01-14-2021 11:52 AM
We treat our BYOD users the same as Guest (not a BYOD flow). Instead of authenticating against Guest Users, it uses AD credentials then allows Internet access only. It's been working until recently. On iPad/iPhone with iOS 13.x/14.x, the "Cancel" button on the upper right corner of the Apple CNA (Mini browser) won't go away after authentication succeeded. It should change to "Done". The Live Logs show everything is working: authentication succeeded and the correct authorization rule was hit. There are no issues on Android/Windows platforms.
Another portal (real Guest portal) works on all platforms.
Packet capture on the iPad shows the iPad sends a GET request to http://captive.apple.com/hotspot-detect.html.
When it's successful, as in the case of our Guest portal, the following response is received:
<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>
When it fails, as in the case of our BYOD portal, the iPad receives the following response:
[truncated]<HTML><HEAD><TITLE> Web Authentication Redirect</TITLE><META http-equiv="Cache-control" content="no-cache"><META http-equiv="Pragma" content="no-cache"><META http-equiv="Expires" content="-1"><META http-equiv="refresh" content
WLC 5520 software version: 8.5. "Captive Network Assistant Bypass" is disabled per SSID.
ISE (on VMs) version: 2.7 Patch 2
Cisco TAC tells me this is an Apple issue. Does anyone have a similar setup and see the issues?
Many thanks.
01-14-2021 07:44 PM
Hi
Have you tried without using CNA (mini browser)?
You said it was working recently, so what changed? Is it a patch applied on ISE or after a specific patch on iOS devices?
01-15-2021 08:18 AM
Hi Francesco, yes. It worked without Apple CNA. But people got used to CNA already. Nothing really changed on the infrastructure side, but for sure iOS got upgraded on iPads/iPhones.
More thoughts... we didn't want to mix Guest users and AD users, so we created two SSIDs: SSID-Guest and SSID-AD. We didn't use the default Endpoint Groups for Guest (GuestEndpoints). We created two Endpoint groups: Group-Guest and Group-AD, and they are referenced by two Guest Types: Guest-Type-Guest and Guest-Type-AD. We then have two Sponsored Guest Portals: Portal-Guest and Portal-AD. On the "Employees using this portal as guests inherit login options from" for two portals we set to Guest-Type-Guest and Guest-Type-AD accordingly. Authorization policies for both SSIDs are separate but almost identical: both are redirected first then have Internet access only. This setup has been working for years on all platforms.
More testing:
Connect to SSID-Guest using guest account, Apple CNA works; got a Done button.
Connect to SSID-Guest using an AD account, got the Cancel button on CNA; the CNA times out in a couple of minutes; SSID-Guest eventually got connected; can access Internet.
Connect to SSID-AD using a guest account, got the Cancel button on CNA; the CNA times out in a couple of minutes; no Internet; the MAC falls into Group-Guest instead of Group-AD (don't understand why).
Connect to SSID-AD using an AD account, got the Cancel button on CNA; the CNA times out in a couple of minutes; no Internet; the MAC falls into Group-AD.
Again, when bypassing CNA for SSID-AD, an AD account works but I have to go to an HTTP page first.
Understand using AD accounts for a Guest portal is not a common setup, but it's simple and straightforward.
01-17-2021 08:13 PM
Just to make sure we understood each other. When you disable CNA, this means Apple devices won't get the mini browser but still have to go to the Safari browser for authentication, right?
So without mini browser everything works?
Can you share some screenshots of your config please?