iPAD, ISE and Onboarding w/SCEP

geniesis · ‎09-05-2012

I am running a ISE 1.1.1 trial and have setup most AuthC/Z policies mainly following the BYOD Design Guide at Design Zone. I have also been refering to the Trustsec 2.1 guides as well.

The problem I have is that when an iPAD connects to the On-boarding SSID.

At the moment, the iPAD correctly notices that web-auth is required and brings up the mini-webbrowser. This brings up the Cisco ISE Guest portal.

After login, I can register the device.

ISE has been configured to deploy a Native supplicant for the iPAD to deploy a profile to configure the device to use the Corp SSID and EAP-TLS. ISE has been correctly configured to connect to a 2008 R2 SCEP/NDES standalone install. The relevant certs are trusted in ISE (Including EAP-TLS auth).

However, this is where things go wrong. Once I register the device, the next stage is for a mobile profile to be pushed to the device. This does happen, but the problem is that it appears "behind" the mini-webbrowser used to perform the web login.

The issue is that when I press cancel on the mini-webbrowser to get to the profile install dialog, the iPAD appears to disconnect from the wifi network. This is a big problem as the certificate enrollment can't happen anymore.

Has anyone else had this issue?

Tarik Admani · ‎09-05-2012

Can you post a screenshot of what you are seeing.

Thanks,

Tarik Admani
*Please rate helpful posts*

geniesis · ‎09-05-2012

Not really. Wouldn't be captured in a screen shot.

Essentially the Profile wizard on the iPAD gets hidden behind the auto-login mini-webbrowser that the iPAD uses to get guest login.

The problem then is that I can't continue the profile NSP stage of the process.

jeverard · ‎11-28-2012

did you ever find the fix for this issue. We are having the same trouble..

gnijs · ‎11-29-2012

I had also this problem with "hidden" windows on iPhone and iPads.

For me the problem was fixed by implementing the captive portal bypass on the WLC controller:

config network web-auth captive-bypass

(small disadvantage: you don't fall automatically on the logon page. You need to open the browser yourself and got to google for example to get redirected)

Just try it...

topher1086 · ‎11-29-2012

We were having the same problem initially. Have you enabled the captive portal bypass on the wireless controllers?

config network web-auth captive-bypass enable

This spoofs the iPad into thinking there is no login portal and that it has internet access and therefore it doesn't open the mini browser. Then you can launch Safari and it will work fine. I did have an issue with a user that was trying to use Chrome on their iPad and it wouldn't work with ISE.

jeverard · ‎11-29-2012

config network web-auth captive-bypass

Seems to fix the pop-up webpage problem... but others remain....

vikasyad · ‎05-22-2013

Please review the below link for assistance on onboarding of ISE which might be helpful:

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_61_byod_provisioning.pdf

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_30_ise_profiling.pdf