ISE 2.7 Guest portal Issue for apple devices

Pat Pouna
Level 1

Team - we are having an issue with our guest ISE portal for Apple devices.
Once the device successfully passes captive portal authentication, the Cancel button on the top right does not change to Done.

When we change our redirect ACL to permit all, it works fine.
So I was wondering if we need to edit the ACL to enable successful communication with the Apple servers.
Is there a way to bypass that? We tried to check the "Captive Bypass Portal" box in the WebAuth parameters, but this bypassed the whole captive portal with no way to enter the guest credentials.


Cisco Catalyst 9800-40 WLC
16.12.4a

ISE v 2.7.0.356, Patch 2, PID SNS-3595-K9

1 Accepted Solution

thomas
Cisco Employee

Limited troubleshooting information was provided.

Looks like the community has run out of suggestions.

Please call TAC for proper troubleshooting.

8 Replies

Arne Bier
VIP

What does your intended 9800 Redirect ACL look like? Is it a FlexACL, or a regular ACL?

In general, if it's not FlexACL, then the logic of the 9800 Redirect ACL should be to allow only DNS and traffic to ISE PSN portal, and cause a redirect for web traffic. The logic (wording) of the 9800 ACL is misleading - deny means 'permit' and allow means 'redirect'. DHCP is allowed implicitly and doesn't need to be included in the ACL:

deny DNS
deny ISE PSN_IP TCP port 8443
permit TCP port 80
permit TCP port 443

Pat Pouna
Level 1

It is a regular ACL. I do have the deny DNS and deny PSN_IPs entries but am missing the redirect for http and https. Will need to add that and then test it.

Thanks

Pat Pouna
Level 1

That did not work.

The ACL was working just fine on the 5500 WLC, but it seems we need more readjustments on the 9800 WLC.

Tried 3 different ACL scenarios on the 9800 WLC:

1 -

deny any any

Works great for all devices

2 -

deny DNS
deny PSN IPs
permit any any

Devices can't get an IP from the DHCP server

3 -

deny DNS
deny bootpc
deny bootps
deny PSN IPs
permit any any

Works great for Windows devices, but Apple devices get stuck after successfully passing captive portal authentication: the Cancel button on the top right does not change to Done. If you leave the captive portal page, you get disconnected.
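As an added illustration (not code from this thread, from Cisco or from ISE), the Python below models the first-match, inverted semantics Arne Bier describes for the 9800 redirect ACL (deny = let through, permit = redirect) and runs the scenario 2 and scenario 3 ACLs from the post above against a few constructed pre-auth flows, showing why DHCP only survives once bootpc/bootps are excluded. The PSN and flow addresses are placeholders, and the model covers only what the thread states, not the controller's full implicit handling.

```python
from dataclasses import dataclass
from typing import Optional

PSN_IP = "192.0.2.10"  # placeholder for the ISE PSN address (constructed, not real)

@dataclass(frozen=True)
class Flow:
    proto: str          # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    src_port: int = 0

@dataclass(frozen=True)
class Entry:
    action: str                 # "deny" = let through, "permit" = redirect to portal
    proto: str = "ip"           # "ip" matches any transport protocol
    dst_ip: str = "any"
    port: Optional[int] = None  # matches either the source or the destination port

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and self.dst_ip in ("any", f.dst_ip)
                and (self.port is None or self.port in (f.src_port, f.dst_port)))

def evaluate(acl: list, f: Flow) -> str:
    """First matching entry wins: a 'deny' entry leaves the flow alone, a 'permit'
    entry intercepts it and redirects it to the ISE portal. A flow that matches
    no entry is simply not redirected by this ACL (modelled here as 'pass')."""
    for e in acl:
        if e.matches(f):
            return "pass" if e.action == "deny" else "redirect"
    return "pass"

# Constructed sample flows a guest client sends before it is authenticated.
FLOWS = {
    "dns": Flow("udp", "198.51.100.53", 53),
    "dhcp": Flow("udp", "255.255.255.255", 67, src_port=68),  # bootpc -> bootps
    "psn_portal": Flow("tcp", PSN_IP, 8443),
    "apple_probe": Flow("tcp", "203.0.113.80", 80),           # CNA reachability check
}

# Scenario 2 from the thread: DNS and PSN excluded, everything else redirected.
SCENARIO_2 = [Entry("deny", "udp", port=53), Entry("deny", dst_ip=PSN_IP), Entry("permit")]
# Scenario 3: the same plus the two DHCP ports (bootpc 68, bootps 67) excluded.
SCENARIO_3 = [Entry("deny", "udp", port=53), Entry("deny", "udp", port=68),
              Entry("deny", "udp", port=67), Entry("deny", dst_ip=PSN_IP), Entry("permit")]

def classify(acl: list) -> dict:
    """Map each sample flow name to 'pass' or 'redirect' under the given ACL."""
    return {name: evaluate(acl, f) for name, f in FLOWS.items()}
```

Running `classify(SCENARIO_2)` marks the DHCP flow as redirected, matching the "can't get an IP" symptom, while `classify(SCENARIO_3)` lets it pass and still redirects the HTTP probe.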


Hannes_Weber
Level 1

Hi,

I'm currently having the same problem.

With a new C9800 and ISE 2.7 we get the redirect for Android and Windows devices, but Apple devices don't work.

Was this ever solved?

(With the same ISE and the old WISM modules, the redirect works fine for Apple devices)

Xeladona
Level 1

Hi Pat,

did you solve your issue?

regards

I believe I ended up using the ACL below on the WLC side, just like Arne Bier advised:

deny any any udp eq domain
deny any any udp eq domain

deny any PSN ip
deny PSN any ip

permit any any ip

I would suggest focusing a bit more on the iOS Captive Network Assistant (CNA) feature for further troubleshooting.
If I remember right, you might want to make sure Captive Portal Bypassing is not enabled in your WLC global settings. The CNA on Apple devices may break when redirecting to an ISE captive portal if it is on.
Basically, when a user tries to access a web page, the CNA detects the presence of the ISE Guest Portal.
This request is directed to http://www.apple.com/library/test/success.html for Apple iOS version 6 and older, and to several possible target URLs for Apple iOS version 7 and later. If a response is received, then Internet access is assumed to be available and no further interaction is required.
If no response is received, then Internet access is assumed to be blocked by the captive portal.

frost_michael
Level 1

Late reply, but did you try reloading the page on the Apple device? I found Apple device captive portals would not change to Done; I had to script an auto reload of the page after a few seconds, and that made it change.