Recently I ran into a problem where several of my client's iPhones are unable to connect to an SSID with a captive portal. The popup said that the iPhone was unable to connect to the SSID. Here are the conditions:
1. My client's iPhone is provided by their company. I do not know what kind of security setting was applied to the phone.
2. The SSID is a guest network using a captive portal with no pre-shared key.
3. The captive portal is using ISE's CWA.
So I tried some troubleshooting. I modified the SSID by adding a PSK, but the user still has to accept the T&C on the captive portal. The iPhone still could not connect, with a different error notification this time. The popup said that the password was wrong, but when I tried connecting to the SSID with another phone, it connected. So I removed the captive portal setting, this time using only the PSK, and the iPhone connected to the SSID.
I have 2 wild guesses regarding this:
1. Is captive portal information added to the beacon when the AP broadcasts the SSID? Because the iPhones acted strangely when connecting to an SSID with a captive portal, but not to an SSID with PSK only.
2. Does an iPhone with a certain security setting need to check a certain IP address first before it is able to connect to an SSID? Because the captive portal setting is blocking all access except to the DHCP server and ISE.
Is either of my guesses right? Or is there something else happening in the background? Thank you.
Have you investigated the ISE RADIUS logs for both of the devices? Wondering if you have multiple policies and one phone is hitting one whilst the other is hitting a different one.
The log was not even on the ISE, so I'm not sure if the phone got blocked by one of my rules. Did not check the log on WLC though.
I would perform another test. Create a new SSID and use a generic pass-through portal on the controller, not in ISE, and see if that works. If it doesn't work and other iPhones work, it can be that the company is blocking the use of guest wireless with a portal page. I know some companies that do this for laptops.
Will do if I get the chance in the future. Kinda curious regarding this one.
Do you know what is being checked by the endpoint to reject the captive portal? Is captive portal information broadcast by the AP?