01-08-2021 09:05 AM
Team - we are having an issue with our guest ISE portal for Apple devices.
Once the device passes successfully captive portal authentication, the cancel button on the top right does not change to Done.
When we change our redirect ACL to permit all, it works fine.
So was wondering if we need to edit the ACL to enable successful communication with the apple servers.
Is there a way to bypass that? We tried to check the "Captive Bypass Portal" box in WebAuth parameters, but this was bypassing the whole captive portal with no way to enter the guest credential.
Cisco Catalyst 9800-40 WLC
16.12.4a
ISE v 2.7.0.356, Patch 2, PID SNS-3595-K9
01-26-2021 02:05 PM
Limited troubleshooting information was provided.
Looks like the community has run out of suggestions.
Please call TAC for proper troubleshooting.
01-10-2021 02:04 PM
What does your intended 9800 Redirect ACL look like? Is it a FlexACL, or a regular ACL?
In general, if it's not FlexACL, then the logic of the 9800 Redirect ACL should be to allow only DNS and traffic to ISE PSN portal, and cause a redirect for web traffic. The logic (wording) of the 9800 ACL is misleading - deny means 'permit' and allow means 'redirect'. DHCP is allowed implicitly and doesn't need to be included in the ACL:
deny DNS
deny ISE PSN_IP TCP port 8443
permit TCP port 80
permit TCP port 443
01-11-2021 08:19 AM
It is a regular ACL. I do have the deny DNS and deny PSN_IPs but missing redirect for http and https. Will need to add that then and test it.
Thanks
01-12-2021 07:43 AM
That did not work.
The ACL was working just fine on 5500 WLC but seems like we need more readjustments on 9800 WLC.
Tried 3 different ACL scenarios on 9800 WLC:
1 -
deny any any
Works great for all devices
2 -
deny DNS
deny PSN IPs
permit any any
Devices can't get an IP from the DHCP server
3 -
deny DNS
deny bootpc
deny bootps
deny PSN IPs
permit any any
Works great for Windows devices, but Apple devices get stuck after passing successfully captive portal authentication, the cancel button on the top right does not change to Done. If you leave the captive portal page, you get disconnected.
05-26-2021 06:03 AM
Hi,
I'm currently having the same problem.
With a new C9800 and the ISE 2.7 we get the redirect for Android and Windows devices, but Apple devices don't work.
Was this ever solved by?
(With the same ISE and the old WISM modules, the redirect works fine for Apple devices)
10-11-2021 01:23 AM
Hi Pat,
Did you solve your issue?
regards
10-19-2021 09:57 AM
I believe I ended up using the ACL below on the WLC side, just like Arne Bier advised:
deny any any udp eq domain
deny any any udp eq domain
deny any PSN ip
deny PSN any ip
permit any any ip
I would suggest to focus a bit more on the iOS Captive Network Assistant (CNA) feature for further troubleshooting.
If I remember right, you might want to make sure Captive Portal Bypassing is not enabled in your WLC global settings. The CNA on Apple devices may break when redirecting to an ISE captive portal if it is on.
Basically, when a user tries to access a web page, the CNA detects the presence of the ISE Guest Portal.
This request is directed to http://www.apple.com/library/test/success.html for Apple iOS version 6 and older, and to several possible target URLs for Apple iOS version 7 and later. If a response is received, then the Internet access is assumed to be available and no further interaction is required.
If no response is received, then the Internet access is assumed to be blocked by the captive portal.
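The redirect-ACL logic discussed in this thread (deny = traffic passes without redirect, permit = traffic is redirected to the portal), as an added example that is not part of the original posts and is not Cisco code. It models only first-match ACL evaluation; the PSN, client and web server addresses are constructed, and treating the implicit final deny as "no redirect" is an assumption.

```python
import ipaddress

PSN = "10.0.0.10"        # hypothetical ISE PSN address (constructed)
CLIENT = "192.168.50.23" # hypothetical guest client (constructed)
WEB = "203.0.113.80"     # constructed stand-in for an external web server

def rule(action, proto="ip", src="any", dst="any", dport=None):
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _ip_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def classify(acl, flow):
    """First match wins; 'deny' = pass without redirect, 'permit' = redirect."""
    for r in acl:
        if r["proto"] not in ("ip", flow["proto"]):
            continue
        if r["dport"] is not None and r["dport"] != flow["dport"]:
            continue
        if _ip_match(r["src"], flow["src"]) and _ip_match(r["dst"], flow["dst"]):
            return "bypass" if r["action"] == "deny" else "redirect"
    return "bypass"  # assumption: the implicit deny at the end means no redirect

# Scenario 1 from the thread: deny any any
ACL_DENY_ALL = [rule("deny")]
# Final ACL from the thread: DNS and PSN traffic bypass, everything else redirects
ACL_FINAL = [
    rule("deny", "udp", dport=53),
    rule("deny", dst=PSN),
    rule("deny", src=PSN),
    rule("permit"),
]

FLOWS = {  # constructed sample flows from a guest client
    "dns":        {"proto": "udp", "src": CLIENT, "dst": "192.168.50.1", "dport": 53},
    "ise_portal": {"proto": "tcp", "src": CLIENT, "dst": PSN, "dport": 8443},
    "cna_probe":  {"proto": "tcp", "src": CLIENT, "dst": WEB, "dport": 80},
    "https":      {"proto": "tcp", "src": CLIENT, "dst": WEB, "dport": 443},
}

def report(acl):
    return {name: classify(acl, flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("deny any any", ACL_DENY_ALL), ("final ACL", ACL_FINAL)):
        print(label, report(acl))
```

Under these semantics `deny any any` matches every flow as "bypass", so no client traffic is ever sent to the portal by the redirect ACL.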
06-24-2022 04:56 PM
Late reply, but did you try reloading the page on the Apple device? I found Apple device captive portals would not change to Done, I had to script an auto reload on the page after a few seconds, that made it change.