09-14-2017 01:22 AM
Hi Experts,
We are doing guest portal testing; ISE needs to work with Aruba wireless. After completing the configuration, we found that the mini-browser does not pop up automatically on macOS. If we launch a browser manually, it redirects to the ISE guest portal and we can log in to the guest network.
I did a Wireshark traffic capture and found that Aruba redirects the macOS request correctly, but the mini-browser does not pop up automatically.
It looks like this is because ISE is using a private certificate, but I am not sure whether the mini-browser requires a public certificate or not.
Has anyone done this test before? Do we support the mini-browser popping up automatically, and are there any suggestions?
Thanks
DL
09-14-2017 06:32 AM
Aruba may be suppressing this mini-browser. This is up to the controller and not something configurable on ISE. ISE only sends down a named ACL.
ISE supports the mini-browser if it pops up since ISE 2.2.
Perhaps CNA bypass is enabled on the Aruba side?
http://community.arubanetworks.com/t5/Controller-Based-WLANs/What-config-on-Aruba-is-needed-to-Bypass-Apple-Captive-Network/ta-p/170040
09-14-2017 08:01 AM
CNA has been disabled on the Aruba side; we found the client cannot complete the SSL handshake with ISE via the mini-browser. If we use another browser (Safari/Firefox), it's OK. Comparing the SSL server hello packets between the two scenarios, we did not find that Aruba modified the SSL packets.
09-14-2017 04:29 PM
Assuming you’re using ISE 2.2?
I have used self-signed certs with the mini-browser and guest, and it worked fine on Apple iOS, but I haven’t tried my Mac recently.
I would suggest moving forward with a TAC case to further troubleshoot.
09-18-2017 03:49 AM
Hi Jason,
Did you use an Aruba WLC in your test? If yes, do you have a configuration for reference? And what version?
Thanks
DL
09-18-2017 09:42 AM
No, please work with the TAC and Aruba team.
10-02-2018 05:49 AM - edited 10-02-2018 05:53 AM
Yeah, this is obviously well documented at this point. ISE authentication that invokes Apple CNA has been broken on all versions of ISE, to include 2.2, 2.3, and 2.4. Closing the CNA popup (AKA mini-browser) and opening Safari or another browser on iOS devices will allow for successful onboarding / login experiences. This appears to have begun to be an issue around iOS 11.3 - 11.6 and remains an issue all the way to iOS 12. Several bug IDs have been generated over the last year without a "fixed-in" release to date. All workarounds to date are related to making changes to suppress the Apple CNA trigger on the users' iOS devices, which is obviously not viable in guest and large venue environments. We have been able to reproduce this, with Cisco ISE engineers onsite, both on ISE 2.3 patch 5 and ISE 2.4 patch 3. I should add, the break appears to be on the Apple CNA side, but the ownership for driving Apple to a fix also falls on Cisco, given the Apple/Cisco advertised enterprise relationship that both companies tout. I am sure they will work this out, but being that it has been a year, things aren't looking satisfactory for either company's efforts.
10-02-2018 06:12 AM