iOS devices won't redirect to ISE 2.6 Guest Portal

It's a new deployment with a 9800-CL and ISE 2.6 with 3 Guest Portals.

If Windows and Android connect to an open SSID they will get a push notification to log in, but certain Apple devices won't get a push notification and it's not working.

I captured the traffic from the WLC to the Apple device and I see:

(screenshot: pcap-redirect.png)

So it is able to communicate with captive.apple.com.

I followed this guide: https://community.cisco.com/t5/security-documents/ise-and-catalyst-9800-series-integration-guide/ta-p/3753060

My Redirect ACL:

ip access-list extended Redirect
1 deny udp any any range bootps bootpc log
2 deny udp any range bootps bootpc any log
10 deny udp any any eq domain
20 deny udp any eq domain any
30 deny tcp any host 10.2.0.1 range 8443 8447 log
40 deny ip host 10.2.0.1 any log
50 permit ip any any

Is my ACL not correct?


Hi,

Not sure about your overall setup, but take a look at this guide to ensure the proper configs have been done.

Regards,

Cristian Matei.


I followed your guide, but it's no BYOD setup; it's just an open SSID where devices can connect and have to accept terms or log in for free Wi-Fi.


Hi,

That link was more to inform you on possible issues with the Apple Captive Network Assistant. Now, can you try and change the REDIRECT ACL as follows:

ip access-list extended Redirect
10 deny udp any eq bootpc any eq bootps
20 deny udp any eq bootps any eq bootpc
30 deny udp any any eq domain
40 deny udp any eq domain any
50 deny tcp any host 10.2.0.1 range 8443 8447
60 deny tcp host 10.2.0.1 range 8443 8447 any
70 permit tcp any any eq 80
80 permit tcp any any eq 443

Regards,

Cristian Matei.


OK, thanks. I changed my ACL and will test it.

Under webauth parameter, can you confirm if captive bypass portal is checked or unchecked?

-Rate helpful posts-

It's definitely unchecked in the global map and not mapped in the WLAN policy.


One more check.

The Apple pseudo-browser will not open if you configure only the ip http secure-server command. You should also configure the ip http server command, so make sure both are configured.

-Rate helpful posts-

Both ip http server and ip http secure-server are configured.

So the solution from TAC was to delete the "80 permit tcp any any eq 443" line.
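As an added example (not code from this thread or from Cisco), the following Python evaluator walks the suggested redirect ACL above, both as posted and with the line TAC removed, to show which sample flows each version would send to the guest portal. It assumes the usual 9800/ISE central web auth semantics, where a permit entry redirects and a deny entry bypasses the portal; the client, DNS and web server addresses are constructed.

```python
# Added example, not code from the thread or from Cisco. Assumption: in a
# 9800/ISE redirect ACL a "permit" entry sends the flow to the guest portal and
# a "deny" entry lets it through untouched; first match wins, implicit deny last.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
# The ACL suggested in the thread, minus the "80 permit tcp any any eq 443" line TAC removed
TAC_ACL = """10 deny udp any eq bootpc any eq bootps
20 deny udp any eq bootps any eq bootpc
30 deny udp any any eq domain
40 deny udp any eq domain any
50 deny tcp any host 10.2.0.1 range 8443 8447
60 deny tcp host 10.2.0.1 range 8443 8447 any
70 permit tcp any any eq 80"""
SUGGESTED_ACL = TAC_ACL + "\n80 permit tcp any any eq 443"   # before the TAC fix
def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)
def _addr(t, i):  # 'any' or 'host X' -> (matcher, index of next token)
    if t[i] == "host":
        return (lambda ip, h=t[i + 1]: ip == h), i + 2
    return (lambda ip: True), i + 1
def _portspec(t, i):  # optional 'eq N' or 'range A B' -> (matcher, next index)
    if i < len(t) and t[i] == "eq":
        return (lambda p, e=_port(t[i + 1]): p == e), i + 2
    if i < len(t) and t[i] == "range":
        lo, hi = _port(t[i + 1]), _port(t[i + 2])
        return (lambda p, lo=lo, hi=hi: lo <= p <= hi), i + 3
    return (lambda p: True), i

def redirects(acl, proto, src, sport, dst, dport):
    """True if the flow hits a permit entry, i.e. would be redirected to the portal."""
    for line in acl.splitlines():
        t = line.split()[1:]                    # drop the sequence number
        action, p = t[0], t[1]
        sm, i = _addr(t, 2); spm, i = _portspec(t, i)
        dm, i = _addr(t, i); dpm, i = _portspec(t, i)   # a trailing "log" is ignored
        if p in ("ip", proto) and sm(src) and spm(sport) and dm(dst) and dpm(dport):
            return action == "permit"
    return False                                # implicit deny: not redirected

# Constructed flows: ISE 10.2.0.1 is from the thread; the client 10.2.1.50, the
# DNS server 10.2.0.10 and the web server 203.0.113.10 (documentation range) are made up.
FLOWS = {
    "dhcp": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns": ("udp", "10.2.1.50", 51000, "10.2.0.10", 53),
    "ise_portal": ("tcp", "10.2.1.50", 51001, "10.2.0.1", 8443),
    "http": ("tcp", "10.2.1.50", 51002, "203.0.113.10", 80),
    "https": ("tcp", "10.2.1.50", 51003, "203.0.113.10", 443),
}

def redirected_flows(acl):  # map each sample flow name to whether the ACL redirects it
    return {name: redirects(acl, *flow) for name, flow in FLOWS.items()}
```

With the TAC version only plain HTTP is redirected, so DHCP, DNS, the portal itself and HTTPS all pass untouched.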