cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1658
Views
0
Helpful
7
Replies

mini-browser cannot popup automatically in MacOS(Aruba+ISE)

yongwli
Cisco Employee
Cisco Employee

Hi Experts,

We are doing guest portal testing, ISE need to work with Aruba wireless. After done configuration, we found mini-browser cannot popup automatically in MacOS. If we launch browser manually, it can redirect to ISE guest portal and login guest network.

I did wireshark traffic capture, found Aruba redirect MacOS request correctly, but mini browser cannot popup automatically.

It looks like because ISE is using private certificate, but not sure mini-browser require public certificate or not.

Does anyone done this test before? do we support mini-browser popup automatically and any suggestion?

Thanks

DL

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee

Aruba maybe suppressing this mini-browser. This is up to the controller and not something configurable on ISE. ISE only sends down an named ACL.

ISE supports the minibrowser if it pops up since ISE 2.2

Perhaps CNA bypass is enabled on the aruba side?

http://community.arubanetworks.com/t5/Controller-Based-WLANs/What-config-on-Aruba-is-needed-to-Bypass-Apple-Captive-Network/ta-p/170040

View solution in original post

7 Replies 7

Jason Kunst
Cisco Employee
Cisco Employee

Aruba maybe suppressing this mini-browser. This is up to the controller and not something configurable on ISE. ISE only sends down an named ACL.

ISE supports the minibrowser if it pops up since ISE 2.2

Perhaps CNA bypass is enabled on the aruba side?

http://community.arubanetworks.com/t5/Controller-Based-WLANs/What-config-on-Aruba-is-needed-to-Bypass-Apple-Captive-Network/ta-p/170040

CNA has been disabled in Aruba side, we found client cannot complete ssl handshake with ISE via mini-browser. If use other browser safari/firefox, it's OK. Comparing ssl server hello packets between two scenario, did not find Aruba modified ssl packets.

Assuming you’re using ISE 2.2?

I have used self-signed certs with mini browser and guest and worked fine on apple ios but haven’t tried my MAC recently

I would suggest to move forward with TAC case to further troubleshoot.

Hi Jason,

Did you use Aruba WLC in your test? If yes, do you have configuration for reference? and what version?

Thanks

DL

No, please work with the tac and Aruba team

Yeah, this is obviously well documented at this point.  ISE authentication that invokes Apple CNA has been broken on all versions of ISE, to include 2.2, 2.3, and 2.4.  Closing the CNA popup (AKA mini-browser) and opening Safari or another browser on iOS devices will allow for successful onboarding / login experiences.  This appears to have begun to be an issue around iOS 11.3 - 11.6 and remains an issue all the way to iOS 12.  Several bug IDs have been generated over the last year without a "fixed-in" release to date.  All work-arounds to date are related to making changes to suppress the Apple CNA trigger on the users' iOS devices, which is obviously not viable on guest and large venue environments.  We have been able to reproduce this, with Cisco ISE engineers onsite, both on ISE 2.3 patch 5 and ISE 2.4 patch 3.  I should add, the break appears to be on the Apple CNA side, but the ownership for driving Apple to a fix also fall on Cisco, given the Apple/Cisco advertised enterprise relationship that both companies tout.  I am sure they will work this out, but being that it has been a year, things aren't looking satisfactory for either company's efforts.

Please make sure customers also escalate thru Apple. Will push through from Cisco side