
Cisco ISE 3.1, sponsor guest flow and Apple CNA issue (cancel button)

milos_p
Level 1

Hi guys,

I am testing sponsored guest flow with ISE 3.1 and AireOS 8.5.171.0 (on 5520).

With Android and Windows devices I don't have any issue; the guest flow works perfectly.

With Apple devices (iPhone with iOS 14 and 15), CNA is stuck after successful guest authentication on a white page with a "Cancel" button, which never changes to "Done".

Phone has internet access, because if you press "Cancel" manually, it will connect back to the guest WiFi and have access.

ISE logs are as expected.

I have tested guest flow on WLC itself with the same SSID (using local WLC portal) and CNA works fine, so it must be something ISE related.

Anyone having the same issue or have some idea what to do with CNA stuck on "Cancel" button?

Thanks,

Milos


Arne Bier
VIP

Hi @milos_p

One suggestion perhaps. In your final Access-Accept after the user has logged into the portal, you send an ACL string to the AireOS controller. Something like ACL_INTERNET_ALLOWED. In that ACL, do you also include the inbound TCP/8443 to the ISE PSNs? If there is more than one PSN then include all the PSNs that the WLC could have sent the MAB request to. I know it seems weird that the ISE portal needs to be allowed, but from memory I had to permit ISE in that ACL prior to blocking all RFC 1918. e.g. my pseudo-config ACL below:

permit client DNS
permit client DHCP
permit client to ISE PSN Portal(s)
deny client attempts to RFC1918 ranges
permit any any

Hi Arne,

Thanks for suggestion, but it is already allowed.

Greg Gibbs
Cisco Employee

There are multiple known issues with the Apple CNA and they are constantly adding security controls to it that break working functionality; especially with URL redirected portals.

I would suggest enabling the Captive Network Assistant Bypass feature on the SSID (this can be done per-SSID in your WLC version) and testing the same flow. You will need to manually open a browser to force the redirection when CNA Bypass is on.

If that still does not work, you may need to open a TAC case to investigate further.

Hi Greg,

I tried it without CNA (using bypass) and it works; I am not stuck on the screen with the "Cancel" button, but the user experience is very bad, because the user has to do a lot of actions manually, like opening a browser, going to some non-HTTPS page to get redirected, etc.

Funny thing is that using the guest portal on the WLC itself, CNA works without any issue. The problem is present when ISE is in the guest flow.

Thanks a lot!

hslai
Cisco Employee

Likely hitting this:

CSCvz90852 Hotspot Guest Portals in CNA with blank Success and NOT switched to Done on iDevices

Hi,

Thanks, but I cannot see bug details, nor find anything anywhere :-).

 

Any chance you can provide more information?

Also, in the title you wrote "Hotspot Guest Portals". Mine is a sponsored guest portal, so are they affected as well by this bug?

Thanks a lot!

hslai
Cisco Employee

CSCvz90852 is triggered with Captive Network Assistant (CNA) and impacts ISE 3.1 only. Below is the workaround:

In the success page portal customization, add a JavaScript to "Optional Content 2". Below are example JavaScripts:

To only refresh the page after 3 seconds:
<script>
// Reload the success page 3 seconds after it is shown so CNA picks up the new state.
setTimeout(function () {
    location.reload(true);
}, 3 * 1000);
</script>

To redirect to another page:
<script>
// Replace the success page with another URL after 3 seconds.
setTimeout(function () {
    location.replace("http://www.cisco.com");
}, 3 * 1000);
</script>

Finally!!!

Adding the refresh script worked flawlessly, and the Cancel button turned into Done.

Thanks a lot!

Hope this will be solved in the next patch for 3.1.

Regards,

Milos

I am having this issue as well setting up our Guest portal. I'm not sure if I am pasting the script correctly, but I still can't seem to get past it.

I clicked on Toggle HTML Source under Optional Content 2 under Authentication Success, pasted the following, and tried it again with an Apple iPhone, but it still doesn't seem to get past the Cancel window. It never gets to the "Done" window.

<script>
setTimeout(function () {
    location.reload(true);
}, 3 * 1000);
</script>

Hi, do you know if CSCvz90852 has a bug fix for 3.2?

We tried the reload script and see it flickering on the iOS device every second, but it doesn't seem to be working.

tx
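A variant of the reload workaround from hslai's reply, added here as an example and not taken from the thread or from Cisco: it reloads the success page once per portal session rather than every three seconds (the flicker described in the reply above), tracking the reload in sessionStorage under an assumed key name and falling back to the plain reload when storage is unavailable.

```javascript
// Added example, not from the thread: the reload workaround reworked so the
// success page reloads once per portal session instead of every 3 seconds.
// The decision is a pure function so it can be checked outside a browser.

var RELOAD_FLAG = "ise-success-reloaded"; // assumed key name, kept in sessionStorage

// storage: any object with getItem/setItem (sessionStorage in the browser).
// Returns "reload" the first time the success page is shown and "stay" after
// that. If storage throws (disabled or unavailable inside CNA), the reload
// cannot be tracked, so fall back to the thread's unconditional reload.
function successPageAction(storage) {
  var alreadyReloaded;
  try {
    alreadyReloaded = storage.getItem(RELOAD_FLAG) === "1";
  } catch (e) {
    return "reload";
  }
  if (alreadyReloaded) {
    return "stay";
  }
  try {
    storage.setItem(RELOAD_FLAG, "1");
  } catch (e) {
    // Could not record the reload; still do the one reload rather than nothing.
  }
  return "reload";
}

// In-memory stand-in for sessionStorage so the function can be exercised off-browser.
function memoryStorage() {
  var data = {};
  return {
    getItem: function (key) {
      return Object.prototype.hasOwnProperty.call(data, key) ? data[key] : null;
    },
    setItem: function (key, value) {
      data[key] = String(value);
    }
  };
}

// Browser wiring: same 3-second delay as the original snippet, but at most one reload.
if (typeof window !== "undefined" && typeof window.sessionStorage !== "undefined") {
  window.setTimeout(function () {
    if (successPageAction(window.sessionStorage) === "reload") {
      window.location.reload();
    }
  }, 3 * 1000);
}
```

Paste it between <script> tags in "Optional Content 2" the same way as the original snippet; whether a single reload is enough for CNA to switch Cancel to Done needs to be confirmed on the device.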

Aomar bahloul
Spotlight

Hi milos_p,

I'm experiencing a very similar issue with both new iOS and Android phones, old phones are OK. Did you get anywhere with this?

Thanks

Aomar.

Hi Aomar,

No, I am still stuck where I was, meaning Android works fine but iOS is stuck on the "Cancel" button, as described.

In the meantime I have installed patch 1 for 3.1, but that didn't change anything; the behavior is still the same.

I will soon upgrade the WLC to 8.10, so I will let you know if anything changes with that.

Regards,

Milos

Hi,

Same problem for me: on iOS (iPhones and MacBook) the button is stuck on "Cancel".

I tried exporting the default Guest template from the ISE Portal Builder and importing it on ISE, and it works fine!

Farid

Hi Farid,

I managed to make it work with the proposed solution from user "hslai".

But why not have your solution as well :-), thanks for telling me.