3

I'm having some trouble with CNA and our guest portal, and I suspect the WLC image, but I can't seem to find a compatibility chart between Apple CNA, ISE and WLC? Any help?

Cisco Employee

Re: Apple CNA - ISE 2.4 - WLC 8.3

There is no support chart for that. It’s supported. What is your problem?
Beginner

Re: Apple CNA - ISE 2.4 - WLC 8.3

When iOS devices access our self-registration portal, the CNA doesn't pop up. Accessing Google from the browser doesn't trigger CNA.
Cisco Employee

Re: Apple CNA - ISE 2.4 - WLC 8.3

OK, the issue you’re seeing is a wireless issue and not something on ISE.

I would recommend you disable captive portal bypass on the wireless controller:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_0100111.html
Beginner

Re: Apple CNA - ISE 2.4 - WLC 8.3

The captive portal is disabled. The GUI is disabled, and the CLI is:
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable

I noticed the default ports in the config guide, and our portal is running on 8447. Could this have an impact?

Cisco Employee

Re: Apple CNA - ISE 2.4 - WLC 8.3

Does the ISE portal show when you open your native browser to a site? Try something without HTTPS.

Confused on what you’re showing here. Leave the WLC ports and portal alone, as these aren’t what you’re working with.

Please make sure captive portal bypass is not enabled per the guide I shared.

Check the ISE guest deployment guide:
https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475
Beginner

Re: Apple CNA - ISE 2.4 - WLC 8.3

Sorry, misread the guide!

The section before captive portal bypass is "web auth proxy"!

Next time you're having cake at the office, it's on me!

Cisco Employee

Re: Apple CNA - ISE 2.4 - WLC 8.3

OK, is everything all set now?
Beginner

Re: Apple CNA - ISE 2.4 - WLC 8.3

I'll let you know tomorrow when I can test the portal against an iOS device.
Cisco Employee

Re: Apple CNA - ISE 2.4 - WLC 8.3

Not sure I follow, ISE Guest with WLC is working and is supported. Use it all the time. Perhaps you are having an issue to debug and work with TAC?
Beginner

Re: Apple CNA - ISE 2.4 - WLC 8.3

I had deleted my post because it was a bit strongly worded and I thought that I may have missed something. I do have a TAC case open. They don't know how to make iPhone CNA work. The initial response was captive portal bypass, which is a joke. This does not work and has not worked for years. There are numerous threads on numerous forums stating the same thing. Apple has no documentation on how their CNA works, nor will they release any. Cisco has no documentation that mentions this issue, a workaround, or what would be required to make it work correctly.

Cisco Employee

Re: Apple CNA - ISE 2.4 - WLC 8.3

There is nothing to make it work. Disable captive portal bypass on the controller. Having it enabled will suppress the Apple CNA.

Again, this is strictly for Guest basic flows. If you have JavaScript loading and doing redirections and fancy things, then I wouldn’t recommend allowing that and would suppress the CNA using captive portal bypass.

The only reason I could think for TAC support is if something isn’t working but I have it working with WLC 8.3 and 8.5 code fine. If you’re not getting support from TAC ask for an escalation.
Beginner

Re: Apple CNA - ISE 2.4 - WLC 8.3

I'm just not seeing it work. I am testing 8.5 MR3 and ISE 2.2 patch 6 with iOS clients, haven't seen CNA launch yet. They fool around guessing different websites until the portal pops up. We're going to be upgrading ISE to 2.4 soon, but this appears to be a WLC issue.

Cisco Employee

Re: Apple CNA - ISE 2.4 - WLC 8.3

The mini browser sends out probes to different sites. If it can’t get to those sites then it won’t pop up. So if your URL redirect redirects everything to ISE and your ACL only allows access to ISE then it should pop. I would recommend tracing with the TAC as well.

When you enable captive portal bypass, it spoofs responses to those sites, causing it not to pop up. There are scenarios where you wouldn’t want it to (for example BYOD, social media login, SAML SSO advanced customization).

Some basic info
https://socifi-doc.atlassian.net/wiki/spaces/SC/pages/27689029/The+Splash+Page+is+not+triggered+when+iOS+devices+connect+to+WiFi

Some trouble posts
https://forums.developer.apple.com/thread/62947

Some basic info
https://www.google.com/search?ei=2LLlW4FXoK7Q8Q_a9aiIDQ&q=what+sites+does+apple+cna+check&oq=what+sites+does+apple+cna+check&gs_l=psy-ab.3..33i160l2.422379.426740..426933...0.0..0.227.5506.0j28j3......0....1..gws-wiz.......0j0i71j35i39j0i67j0i131i67j...
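
The probe behaviour described in the last reply can be checked from a laptop on the guest SSID. The following is an added example, not part of the original thread and not Cisco or Apple code: it fetches one probe without following redirects and classifies the answer. The probe URL, the "Success" marker and the four outcome labels are assumptions based on commonly observed iOS behaviour; the portal hostname in the comments is constructed.

```python
import urllib.error
import urllib.request

# Assumptions, not from the thread: a commonly observed iOS probe URL and
# the marker text that its genuine answer contains.
PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
SUCCESS_MARKER = "Success"

MEANING = {
    "success": "probe answered as if online (open path, or captive portal "
               "bypass spoofing the reply): the CNA stays hidden",
    "redirect": "probe redirected, e.g. to the ISE portal: the CNA should pop up",
    "intercepted": "probe answered with other content: treated as captive",
    "no_answer": "probe got no HTTP answer: the redirect never reached the client",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def classify(status, location, body):
    """Classify one probe result; status None means no HTTP answer at all."""
    if status is None:
        return "no_answer"
    if 300 <= status < 400 and location:
        return "redirect"  # e.g. Location: https://ise.example.test:8447/portal
    if status == 200 and SUCCESS_MARKER in body:
        return "success"
    return "intercepted"


def probe(url=PROBE_URL, timeout=5):
    """Fetch the probe once without following redirects, then classify it."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, None, resp.read(2048).decode("latin-1"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Location"), "")
    except (urllib.error.URLError, OSError):
        return "no_answer"


if __name__ == "__main__":
    result = probe()
    print(result, "-", MEANING[result])
```

A `success` result on an unauthenticated guest client points at captive portal bypass or an ACL that lets the probe through; `redirect` is the outcome the guest flow in this thread relies on.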