cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
592
Views
2
Helpful
9
Replies

IOS is not redirecting to the BYOD portal.

I'm testing BYOD.

WINDOWS and ANDROID can be redirected to the BYOD portal.

However, IOS is not redirected to the portal.

Are there any URLs I should add to the URL filter?

I've followed a combination of guides, but I'm not sure if what I've set up is correct.

 

2024-02-08 11 44 22 (2).png

2024-02-08 11 44 22.png

2024-02-08 11 44 22 (3).png2024-02-08 11 44 22 (4).png2024-02-08 11 44 22 (5).png

 

1 Accepted Solution

Accepted Solutions

@JustTakeTheFirstStep , the URLs defined in URL filter defines what traffic will be exempted from redirection. If you want the redirect to happen when the browser is directed to 'gstatic.com' then you would not want that defined in the URL filter.

The expected behaviour (and what I see in my lab with my iPad [OS 17.2] and ISE 3.2 is the following:

  • With captive portal bypass disabled, the redirect happens and the ISE portal returns the error 'This browser is not currently supported'
  • With capture portal bypass enabled, after the initial SSID connection, the user must manually open a browser and input a URL that initiates the redirect (I use 'http://neverssl.com' as HTTPS redirects can be problematic). At that point the redirect happens and the BYOD enrolment flow can be followed.

View solution in original post

9 Replies 9

Greg Gibbs
Cisco Employee
Cisco Employee

With captive bypass enabled, you would have to manually open a browser on the IOS device and browse to an HTTP page (like http://neverssl.com).

When you do so, it should redirect you to the ISE BYOD portal.

Arne Bier
VIP
VIP

Oh the wording in the IOX-XE GUI is probably not helpful. Does "Captive Bypass Portal" ticked mean that the CNA (Captive Networking Assistant from iOS) is being bypassed?  In other words, "Captive Portal bypass" ?  If so, then untick that. You don't want to bypass the iOS CNA.  The CNA is like a "mini browser" that the iOS uses for open ssid logins.  

If you bypass the CNA, then the user is not redirected automatically. They will have to trigger a manual re-direction by opening a browser to http://1.1.1.1/ or whatever. 

Ruben Cocheno
Spotlight
Spotlight

@JustTakeTheFirstStep 

if Bypass the CNA, you will need to trigger a manual redirect browsing a URL (e,g www.cocheno.com)

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Greg Gibbs
Cisco Employee
Cisco Employee

The Apple CNA causes many issues with portal flows like BYOD, so it's best practice to have the Captive Portal Bypass enabled and train your users to manually open a browser for the redirect.

With IOS, if you disable the bypass option on the SSID, you will likely get a message from the BYOD portal (served up from the CNA) stating that the browser is not supported.

@Arne Bier @Greg Gibbs @Ruben Cocheno 

2024-02-13 10 58 42.png

Adding gstatic.com to the URL Filter and attempting to access the internet from a Chrome browser redirects to the BYOD Portal.

The redirect to BYOD Portal succeeds regardless of whether Captive Portal Bypass is enabled/disabled on the controller.

IMG_4035.PNG

When press Start in the BYOD portal on a Chrome browser, show the message "This browser is not currently supported"

However, it does not redirect to the BYOD Portal in Safari browser.

What do I need to do?

@JustTakeTheFirstStep , the URLs defined in URL filter defines what traffic will be exempted from redirection. If you want the redirect to happen when the browser is directed to 'gstatic.com' then you would not want that defined in the URL filter.

The expected behaviour (and what I see in my lab with my iPad [OS 17.2] and ISE 3.2 is the following:

  • With captive portal bypass disabled, the redirect happens and the ISE portal returns the error 'This browser is not currently supported'
  • With capture portal bypass enabled, after the initial SSID connection, the user must manually open a browser and input a URL that initiates the redirect (I use 'http://neverssl.com' as HTTPS redirects can be problematic). At that point the redirect happens and the BYOD enrolment flow can be followed.

@Greg Gibbs 

Removed gstatic.com from the URL filter.

2024-02-13 14 26 04.png

Wich Captive portal bypass disabled,

not automatically ridirected. manually opened the browser and entered the URL to start the redirect. show the message "This browser is not currently supported"

Wich Captive portal bypass enabled,

manually opened the browser and entered the URL to start the redirect. show the message "This browser is not currently supported"

I can't replicate this issue in my lab (which is using an AireOS WLC). You might need to open a TAC case to investigate in more detail.

Arne Bier
VIP
VIP

Oh yes of course. This is BYOD and not Guest Portals. Not a pretty workflow for iOS then.