javascript to bind two guest portals into one experiencing problems on Apple Devices

umahar (Cisco Employee)

Has anyone had any experience with binding two portals into one guest portal using javascript and faced issues on iPad/iPhone/Mac?

I have embedded the below script into the landing captive portal page which is a self registration guest portal.

There is a button embedded which when clicked redirects the user to a separate guest portal where users can authenticate using their AD credentials - kind of BYOD.

 

Initially the second portal which runs the BYOD guest portal ran on port 8455. If we make a change to move the second port to 8443 then that button does not work as expected, eventually rendering it non-clickable. Windows works fine.

 

We are trying to troubleshoot at the browser level using developer tools but found no luck. It looks like iOS does not like changing ports too often due to security reasons etc. It's seen on Apple CNA, Safari and Chrome. Sometimes after rebooting and clearing cache the issue goes away but comes back again.

 

If anyone experienced such behaviour I would appreciate some pointers or info on it.

 

Thanks

<script>
jQuery(window).ready(function() {
    // Reuse the host the guest portal was served from; only the port differs.
    var hostname = window.location.hostname;

    // Pull the ISE session id out of the query string. This assumes the redirect
    // URL has the shape ?portal=<id>&sessionId=<id>..., i.e. sessionId is the
    // second parameter, which is why split("=")[2] is used.
    var WebSessionId = window.location.href.substr(window.location.href.search("\\?")).split("=")[2];

    // Add an "Employee Login" link that sends the user to the BYOD portal on port 8445
    // with the same session id. The session id is inserted into the markup unescaped,
    // and a <button> nested inside <a> is not valid HTML; browsers differ in how they treat it.
    jQuery('.cisco-ise-body').append(' <center><a href="https://'+hostname+':8445/portal/PortalSetup.action?portal=bcdac262-a4b1-11e8-a7e6-0050569e539f&sessionId='+WebSessionId+'&action=cwa" style="color: rgb(0,255,0)"><font color="212121"><button type="submit"> Employee Login</button></font></a></center>');
});
</script>
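The same portal-chaining logic, as an added example that is not the script from this thread: it reads the session id with the URL API, accepts only a plausible (assumed hexadecimal) session id, and builds the link with DOM methods instead of concatenating query-string text into HTML. The portal id, port and selector are placeholders and assumptions.

```javascript
// Added example, not code from the thread. Builds the "Employee Login" link to a
// second ISE portal from the current page URL. Portal id and port are assumptions.
const EMPLOYEE_PORTAL_ID = "PORTAL-ID-PLACEHOLDER"; // placeholder, not a real ISE portal id
const EMPLOYEE_PORTAL_PORT = 8445;
// ISE session ids in redirect URLs are assumed to be hex strings; anything else
// is rejected so a tampered query string cannot put arbitrary text into the link.
const SESSION_ID_RE = /^[0-9A-Fa-f]{8,64}$/;

// Returns the target URL as a string, or null when no usable session id is present.
function buildEmployeeLoginUrl(currentHref, portalId, port) {
  const current = new URL(currentHref);
  const sessionId = current.searchParams.get("sessionId");
  if (sessionId === null || !SESSION_ID_RE.test(sessionId)) {
    return null;
  }
  // Same host as the page the guest landed on; only the port changes.
  const target = new URL("/portal/PortalSetup.action", current);
  target.port = String(port);
  target.searchParams.set("portal", portalId);
  target.searchParams.set("sessionId", sessionId);
  target.searchParams.set("action", "cwa");
  return target.toString();
}

// Appends the link as DOM nodes (no HTML string building). Returns true when added.
function attachEmployeeLoginButton(doc, href) {
  const container = doc.querySelector(".cisco-ise-body");
  if (!container || href === null) return false;
  const link = doc.createElement("a");
  link.href = href;
  const button = doc.createElement("button");
  button.type = "button"; // not "submit": a submit button would post the enclosing form
  button.textContent = "Employee Login";
  link.appendChild(button);
  container.appendChild(link);
  return true;
}

// Browser entry point; skipped when run outside a page (e.g. under Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("DOMContentLoaded", () => {
    attachEmployeeLoginButton(document,
      buildEmployeeLoginUrl(window.location.href, EMPLOYEE_PORTAL_ID, EMPLOYEE_PORTAL_PORT));
  });
}
```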

 

12 Replies

paul (Advocate)

Did you check out this link:

 

https://community.cisco.com/t5/security-documents/ise-hotspot-portal-with-links-to-employee-or-vendor-portals/ta-p/3643513

 

Although, I saw at the bottom of the original thread someone said there was a problem with iPhones. 

 

Do you really need to send the AD users through a BYOD flow though? Natively, the self-registration portal supports AD login and the AD users are mapped to their own guest type. So you have control of exactly what endpoint identity group their MACs get put into and how often you purge that group.

Of course the obvious questions - Why was the port changed? Can you stick with what works? I have come up empty so far as to what is the reason, as ISE doesn't really care what port is used. You need to base your decision on what works in your environment. I have requested our scripting expert to take a look. Stay tuned. 

 

 

I agree. Why is it necessary to change ports? If some browsers work and some don't then maybe there is another way to do it. We will ask the developers but this is something advanced that might be hard to support with this workaround. It would be good to get your needs to our Product managers through the sales channel as well.

So we had a setup like below when I first came in.

 

Guest Portal - 8443

BYOD portal linked to Guest Portal - 8445

Sponsor Portal - 8445

 

All had same cert group - guest.

Now the sponsor portal needed a separate port because it needs a separate cert, as the guest cert was lacking the sponsor FQDN in its SAN. I guess ISE has a limitation of not allowing different certs for portals running on the same port.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva84197/?rfs=iqvred

 

Hence we needed to segregate the ports so that the sponsor and guest portals each have their own separate cert.

 

Yesterday we reverted the changes, moved the BYOD portal back to 8445 and moved the Sponsor portal to 8446, and everything is working as expected. We may have needed to improve the javascript.

 

Somehow Apple devices did not like changing to any port other than 8445 for BYOD.

 

You can also send them through BYOD another way. Disable BYOD on the guest portal. Have the user log in to the portal and then they are identified as part of a certain group. In your authorization rule, if the group is equal to a BYOD group then redirect them to the BYOD (NSP) page for onboarding.

Some examples

if MAB and guestendpointMACgroup permit access
if MAB and ADgroupX then redirect to NSP
if MAB and guestflow permit access
if MAB then redirect to guest portal

Jason thanks for the suggestion.
The design was already in place and agreed upon by previous engineers and hence out of my current scope.

umahar (Cisco Employee)
We are using the same script in the link.
As I said in my previous post , questioning the design is out of my scope currently.

OK not sure how to help otherwise. I provided some information and you can provide that to them.

Thanks Jason. There was no time to troubleshoot it further and after reverting the changes everything is working.
I have no idea why Apple didn't like 8443 while Windows/BlackBerry was absolutely working fine.
I tried to recreate the issue in my lab but couldn't, and Apple devices respected all port changes.
Maybe the iOS in their environment didn't like us changing ports and prevented going there due to some anti-phishing mechanism etc.

Our scripting expert said the issue was investigated before and the result came back as: the Apple browser doesn't like the port change. You may have to avoid the port change and work around it.

 

- Krish

 

Thanks - sorry for late response. I am not getting email notification for responses on this thread.

 

That's what we thought that Apple does not like port changes. 

Was your scripting expert able to find any documentation or guideline from Apple regarding this ?

 

No. This was investigated a year ago.

 

- Krish 

 
