Guest access - Redirection issue on ios16

Tariq Mahmoud
Level 1

Hello all,

We have an issue with iOS 16 where guest access is not working due to failures at the redirection phase. This issue happens only with iPhones, while it works totally fine with Windows or Android.

After some checking and troubleshooting we found that there is a behavior change starting from iOS 16 to use public DNS servers instead of the private ones. This is mentioned here:

https://community.arubanetworks.com/discussion/apple-ios-devices-not-open-captive-portal-login-page-automatically
https://developer.apple.com/forums/thread/715416

We already had a case with Cisco TAC, but they ended up recommending that we contact Apple support, since this is an iPhone issue, and ask for a fix. This seems like a dead end to me.
I was wondering whether anyone else has faced this issue, and what the recommended way to fix it is?

Best regards,
Tariq

8 Replies

Why not just allow DNS to any server? Or am I misunderstanding something here?

Hi, can you explain further how the DNS bug is impacting your redirection? In theory you shouldn't set internal and external DNS in your DHCP options. Only point to internet DNS with HA, and that is set as a DNS forwarder.

Tariq Mahmoud
Level 1

DNS traffic is already allowed in the redirect ACL, if that's what you are asking. However, if endpoints want to reach the ISE captive portal, they should query the internal DNS so that they can reach ISE.
What we have seen with iOS 16 is that it ignores the local DNS and always goes to the public DNS server and captive.apple.com, and hence has no idea about the captive portal of our ISE setup.

But why are you exposing internal name space to guest users? It is also not really a best practice to expose an internal DNS server (most often also a domain controller) to untrusted guest endpoints. Why not deploy a dedicated ISE guest node in a protected DMZ on public name space? Or configure a second NIC on an ISE node to service guests with a public FQDN?

Dustin Anderson
VIP Alumni

Personally, I just added ISE to our external DNS, but with the internal IP address, so they get to the portal. Our guest network is behind a firewall, but can be allowed to talk to our ISE servers on the ports for the portals.
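As an added example (not code from the original thread, nor Cisco or ISE tooling), the script below checks the condition this thread turns on: whether the portal FQDN resolves through the internal resolver handed out by DHCP, whether it also resolves through public resolvers (the path an iOS 16 client takes when it bypasses the local DNS), and whether both paths return the same address, which is what publishing the ISE name in external DNS with the internal IP is meant to achieve. The resolver addresses, the FQDN `guest.example.com`, the address `10.10.10.50` and the embedded sample response are all constructed assumptions for the demonstration; the live `query_a` function sends a plain UDP DNS query and needs network access.

```python
"""Check a captive-portal FQDN against internal and public resolvers.

Added example. All names and addresses are hypothetical.
"""
import random
import socket
import struct


def build_query(name, qid):
    """Build a minimal DNS A query (recursion desired) for name."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just past a possibly compressed name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, two bytes
            return off + 2
        off += 1 + length


def parse_a_records(data, qid):
    """Extract IPv4 addresses from the answer section of a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F != 0:  # RCODE != NOERROR (NXDOMAIN, SERVFAIL, ...)
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips


def query_a(name, server, timeout=2.0):
    """Live lookup: send one UDP query to server and return the A records."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return []
    return parse_a_records(data, qid)


def check_portal_resolution(fqdn, internal_servers, public_servers, resolve=query_a):
    """Resolve fqdn via every resolver and classify the outcome.

    Verdicts:
      "ok"            both paths resolve and agree on the address set
      "mismatch"      both resolve, but to different addresses
      "internal-only" only the DHCP-supplied resolver knows the name; a client
                      that bypasses it (the iOS 16 behaviour in the thread)
                      cannot find the portal
      "public-only"   only public DNS knows the name
      "unresolvable"  nobody answers
    """
    details = {}
    for label, servers in (("internal", internal_servers), ("public", public_servers)):
        for server in servers:
            details[(label, server)] = sorted(resolve(fqdn, server))
    internal = {ip for s in internal_servers for ip in details[("internal", s)]}
    public = {ip for s in public_servers for ip in details[("public", s)]}
    if internal and public:
        verdict = "ok" if internal == public else "mismatch"
    elif internal:
        verdict = "internal-only"
    elif public:
        verdict = "public-only"
    else:
        verdict = "unresolvable"
    return verdict, details


# Constructed sample response: guest.example.com A 10.10.10.50 (hypothetical).
SAMPLE_QID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_QID, 0x8180, 1, 1, 0, 0)
    + b"\x05guest\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("10.10.10.50")
)


def demo():
    """Offline run using a table in place of real resolvers (constructed data)."""
    table = {"10.0.0.2": ["10.10.10.50"], "8.8.8.8": [], "1.1.1.1": []}

    def fake_resolve(name, server):
        return table.get(server, [])

    return check_portal_resolution(
        "guest.example.com", ["10.0.0.2"], ["8.8.8.8", "1.1.1.1"], resolve=fake_resolve
    )


if __name__ == "__main__":
    print(demo())
```

Run it against the real resolvers by passing `query_a` (the default) with your own ISE portal FQDN and the DHCP-supplied resolver address; an `internal-only` verdict is the failure mode described above, and `ok` is what you should see once the name is published externally with the same internal address.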

Tariq Mahmoud
Level 1

We restarted the wireless controller, and after that the issue was fixed. We haven't seen the issue again for a while now and all works fine.

What were your controller and ISE versions?

WLC is 8.10 (foreign/anchor setup) and ISE is 3.1. 

Based on my observations, it could be that the configuration was not active for some reason. What I did was configure the SSID from scratch, then reload the WLC, and after that everything worked fine on the iPhone.