
iOS 8.x Apple users and CISCO ISE native supplicant provisioning not working

m.bisoen
Level 1

Hi there guys,

I was wondering if anybody else has the following problem:

Apple iOS 8.x users are not able to register their devices on the ISE portal (native supplicant provisioning).

After they receive the redirection from the WLC, they freeze. Apple 7.x users have no problem.

ISE is version 1.2.1.198 patch 2.  WLC is running 8.0.102.14.

Anybody experienced the same?

MB

12 Replies

Saurav Lodh
Level 7

Allow access to apple.com during the guest flow or use the portal bypass feature on WLC.

Hi Salod,

Still not working. Allowed all the apple.com addresses in the ACL. Also the Web Auth Captive-Bypass is Enabled.

Hi,

We hit the same issue with ISE 1.2.1 P3. The Apple devices' browser froze after redirection. We tested today with iPhone/iPad running iOS 8.1.

Any update from the Cisco TAC case?

Regards, Holger

Hi,

Today we deployed WLC 7.6.130 and ISE 1.2.1 P3.

NSP for iOS 8.1 devices without any issues.

Regards, Holger

Hi Holger,

Thanks for the update. Could not yet open a TAC case. Something with contracts...

Glad to hear it is working with WLC 7.6.130.

nspasov
Cisco Employee

Hello-

You are most likely hitting this bug:

CSCup33018
Apple iOS 8 beta fails Native Supplicant Provisioning flow. This fix addresses an issue where with single or dual SSIDs, Apple devices running iOS 8 beta software failed to complete provisioning.

Patch 10 resolves this, however, you might want to upgrade to patch 11 since I see another iOS 8 related bug:

CSCup88315
Apple iOS 8 beta failing External Web Authentication (WebAuth) with ISE. This fix addresses an issue where Apple devices running iOS 8 beta software failed to complete external web authentication.

 

Here is the link to the release notes:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/release_notes/ise12_rn.html#pgfId-529760

 

Thank you for rating helpful posts!

Hi Neno,

I am aware of this bug. As we are running ISE version 1.2.1.198 patch 2 (the latest), this bug shouldn't be there anymore. Or am I too optimistic about this?

Oops, sorry, I read "1.2 - Patch 2" :)

I have no other suggestions outside of opening a TAC case :)

john.sumners
Level 1

I am also running ISE 1.2.1.198 patch 2 with 8.0.100. I am testing with an iPad running iOS 8.1. The device will register in the registration portal, but is not being classified as an iOS device within client provisioning, I believe. It is getting profiled as a workstation even though all Apple device profiles are enabled. I have an authorization policy for registered devices, and iPad, iPhone, iOS devices to gain access to the network without going through posture assessment. I then have my posture assessment authorization rules with Apple iOS devices set for an SSID native supplicant profile. I keep getting an error page on the iPad when connecting to the ISE SSID saying "Client Provisioning Portal ISE is not able to apply an access policy to your log-in session at this time. Please close this browser, wait approximately one minute, and try to connect again". It gives this message over and over. If I turn off the posture checking authorization profiles, the iOS device is selected as a rule further down, which tells me that ISE does not recognize it as an iOS device in the profiling or client provisioning.

Svartalf1989
Level 1

Hi!

I solved this problem. The reason was in the DNS. Do you use a local domain (please send the FQDN of your ISE)? After the device receives the redirection from the WLC, try to use the IP in the URL. If it helps, you will need to configure your DNS server. Later, I can write the details.

Hi Svartalf1989,

Forgot to do an update. Last week I "bypassed" the problem by simply inserting a DNS domain name (the one ISE uses, of course) in the DHCP scope definition on the WLC, as we are using the WLC as the DHCP server. Normally this was left "blank".

If you have your DHCP on an external server then you probably didn't have this issue.

My best guess is that from iOS8.x and up the Apple device only looks at the "host" part in the URL and expects a DNS suffix. If this is left "blank" then it fails to resolve the ISE server IP address.

Regards,

Manodj

Just add domain name to your dhcp configs

and bypass command to WLC
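
The DNS dependency described in the last few posts can be checked before touching client devices. The following is an added example, not part of the original thread or Cisco's tooling: it tests whether the host in a portal redirect URL resolves for a client that received a given DNS domain name from DHCP. The zone, hostname, URL and function names are constructed, and the client behaviour modelled is the guess made in the thread, not documented iOS behaviour.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample data: a stand-in DNS zone and portal redirect URL.
ZONE = {"ise01.corp.example": "192.0.2.10"}
REDIRECT_URL = "https://ise01.corp.example:8443/portal"


def system_lookup(name):
    """Resolve with the local resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_redirect(url, dhcp_domain, lookup=system_lookup):
    """Check whether the host in a portal redirect URL resolves for a client
    that was given `dhcp_domain` as its DNS domain name ("" if left blank)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return {"host": host, "verdict": "no-host", "tried": {}}
    try:
        ipaddress.ip_address(host)
        return {"host": host, "verdict": "ip-literal", "tried": {}}  # no DNS needed
    except ValueError:
        pass

    tried = {host: lookup(host)}  # the name exactly as written in the URL
    # Assumption taken from the thread: the client keeps only the host label
    # and relies on the DHCP-supplied domain name as suffix.
    label = host.split(".")[0]
    domain = dhcp_domain.strip(".")
    client_name = f"{label}.{domain}" if domain else label
    tried[client_name] = lookup(client_name)

    if tried[client_name]:
        verdict = "ok"
    elif not domain:
        verdict = "missing-dhcp-domain"
    else:
        verdict = "unresolvable"
    return {"host": host, "verdict": verdict, "tried": tried}


if __name__ == "__main__":
    for scope_domain in ("", "corp.example"):
        print(repr(scope_domain), check_redirect(REDIRECT_URL, scope_domain, ZONE.get))
```

Omit the `lookup` argument to query the resolver of the machine the script runs on, ideally one on the same VLAN and DNS servers as the onboarding clients.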
