I am running an ISE 1.1.1 trial and have set up most AuthC/Z policies, mainly following the BYOD Design Guide at Design Zone. I have also been referring to the TrustSec 2.1 guides as well.
The problem I have is when an iPad connects to the On-boarding SSID.
At the moment, the iPad correctly notices that web-auth is required and brings up the mini-webbrowser. This brings up the Cisco ISE Guest portal.
After login, I can register the device.
ISE has been configured to deploy a Native supplicant for the iPad to deploy a profile to configure the device to use the Corp SSID and EAP-TLS. ISE has been correctly configured to connect to a 2008 R2 SCEP/NDES standalone install. The relevant certs are trusted in ISE (including EAP-TLS auth).
However, this is where things go wrong. Once I register the device, the next stage is for a mobile profile to be pushed to the device. This does happen, but the problem is that it appears "behind" the mini-webbrowser used to perform the web login.
The issue is that when I press cancel on the mini-webbrowser to get to the profile install dialog, the iPad appears to disconnect from the Wi-Fi network. This is a big problem as the certificate enrollment can't happen anymore.
Has anyone else had this issue?
Can you post a screenshot of what you are seeing?
*Please rate helpful posts*
Not really. Wouldn't be captured in a screenshot.
Essentially the Profile wizard on the iPad gets hidden behind the auto-login mini-webbrowser that the iPad uses to get guest login.
The problem then is that I can't continue the profile NSP stage of the process.
I also had this problem with "hidden" windows on iPhones and iPads.
For me the problem was fixed by implementing the captive portal bypass on the WLC controller:
config network web-auth captive-bypass
(Small disadvantage: you don't land automatically on the logon page. You need to open the browser yourself and go to Google, for example, to get redirected.)
Just try it...
We were having the same problem initially. Have you enabled the captive portal bypass on the wireless controllers?
config network web-auth captive-bypass enable
This spoofs the iPad into thinking there is no login portal and that it has internet access and therefore it doesn't open the mini browser. Then you can launch Safari and it will work fine. I did have an issue with a user that was trying to use Chrome on their iPad and it wouldn't work with ISE.
Please review the below link for assistance on onboarding of ISE which might be helpful: