
Guest portal with AD authentication not working with Apple iOS 13.x/14.x

Simon Z
Level 1

We treat our BYOD users the same as Guest (not a BYOD flow). Instead of authenticating against Guest Users, it uses AD credentials, then allows Internet access only. It's been working until recently. On iPad/iPhone with iOS 13.x/14.x, the "Cancel" button on the upper right corner of the Apple CNA (mini browser) won't go away after authentication succeeded. It should change to "Done". The Live Logs show everything is working: authentication succeeded and the correct authorization rule was hit. There are no issues on Android/Windows platforms.

 

Another portal (real Guest portal) works on all platforms.

 

A packet capture on the iPad shows the iPad sends a GET request to http://captive.apple.com/hotspot-detect.html.

 

When it's successful, as the case of our Guest portal, the following response is received:

<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>

 

When it fails, as in the case of our BYOD portal, the iPad receives the following response:

[truncated]<HTML><HEAD><TITLE> Web Authentication Redirect</TITLE><META http-equiv="Cache-control" content="no-cache"><META http-equiv="Pragma" content="no-cache"><META http-equiv="Expires" content="-1"><META http-equiv="refresh" content

 

WLC 5520 software version: 8.5. "Captive Network Assistant Bypass" is disabled per SSID.

ISE (on VMs) version: 2.7 Patch 2

 

Cisco TAC tells me this is an Apple issue. Does anyone have a similar setup and see the same issues?

 

Many thanks.
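
A way to triage captured probe responses like the two quoted in the post above, as an added example that is not part of the original post and not Cisco or Apple code: it classifies a hotspot-detect.html body as the "Success" page or a portal redirect. The names `classify_probe` and `CONSTRUCTED_REDIRECT`, and the example.invalid URL, are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Bodies quoted in the post; the second is truncated exactly as captured.
SUCCESS = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
TRUNCATED = ('<HTML><HEAD><TITLE> Web Authentication Redirect</TITLE>'
             '<META http-equiv="Cache-control" content="no-cache">'
             '<META http-equiv="Pragma" content="no-cache">'
             '<META http-equiv="Expires" content="-1"><META http-equiv="refresh" content')
# Constructed sample (not from the capture) showing a complete refresh tag.
CONSTRUCTED_REDIRECT = ('<HTML><HEAD><TITLE> Web Authentication Redirect</TITLE>'
                        '<META http-equiv="refresh" '
                        'content="1; URL=https://portal.example.invalid/login">'
                        '</HEAD></HTML>')

class _ProbeParser(HTMLParser):
    """Collects the <title> text and any <meta http-equiv="refresh"> content."""
    def __init__(self):
        super().__init__()
        self.title, self.refresh, self._in_title = "", None, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # tag/attr names arrive lowercased
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refresh = a.get("content", "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def classify_probe(body):
    """Return (state, redirect_url) for a hotspot-detect.html response body."""
    p = _ProbeParser()
    p.feed(body)
    p.close()
    if p.title.strip() == "Success" and p.refresh is None:
        return "open", None          # the response seen on the working portal
    m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", p.refresh or "", re.I)
    return "captive", (m.group(1) if m else None)  # still being redirected

if __name__ == "__main__":
    for name, body in [("success", SUCCESS), ("truncated", TRUNCATED),
                       ("constructed", CONSTRUCTED_REDIRECT)]:
        print(name, classify_probe(body))
```

Running it against the body returned after a successful portal login shows whether the controller is still intercepting the probe at that point.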


Francesco Molino
VIP Alumni

Hi

Have you tried without using CNA (mini browser)?
You said it was working recently, so what changed? Is it a patch applied on ISE, or was it after a specific patch on iOS devices?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Simon Z
Level 1

Hi Francesco, yes. It worked without Apple CNA. But people got used to CNA already. Nothing really changed on the infrastructure side, but for sure iOS got upgraded on iPads/iPhones.

 

More thoughts... we didn't want to mix Guest users and AD users, so we created two SSIDs: SSID-Guest and SSID-AD. We didn't use the default Endpoint Group for Guest (GuestEndpoints). We created two Endpoint groups: Group-Guest and Group-AD, and they are referenced by two Guest Types: Guest-Type-Guest and Guest-Type-AD. We then have two Sponsored Guest Portals: Portal-Guest and Portal-AD. The "Employees using this portal as guests inherit login options from" setting for the two portals is set to Guest-Type-Guest and Guest-Type-AD accordingly. Authorization policies for both SSIDs are separate but almost identical: both are redirected first, then have Internet access only. This setup has been working for years on all platforms.

 

More testing:

Connect to SSID-Guest using guest account, Apple CNA works; got a Done button.

Connect to SSID-Guest using an AD account, got the Cancel button on CNA; the CNA times out in a couple of minutes; SSID-Guest eventually got connected; can access Internet.

Connect to SSID-AD using a guest account, got the Cancel button on CNA; the CNA times out in a couple of minutes; no Internet; the MAC falls into Group-Guest instead of Group-AD (don't understand why).

Connect to SSID-AD using an AD account, got the Cancel button on CNA; the CNA times out in a couple of minutes; no Internet; the MAC falls into Group-AD.

 

Again, when bypassing CNA for SSID-AD, an AD account works, but I have to go to an HTTP page first.

 

I understand using AD accounts for a Guest portal is not a common setup, but it's simple and straightforward.

Just to make sure we understood each other: when you disable CNA, this means Apple devices won't get the mini browser but still have to go to the Safari browser for authentication, right?
So without mini browser everything works?

Can you share some screenshots of your config please?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question