tisnow
Cisco Employee

Apple Mini browser pop up but content not displayed

Apple devices connecting to an AP 700/WLC 2504. ISE 2.1

Currently captive bypass is disabled.

Client connects to the sponsor wifi (or hotspot) and the pop up happens immediately however the page render takes 20-30 seconds.

However, if I open a browser manually and try to type 8.8.8.8, the redirect and render happen almost immediately.

My question is

What is the process behind CNA?  DNS or IP?

My WLC redirect ACL is to permit IP to ISE, permit DNS, then deny all. Is that correct?

Could this be a DNS issue?

Certificate issue?

Accepted Solutions
howon
Cisco Employee

Have you checked the network between the ISE and the endpoint? I have seen cases where the endpoint with the captive detection would force retransmission, which causes massive delay. If the WLC is a virtual WLC I would check to make sure the underlying network is optimized and the vWLC has enough resources. To see if the vWLC is the issue, I would try it instead with a physical WLC or convert the WLAN to FlexConnect mode to eliminate the WLC from the path between endpoint and ISE.

5 REPLIES
Jason Kunst
Cisco Employee

Do you have a valid certificate on your ISE server? I have noticed misbehaviors if using a self-signed cert; mine won’t even auto-pop up if not a valid cert (well known). I have heard about it taking a long time to render but don’t remember what the problem was.

Let me dig more to see if I find anything

Hi Jason,

Thanks for the note.


It seems to be happening with Android and iOS.

On the video recorded below, the portal detect pops up but you can see how long the delay is.

https://drive.google.com/file/d/0B88pfO5Kh6SYeDNFY2pQaDZ4c0k/view?usp=sharing

We originally tried with self-signed, now we are using one from COMODO. Wondering if this is indeed the issue. But if it was, why would some systems work and not others?

Can you do an HTTP browser trace to see what the slowdown is? Perhaps it is a DNS issue not resolving fast enough?
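
One way to act on the browser-trace suggestion above, as an added example that is not part of any poster's reply: export the trace as a HAR file and break each slow request into its phases to see whether the time went to DNS, the TCP connect, the TLS handshake or the server. The hostnames, URLs and timings in the sample are constructed, and the 5000 ms threshold is an assumption.

```python
import json

# Constructed HAR 1.2 fragment (not captured from the poster's network).
# Timings are in ms; -1 means the phase did not apply to that request.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "http://probe.example/hotspot-detect.html"},
     "response": {"status": 302},
     "timings": {"blocked": 2, "dns": 40, "connect": 15, "ssl": -1,
                 "send": 1, "wait": 30, "receive": 1}},
    {"request": {"url": "https://ise.example:8443/portal/gateway"},
     "response": {"status": 200},
     "timings": {"blocked": 5, "dns": 21000, "connect": 900, "ssl": 700,
                 "send": 1, "wait": 250, "receive": 120}},
]}})

PHASES = ("blocked", "dns", "connect", "send", "wait", "receive")


def _ms(timings, key):
    """HAR uses -1 (some exporters use null) when a phase did not apply."""
    return max(timings.get(key) or 0, 0)


def phase_breakdown(entry):
    """Return {phase: ms} for one entry, with the TLS handshake split out.

    HAR 1.2 counts "ssl" inside "connect", so it is subtracted here to
    avoid counting the handshake twice.
    """
    t = entry.get("timings", {})
    ms = {p: _ms(t, p) for p in PHASES}
    tls = min(_ms(t, "ssl"), ms["connect"])
    ms["connect"] -= tls
    ms["tls"] = tls
    return ms


def slow_requests(har_text, threshold_ms=5000):
    """List (url, total_ms, worst_phase, worst_ms) for requests over the threshold."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        ms = phase_breakdown(entry)
        total = sum(ms.values())
        if total >= threshold_ms:
            worst = max(ms, key=ms.get)
            findings.append((entry["request"]["url"], total, worst, ms[worst]))
    return findings


if __name__ == "__main__":
    for url, total, phase, spent in slow_requests(SAMPLE_HAR):
        print(f"{url}: {total} ms total, {spent} ms in {phase}")
```

A request dominated by `dns` points at name resolution, while one dominated by `connect` or `tls` points at the path or handshake between the endpoint and the portal.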

tisnow
Cisco Employee

Thanks Jason and Hosuk.

We've done a few things.

1) The controller was upgraded from 8.0.100.0 (no idea why it was running this) to 8.0.140.0.

2) A faulty switch port was found and circumvented.

3) Clients had the newly created cert installed.

We are in monitor mode right now but it seems to be solved.

Thank you
