
Issues with ISE hotspot and self registration portals with apple devices

Hello,

I have configured ISE 2.4 to create wifi hotspots and self registration access. We use a WLC 2504 controller, software version 8.5.

Everything works fine with Windows devices and Android devices, which get correctly redirected to the ISE portal pages. However, with the iPhone we get errors. The phone connects to the SSID but then gives an error as below:

 

Error Opening Page - "Hotspot login cannot open the page because the server cannot be found". I believe this is trying to go to captive.apple.com. My redirect ACL on the WLC allows access to DNS and also to the ISE server. Do I need to add access to captive.apple.com in the ACL?

 

Another point is that the ISE server has a certificate signed by a CA that is not a publicly trusted CA. I have added the root CA to my trusted certs on the iPhone but still the same issue. I have also enabled web-auth captive-bypass and rebooted the WLC but still the same issues.

 

Any help would be great.

 

Thanks in advance

Nick

 

Accepted Solutions

Jason Kunst
Cisco Employee
Yes, likely the Apple Captive Network Assistant is not liking the self-signed cert.

I recommend reviewing the guest guide under http://cs.co/ise-guest

And also enabling captive portal bypass on the controller to suppress the CNA so the regular browser is used
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wlan_security.html


Look for Captive Portal Bypass

Information About Captive Bypassing

Long term you will want to allow users to have a seamless flow and disabling it


Many thanks Jason,

I have enabled captive bypass on the WLC. I am able to get a step further, so obviously I do not get automatically redirected to ISE, however when I open a browser I do get redirected to ISE but that is as far as I can get as it tells me there is an issue with the certificate. I do not get the option to trust or add the certificate for ISE so I get stuck here.

 

The domain name is xxxxxxx.local. I have read somewhere that iPhones do not like a .local domain.

Any other help would be great.

Thanks

Nick

 

 

Correct, Apple doesn’t like that. Would recommend trying something else. We use a fake domain like securitydemo.net. And a well known cert, otherwise Apple devices won’t go through BYOD flow as well. This isn’t an ISE issue.

That's great, thanks Jason. I will give this a try and let you know how I got on.

 

Cheers

Nick

 

Hi Russell, can I ask what the results of your testing were?

Thanks, please let me know.

Hi Jason,

 

I am facing the same issue. I tried to change the self-signed certificate using xxx.com.

The result is still the same on Apple devices: "Hotspot login cannot open the page because the server cannot be found".

I tried using a browser and it's working normally.

Is there any advice?

 

thanks

Are you saying you’re using self signed certificate?

Apple captive network browser assistant doesn’t like that likely

Hi Jason,

Yes, I am using a self-signed certificate.
Earlier everything was running well.
And now Apple devices cannot use CNA.

So, do we need to use a public certificate?

thanks

That's correct, a self-signed certificate is not supported in the guest flow for production, as many browsers have issues with them.

Check out the guest guide
https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475
and the certificate guide
https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897
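
As an added example (not part of any post in this thread): a shell check that flags the two portal-certificate properties raised above, a self-signed certificate and a `.local` name. The function names and the demo hostname are hypothetical, and the sample certificate is constructed locally with `openssl`.

```shell
#!/bin/sh
# Added example: function names and hostnames here are hypothetical.
# To inspect a live portal instead of the demo cert, save its certificate first:
#   openssl s_client -connect HOST:PORT -servername HOST </dev/null | openssl x509 > portal.pem

# Print one finding per line for the PEM certificate in $1.
check_portal_cert() {
  cert="$1"
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')

  # Subject equal to issuer: no separate CA signed this certificate.
  if [ "$subject" = "$issuer" ]; then
    echo "self-signed: $subject"
  fi

  # Collect the CN plus every DNS subjectAltName entry, de-duplicated.
  cn=$(printf '%s\n' "$subject" | tr ',' '\n' | sed -n 's/^CN=//p')
  sans=$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
  for name in $(printf '%s\n' $cn $sans | sort -u); do
    case "$name" in
      *.local) echo "local-domain: $name" ;;
    esac
  done
}

# Build a throwaway self-signed certificate (constructed sample input).
# $1 = common name, $2 = output path prefix (writes $2.key and $2.pem).
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Demo run on a constructed certificate for a .local portal name.
demo_dir=$(mktemp -d)
make_demo_cert "ise.corp.local" "$demo_dir/portal"
check_portal_cert "$demo_dir/portal.pem"
rm -rf "$demo_dir"
```

No output from `check_portal_cert` means neither property was found; it does not check whether the issuing CA is in the client's trust store.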