iOS Devices won't redirect to ISE 2.6 Guest Portal

heleros
Level 1

It's a new deployment with a 9800-CL and ISE 2.6 with 3 Guest Portals.

If Windows and Android devices connect to an open SSID they get a push notification to log in, but certain Apple devices won't get a push notification and it's not working.

I captured the traffic from the WLC to the Apple device and I see:

[Screenshot: pcap-redirect.png]

So it is able to communicate with captive.apple.com.

I followed this guide: https://community.cisco.com/t5/security-documents/ise-and-catalyst-9800-series-integration-guide/ta-p/3753060

My Redirect ACL:

ip access-list extended Redirect
1 deny udp any any range bootps bootpc log
2 deny udp any range bootps bootpc any log
10 deny udp any any eq domain
20 deny udp any eq domain any
30 deny tcp any host 10.2.0.1 range 8443 8447 log
40 deny ip host 10.2.0.1 any log
50 permit ip any any

Is my ACL not correct?

9 Replies

Cristian Matei
VIP Alumni

Hi,

Not sure about your overall setup, but take a look at this guide to ensure the proper configs have been done.

Regards,

Cristian Matei.

I followed your guide, but it's not a BYOD setup; it's just an open SSID where devices can connect and have to accept terms or log in for free Wi-Fi.

Hi,

That link was more to inform you of possible issues with the Apple Captive Network Assistant. Now, can you try and change the REDIRECT ACL as follows:

ip access-list extended Redirect
10 deny udp any eq bootpc any eq bootps
20 deny udp any eq bootps any eq bootpc
30 deny udp any any eq domain
40 deny udp any eq domain any
50 deny tcp any host 10.2.0.1 range 8443 8447
60 deny tcp host 10.2.0.1 range 8443 8447 any
70 permit tcp any any eq 80
80 permit tcp any any eq 443

Regards,

Cristian Matei.

OK, thanks. I changed my ACL and will test it.

ammahend
VIP

Under the webauth parameter map, can you confirm whether captive bypass portal is checked or unchecked?

-hope this helps-

It's definitely unchecked in the global map and not mapped in the WLAN policy.

One more check.

The Apple pseudo-browser will not open if you configure only the ip http secure-server command. You should also configure the ip http server command. So make sure both are configured.

-hope this helps-

ip http server and ip http secure-server are both configured.

heleros
Level 1

So the solution from TAC was to delete the "80 permit tcp any any eq 443" line.
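To make the effect of the three ACL variants in this thread concrete, here is a small evaluator added as an example; it is not Cisco code and not anything the posters ran. It models the Catalyst 9800 redirect-ACL semantics (first match wins, permit means the flow is intercepted and sent to the portal, deny or no match means it is left alone), parses the poster's original ACL, the ACL suggested in the replies (with the 10.2.01 typo corrected to 10.2.0.1), and the TAC version with line 80 removed, then runs a few constructed guest flows through each. The client and server addresses are placeholders; 192.0.2.10 stands in for captive.apple.com.

```python
"""Toy evaluator for a Catalyst 9800 web-auth redirect ACL (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords that IOS-XE accepts and that appear in the ACLs on this page.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
PortSpec = Optional[Tuple[int, int]]   # inclusive (low, high); None = any port


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str     # "permit" (redirect to portal) or "deny" (bypass redirection)
    proto: str      # "ip", "tcp" or "udp"
    src: str        # "any" or a host address
    sport: PortSpec
    dst: str
    dport: PortSpec


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(toks: List[str], i: int) -> Tuple[str, int]:
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError(f"unsupported address spec {toks[i]!r}")


def _parse_ports(toks: List[str], i: int) -> Tuple[PortSpec, int]:
    """Optional 'eq X' or 'range A B' following an address."""
    if i < len(toks) and toks[i] == "eq":
        p = _port(toks[i + 1])
        return (p, p), i + 2
    if i < len(toks) and toks[i] == "range":
        return (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse 'seq action proto src [ports] dst [ports] [log]' lines, sorted by seq."""
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or not toks[0].isdigit():      # skips header and blank lines
            continue
        seq, action, proto = int(toks[0]), toks[1], toks[2]
        src, i = _parse_addr(toks, 3)
        sport, i = _parse_ports(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, i = _parse_ports(toks, i)           # a trailing 'log' is ignored
        aces.append(Ace(seq, action, proto, src, sport, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


def _matches(ace: Ace, f: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != f.proto:
        return False
    in_range = lambda spec, p: spec is None or spec[0] <= p <= spec[1]
    return (ace.src in ("any", f.src) and in_range(ace.sport, f.sport)
            and ace.dst in ("any", f.dst) and in_range(ace.dport, f.dport))


def redirect_decision(aces: List[Ace], f: Flow) -> str:
    """'redirect' if the first matching ACE is a permit, otherwise 'pass'."""
    for ace in aces:
        if _matches(ace, f):
            return "redirect" if ace.action == "permit" else "pass"
    return "pass"                                  # implicit deny: not redirected


def evaluate(acl_text: str, flows: Dict[str, Flow]) -> Dict[str, str]:
    aces = parse_acl(acl_text)
    return {name: redirect_decision(aces, f) for name, f in flows.items()}


# The poster's original ACL, as shown in the thread.
ORIGINAL_ACL = """ip access-list extended Redirect
1 deny udp any any range bootps bootpc log
2 deny udp any range bootps bootpc any log
10 deny udp any any eq domain
20 deny udp any eq domain any
30 deny tcp any host 10.2.0.1 range 8443 8447 log
40 deny ip host 10.2.0.1 any log
50 permit ip any any"""

# The ACL suggested in the replies (PSN address typo corrected to 10.2.0.1).
SUGGESTED_ACL = """ip access-list extended Redirect
10 deny udp any eq bootpc any eq bootps
20 deny udp any eq bootps any eq bootpc
30 deny udp any any eq domain
40 deny udp any eq domain any
50 deny tcp any host 10.2.0.1 range 8443 8447
60 deny tcp host 10.2.0.1 range 8443 8447 any
70 permit tcp any any eq 80
80 permit tcp any any eq 443"""

# The TAC fix: the same ACL with line 80 (HTTPS redirect) removed.
FINAL_ACL = "\n".join(l for l in SUGGESTED_ACL.splitlines() if not l.startswith("80 "))

# Constructed sample flows; addresses are placeholders (192.0.2.10 = captive.apple.com).
CLIENT = "10.2.10.50"
FLOWS = {
    "dhcp_discover": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns_query": Flow("udp", CLIENT, 40123, "10.2.0.53", 53),
    "apple_cna_probe_http": Flow("tcp", CLIENT, 50001, "192.0.2.10", 80),
    "ise_portal_8443": Flow("tcp", CLIENT, 50002, "10.2.0.1", 8443),
    "website_https": Flow("tcp", CLIENT, 50003, "192.0.2.20", 443),
}

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("suggested", SUGGESTED_ACL), ("tac_fix", FINAL_ACL)):
        print(label, evaluate(acl, FLOWS))
```

Running it shows that the plain-HTTP probe is redirected under all three ACLs, that DHCP, DNS and the portal ports on 10.2.0.1 always bypass redirection, and that only the TAC version leaves HTTPS alone. With a permit on 443 the controller has to answer a TLS handshake for a hostname it holds no certificate for, which a client sees as a certificate error rather than a portal; dropping that line is what made the Apple flow behave. Note that a redirect ACL only decides what is intercepted; what an unauthenticated client may reach at all is governed separately.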