I'm attempting to set up a Dual-SSID flow on a test deployment of ISE. I initially tried a Single-SSID flow but ran into a chicken or the egg issue with Android and certificates (want to do a long private cert but then Android wants a public one for the initial PEAP connection and seems to be in the process of removing the "Do Not Validate" cert options).
I believe the Dual-SSID flow is working for Android now via signing in to a guest portal that only allows AD logins and then presents the BYOD pages to get the certificate onboarding done.
However, I'm running into issues with the iPad I'm testing and the CNA/mini browser.
When using a portal I created in ISE, when I get redirected (which doesn't seem to always happen when I try in succession), I can log in with my AD credentials but the next page stays on "Cancel" and never presents the "Done" message. I've attempted adding either of the JavaScript options found here but with no improvement (added to Optional Content 2 on the Apple Mini Browser page in the portal):
https://community.cisco.com/t5/network-access-control/cisco-ise-3-1-sponsor-guest-flow-and-apple-cna-issue-cancel/m-p/4500187#M570961
I believe I have the ACLs set correctly on the 9800-CL. The initial one is set up to trigger the redirect and then the second one should get switched to when it detects the Apple Mini Browser flow (deny ip any to 1.1.1.1 and then a permit ip any to any).
I found another solution that recommended using the ISE portal builder. I created a test portal, uploaded it to ISE, and set up the basic options. Testing this with my iPad gets stuck even earlier... I enter my credentials and then click Sign On and nothing happens. It never proceeds to the next page. ISE RADIUS logs seem to show an active session with my username though.
I'm using ISE 3.1 with patch 5 currently and I've tried 15.7 and updating to 16.3 on my iPad.
I'm starting to wonder if maybe the JavaScript doesn't work on the CNA at all now? Or is something still possibly messed up with the ACLs I'm using?