11-01-2016 04:52 AM
Apple devices connecting to an AP 700/WLC 2504. ISE 2.1.
Currently captive bypass is disabled.
Client connects to the sponsor Wi-Fi (or hotspot) and the pop-up happens immediately; however, the page render takes 20-30 seconds.
However, if I open a browser manually and try to type 8.8.8.8, the redirect and render happen almost immediately.
My question is:
What is the process behind CNA? DNS or IP?
My WLC redirect ACL is to permit IP to ISE, permit DNS, then deny all. Is that correct?
Could this be a DNS issue?
Certificate issue?
11-01-2016 07:53 AM
Do you have a valid certificate on your ISE server? I have noticed misbehaviors if using a self-signed cert; mine won’t even auto-pop up if not a valid cert (well known). I have heard about it taking a long time to render but don’t remember what the problem was.
Let me dig more to see if I find anything.
11-01-2016 07:58 AM
Hi Jason,
Thanks for the note.
It seems to be happening with Android and iOS.
On the video recorded below, the portal detect pops up but you can see how long the delay is.
https://drive.google.com/file/d/0B88pfO5Kh6SYeDNFY2pQaDZ4c0k/view?usp=sharing
We originally tried with self-signed; now we are using one from COMODO. Wondering if this is indeed the issue. But if it was, why would some systems work and not others?
11-01-2016 12:25 PM
Can you do an HTTP browser trace to see what the slowdown is? Perhaps it is a DNS issue not resolving fast enough?
11-04-2016 07:01 AM
Have you checked the network between the ISE and the end endpoint? I have seen cases where the endpoint with the captive detection would force retransmission, which causes massive delay. If the WLC is a virtual WLC, I would check to make sure the underlying network is optimized and the vWLC has enough resources. To see if the vWLC is the issue, I would try it instead with a physical WLC or convert the WLAN to FlexConnect mode to eliminate the WLC from the path between endpoint and ISE.
11-04-2016 06:01 PM
Thanks Jason and Hosuk.
We've done a few things.
1) The controller was upgraded from 8.0.100.0 (no idea why it was running this) to 8.0.140.0.
2) A faulty switch port was found and circumvented.
3) Clients had the newly created cert installed.
We are in monitor mode right now, but it seems to be solved.
Thank you.