iOS redirection to CWA is very slow

SHANNON WYATT · ‎05-16-2019

I have an issue were iOS devices are taking about 45 seconds for the web page to pop up for authentication. I know it is an issue with the CNA, but I'm stumped. Has something changed? I've never had this come up before. It does work, it is just slow.

hslai · ‎05-16-2019

This might help --

Apple Captive Network Assistant Slowness Problems on iOS · Alex Meub

SHANNON WYATT · ‎05-16-2019

I saw this, but we don't have an animated graphic, just a small image.

Arne Bier · ‎05-17-2019

Have you tried doing a tcpdump on the PSN node to see at what stage the URL redirect is sent? Is the delay AFTER the URL redirect has been sent to the WLC?

I would do a client debug on the WLC to see what happens during that time.

SHANNON WYATT · ‎05-17-2019

Not yet. I can see the URL redirect is there though. Oddly one of the iOS devices we have been testing doesn't trust the cert (Geotrust cert) and we immediately get the cert error on redirect and can click past and the page is there. I'm wondering if there is CRL checking going on. I've planned on doing debugs from the controller today. This is only affecting iOS devices, which is the story of my life it seems.

hslai · ‎05-17-2019

We've seen a few issues with CAs using cross Root CA. Check whether the Root CA is Apple iOS --

Lists of available trusted root certificates in iOS - Apple Support

If yes, please remove the cross Root CA, import the self-signed one, and restart ISE services to ensure ISE will start sending the correct chain.

SHANNON WYATT · ‎05-18-2019

I set up to do a capture to see what the devices were checking, but they have 2800's, so that won't work :-(

The customer is going to try to do a packet capture for me on the network so I can see what is happening. It was very concerning (the slowness) but the customer has the same slowness on a legacy wireless network using the controller captive portal and iOS.