
ISE 2.2 and Meraki Deployment - CNA Apple Issues

creviscrevis
Level 1

Hi folks,

We have some issues with the Apple CNA in an ISE 2.2 and Meraki deployment. I read that it is supported in this ISE version, but it isn't working. To access the guest redirection page I need to open the browser manually. Another important piece of information is that it works fine with Android devices.

Could you please help me?

Accepted Solutions

Jason Kunst
Cisco Employee

With traditional wireless controllers we spoofed Apple's response so the mini browser wouldn't pop up.

This was the captive portal bypass feature.

To get it to pop we disabled captive portal bypass.

This is not something that ISE can control. ISE is supported to work with the mini browser when it does display; we don't have any control over whether it pops up or not.

Please work with the Meraki team to troubleshoot if they have a suppression capability.

18 Replies

Jason Kunst
Cisco Employee

Recommend trying a traditional splash page from Meraki as well to see what happens.

Hi Jason

I tested with Splash Page with Facebook Authentication and it works fine!

tks

OK, I would recommend moving forward with the TAC. Please let us know.

samye
Cisco Employee

Hi Cleverson,

Is there any update from you? I have the same issue.

Did Meraki give you an answer on it?

Thanks a lot

Hi,

No, the same issue is happening....

Tks, any information from Meraki?

foozed
Level 1

I've been struggling with a very similar issue for months as well.

My issue is slightly different where the captive portal opens sometimes, but most of the time will open, then abruptly close, open again long enough for a web redirection, authentication, and then abruptly close again with no success or redirect with a wlan disconnect.

I've opened tickets with Meraki, and they point a finger at Cisco.

I open tickets with Cisco TAC, and they point a finger at Meraki.

I don't believe it to be an ISE issue either, but the folks at Meraki don't appear to have as well-organized a TAC/troubleshooting method as Cisco does, unfortunately.

I cannot get anywhere with it.. I've asked my Cisco AM multiple times to get both Meraki and Cisco on the phone together to troubleshoot to no avail.

I am no longer an Enterprise customer with Cisco so I do not have a dedicated SE.

Someone who is having this issue (who is an Enterprise customer) needs to get their SE to organize a meeting with both groups to determine with certainty where the root cause is, and what can be done to address it (if anything).

If you’re using the hotspot portal on ISE 2.2, make sure the option under portal settings is set to reauth and not disconnect for CoA.

I have this mocked up in my lab.

- 2504 running 8.3, MAB, AAA override and ISE NAC. I get the pop-up, enter creds, and am redirected to the success page, and it works fine on iOS, macOS, Windows.

- Meraki MR32, MAB, ISE for RADIUS and "Use ISE for splash page". My iOS devices get the pop-up, enter creds, and get a 400 error. Works fine on Windows and macOS.

So, I tried this:

- Meraki MR32, MAB, ISE for RADIUS and "Use ISE for splash page". Added 17.0.0.0/8 into the walled garden list (nslookup on apple.com), and the CNA browser did not pop up. I opened a browser manually (fail, default was https://www.google.com), went to an http (no s) site, my splash page came up, I entered creds, and logged in just fine.

Sounds like the ISE CNA is working fine since it worked great with a Cisco WLC, but whatever Meraki is doing in the middle is breaking it.

Same exact Results policy all along.

Anybody else ever get this figured out?

Seems this is a common issue:

https://community.meraki.com/t5/Wireless-LAN/Apple-CNA-didn-t-popup-in-Meraki-integrated-with-ISE/td-p/10483

https://community.meraki.com/t5/Wireless-LAN/Cisco-ISE-2-2-for-Guest-amp-BYOD-issues-with-Apple-IOS-devices/m-p/10777/highlight/false#M1811

Richard,

I definitely am still dealing with having to enter http only, but since I posted in another thread about the "fix" which only makes it less frequent for us, one of my branch offices has been reporting issues even going to just http. I don't see it hardly at all in my data center. I am running MR32s here and they run MR33. What ISE version are you running?

I've got 2.3 patch 4 in my lab, and it is an MR32, not a 34 as I said above. It all works great with my Cisco WLC running 8.3 MAB/RadiusNAC/AAAOverride, but I'm having the above-described issue with the MR32 with iOS (iPhone and iPad running 11.4). macOS and Windows are both totally happy...

Gotcha, we are running pretty much the same setup then. I might spin up a virtual WLC trial and get an AP to test. If things stay this way I’d be able to sell the costs for sure if it meant better user experience. I’ve only got it deployed at my DC and one other office now, but if guest wireless deployment expands quickly, the voices will be louder.

I've got something like this, ISE Captive Portal of some flavor, running with Cisco WLCs at very large deployments (100,000 users and 10,000 APs, 60,000 users also 10,000 APs, etc.) and the first time I hit this problem was when I tried to recreate the same type of Captive Portal with a Meraki MR32... Unfortunately people seem to have been having these issues for at least 8 months according to the forums and it's still not resolved. Some of the responses I saw were, "Why not just use Meraki for this instead of ISE, it does the same thing" which I categorically disagree with...

Hopefully somebody can step in and tell us, "Hey dumb guys, you forgot to check the checkbox X to make this work" and it'll fix it for us. But I'm not holding my breath.