cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

552
Views
10
Helpful
6
Replies

Issues with ISE hotspot and self registration portals with apple devices

Hello,

I have configured ISE 2.4 to create wifi hotspots and self registration access. We user a WLC 2504 controller software version 8.5.

Everything works fine with windows devices and android devices which get correctly redirected to ISE portal pages. However, with the iphone we get errors. The phone connects to the ssid but then gives an error as below:

 

Error Opening Page - "Hotspot login cannot open the page because the server cannot be found". I believe this is trying to go to captive.apple.com. My redirect ACL on the WLC allows access to DNS and also to the ISE server. Do I need to add access to captive.apple.com in the ACL?

 

Another point is that the ise server has a certificate signed by a CA that is not a publicly trusted CA. I have added the root CA to my trusted certs on the iphone but still the same issue. I have also enabled web-auth captive-bypass and rebooted the WLC but still the same issues.

 

Any help would be great.

 

Thanks in advance

Nick

 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Issues with ISE hotspot and self registration portals with apple devices

Yes likely the Apple Captive network assistant is not liking the self signed cert.

I recommend reviewing the guest guide under http:://cs.co/ise-guest<>

And also enabling captive portal bypass on the controller to suppress the CNA so the regular browser is used
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wlan_security.html


Look for Captive Portal Bypass

Information About Captive Bypassing

Long term you will want to allow users to have a seamless flow and disabling it
6 REPLIES 6
Cisco Employee

Re: Issues with ISE hotspot and self registration portals with apple devices

Yes likely the Apple Captive network assistant is not liking the self signed cert.

I recommend reviewing the guest guide under http:://cs.co/ise-guest<>

And also enabling captive portal bypass on the controller to suppress the CNA so the regular browser is used
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wlan_security.html


Look for Captive Portal Bypass

Information About Captive Bypassing

Long term you will want to allow users to have a seamless flow and disabling it

Re: Issues with ISE hotspot and self registration portals with apple devices

Many thanks Jason,

I have enabled captive bypass on the WLC. I am able to get a step further, so obviously I do not get automatically redirected to ise, however when I open a browser I do get redirected to ISE but that is as far as I can get as it tells me there is an issue with he certificate. I do not get the option to trust or add the certificate for ISE so I get stuck here.

 

The domain name is xxxxxxx.local. I have read somewhere that iphones do not like a .local domain.

Any other help would be great.

Thanks

Nick

 

 

Cisco Employee

Re: Issues with ISE hotspot and self registration portals with apple devices

Correct Apple doesn’t like that. Would recommend trying something else. We use a fake domain like securitydemo.net. And a well known cert, otherwise Apple devices won’t go through BYOD flow as well. This isn’t an ise issue.

Re: Issues with ISE hotspot and self registration portals with apple devices

Thats great, thanks Jason. I will give this a try and let you know how I got on.

 

Cheers

Nick

 

Beginner

Re: Issues with ISE hotspot and self registration portals with apple devices

Hi Russell, can I ask what the results of your testing were?

Highlighted
Cisco Employee

Re: Issues with ISE hotspot and self registration portals with apple devices

thanks please let me know