
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-07-2024 06:51 PM
I'm testing BYOD.
WINDOWS and ANDROID can be redirected to the BYOD portal.
However, IOS is not redirected to the portal.
Are there any URLs I should add to the URL filter?
I've followed a combination of guides, but I'm not sure if what I've set up is correct.
Solved! Go to Solution.
Accepted Solutions

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-12-2024 07:56 PM
@JustTakeTheFirstStep , the URLs defined in URL filter defines what traffic will be exempted from redirection. If you want the redirect to happen when the browser is directed to 'gstatic.com' then you would not want that defined in the URL filter.
The expected behaviour (and what I see in my lab with my iPad [OS 17.2] and ISE 3.2 is the following:
- With captive portal bypass disabled, the redirect happens and the ISE portal returns the error 'This browser is not currently supported'
- With capture portal bypass enabled, after the initial SSID connection, the user must manually open a browser and input a URL that initiates the redirect (I use 'http://neverssl.com' as HTTPS redirects can be problematic). At that point the redirect happens and the BYOD enrolment flow can be followed.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-07-2024 07:23 PM
With captive bypass enabled, you would have to manually open a browser on the IOS device and browse to an HTTP page (like http://neverssl.com).
When you do so, it should redirect you to the ISE BYOD portal.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-07-2024 07:37 PM
Oh the wording in the IOX-XE GUI is probably not helpful. Does "Captive Bypass Portal" ticked mean that the CNA (Captive Networking Assistant from iOS) is being bypassed? In other words, "Captive Portal bypass" ? If so, then untick that. You don't want to bypass the iOS CNA. The CNA is like a "mini browser" that the iOS uses for open ssid logins.
If you bypass the CNA, then the user is not redirected automatically. They will have to trigger a manual re-direction by opening a browser to http://1.1.1.1/ or whatever.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-07-2024 07:48 PM
if Bypass the CNA, you will need to trigger a manual redirect browsing a URL (e,g www.cocheno.com)
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-07-2024 08:46 PM
The Apple CNA causes many issues with portal flows like BYOD, so it's best practice to have the Captive Portal Bypass enabled and train your users to manually open a browser for the redirect.
With IOS, if you disable the bypass option on the SSID, you will likely get a message from the BYOD portal (served up from the CNA) stating that the browser is not supported.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-12-2024 06:46 PM - edited 02-12-2024 07:44 PM
@Arne Bier @Greg Gibbs @Ruben Cocheno
Adding gstatic.com to the URL Filter and attempting to access the internet from a Chrome browser redirects to the BYOD Portal.
The redirect to BYOD Portal succeeds regardless of whether Captive Portal Bypass is enabled/disabled on the controller.
When press Start in the BYOD portal on a Chrome browser, show the message "This browser is not currently supported"
However, it does not redirect to the BYOD Portal in Safari browser.
What do I need to do?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-12-2024 07:56 PM
@JustTakeTheFirstStep , the URLs defined in URL filter defines what traffic will be exempted from redirection. If you want the redirect to happen when the browser is directed to 'gstatic.com' then you would not want that defined in the URL filter.
The expected behaviour (and what I see in my lab with my iPad [OS 17.2] and ISE 3.2 is the following:
- With captive portal bypass disabled, the redirect happens and the ISE portal returns the error 'This browser is not currently supported'
- With capture portal bypass enabled, after the initial SSID connection, the user must manually open a browser and input a URL that initiates the redirect (I use 'http://neverssl.com' as HTTPS redirects can be problematic). At that point the redirect happens and the BYOD enrolment flow can be followed.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-12-2024 09:23 PM - edited 02-12-2024 09:27 PM
Removed gstatic.com from the URL filter.
Wich Captive portal bypass disabled,
not automatically ridirected. manually opened the browser and entered the URL to start the redirect. show the message "This browser is not currently supported"
Wich Captive portal bypass enabled,
manually opened the browser and entered the URL to start the redirect. show the message "This browser is not currently supported"

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-13-2024 01:29 PM - edited 02-13-2024 01:29 PM
I can't replicate this issue in my lab (which is using an AireOS WLC). You might need to open a TAC case to investigate in more detail.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-07-2024 09:13 PM
Oh yes of course. This is BYOD and not Guest Portals. Not a pretty workflow for iOS then.
