Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7605
Views
5
Helpful
15
Replies

Apple CNA - ISE 2.4 - WLC 8.3

Go to solution
Michael Bartholomæussen
Level 1
Level 1

‎10-09-2018 06:23 AM

I'm having some trouble with CNA and our guest portal, and I suspect the WLC image, but I can't seem to find a compatibility chart between Apple CNA, ISE and WLC? Any help?

1 person had this problem
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Michael Bartholomæussen

‎10-09-2018 07:17 AM

OK the issue you’re seeing is a wireless issue and not something on ise

I would recommend you disable captive portal bypass on the wireless controller


https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_0100111.html

View solution in original post

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Michael Bartholomæussen

‎10-09-2018 10:18 AM

Does the ise portal show when you open your native browser to a site. Try something without https

Confused on what you’re showing here. Leave the wlc ports and portal alone as these aren’t what you’re working with

Please make sure captive portal bypass is not enabled per the guide I shared

Check ise guest deployment guide
https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475

View solution in original post

0 Helpful
15 Replies 15

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎10-09-2018 06:34 AM

There is no support chart for that. It’s supported. What is your problem?
0 Helpful

Go to solution
Michael Bartholomæussen
Level 1
Level 1
In response to Jason Kunst

‎10-09-2018 07:10 AM

When iOS devices accesses our selfregistration portal, the CNA doesn't pop-up. Accessing google from the browser doesn't trigger CNA.
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Michael Bartholomæussen

‎10-09-2018 07:17 AM

OK the issue you’re seeing is a wireless issue and not something on ise

I would recommend you disable captive portal bypass on the wireless controller


https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_0100111.html
0 Helpful

Go to solution
Michael Bartholomæussen
Level 1
Level 1

‎10-09-2018 09:12 AM - edited ‎10-09-2018 09:24 AM

the captive portal is disabled. The GUI is disabled, and the CLI is:
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable

I noticed the default ports in the config guide, and our portal is running on 8447. Could this have an impact?

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Michael Bartholomæussen

‎10-09-2018 10:18 AM

Does the ise portal show when you open your native browser to a site. Try something without https

Confused on what you’re showing here. Leave the wlc ports and portal alone as these aren’t what you’re working with

Please make sure captive portal bypass is not enabled per the guide I shared

Check ise guest deployment guide
https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475
0 Helpful

Go to solution
Michael Bartholomæussen
Level 1
Level 1
In response to Jason Kunst

‎10-09-2018 10:40 AM

Sorry, misread the guide!

 

The section before captive portal bypass is "web auth proxy"!

Next time you're having cake at the office, it's on me!

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Michael Bartholomæussen

‎10-09-2018 10:42 AM

OK is everything all set now
0 Helpful

Go to solution
Michael Bartholomæussen
Level 1
Level 1
In response to Jason Kunst

‎10-09-2018 10:53 AM

I'll let you know tomorrow when I can test the portal against a iOS device.
0 Helpful

Go to solution
TonyStark
Level 1
Level 1
In response to Jason Kunst

‎11-06-2018 12:55 PM - edited ‎11-06-2018 01:06 PM

 
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to TonyStark

‎11-06-2018 01:00 PM

Not sure I follow, ISE Guest with WLC is working and is supported. Use it all the time. Perhaps you are having an issue to debug and work with TAC?
0 Helpful

Go to solution
TonyStark
Level 1
Level 1
In response to Jason Kunst

‎11-08-2018 09:57 AM

I had deleted my post because it was a bit strongly worded and I thought that I may have missed something.  I do have a TAC case open.  They don't know how to make IPhone CNA work.  The initial response was captive portal bypass which is a joke.  This does not work and has not worked for years.  There are numerous threads on numerous forums stating the same thing.  Apple has no documentation on how their CNA works nor will they release any. Cisco has no documentation that mentions this issue, a workaround, or what would be required to make it work correctly.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to TonyStark

‎11-08-2018 10:36 AM

There is nothing to make it work. Disable captive portal bypass on the controller. Having it enabled will suppress the Apple CNA.

Again this is strictly for Guest basic flows. If you have javascript loading and doing redirections and fancy things then I wouldn’t recommend allowing that and would suppress the CNA using captive portal bypass.

The only reason I could think for TAC support is if something isn’t working but I have it working with WLC 8.3 and 8.5 code fine. If you’re not getting support from TAC ask for an escalation.
0 Helpful

Go to solution
TonyStark
Level 1
Level 1
In response to Jason Kunst

‎11-09-2018 08:07 AM

I'm just not seeing it work. I am testing 8.5 MR3 and ISE 2.2 patch 6 with IOS clients, haven't seen CNA launch yet.  They fool around guessing different websites until the portal pops up.  We're going to be upgrading ISE to 2.4 soon but this appears to be a WLC issue.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to TonyStark

‎11-09-2018 08:26 AM

The mini browser sends out probes to different sites. If it can’t get to those sites then it won’t pop up. So if your URL redirect redirects everything to ISE and your ACL only allows access to ISE then it should pop. I would recommend tracing with the TAC as well.

When you enable captive portal bypass it spoofs responses to those sites causing it not to pop up. There are scenarios where you wouldn’t want it to (example BYOD, social media login, SAML SSO advanced customization)

Some basic info
https://socifi-doc.atlassian.net/wiki/spaces/SC/pages/27689029/The+Splash+Page+is+not+triggered+when+iOS+devices+connect+to+WiFi

Some trouble posts
https://forums.developer.apple.com/thread/62947

Some basic info
https://www.google.com/search?ei=2LLlW4FXoK7Q8Q_a9aiIDQ&q=what+sites+does+apple+cna+check&oq=what+sites+does+apple+cna+check&gs_l=psy-ab.3..33i160l2.422379.426740..426933...0.0..0.227.5506.0j28j3......0....1..gws-wiz.......0j0i71j35i39j0i67j0i131i67j...
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents