Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1353
Views
5
Helpful
3
Replies

ISE 1.4 and Apple's "Captive Network Assistant" causing problems

Go to solution
Eric Hansen
Level 1
Level 1

‎06-17-2015 09:49 AM - edited ‎03-10-2019 10:49 PM

I'm testing ISE 1.4 with MAC 10.10.2/Safari 8.0.3, and the annoying scaled down Safari AKA "Captive Network Assistant" is getting in the way.  I'm wondering what other people have done to get around it.

 

According to the Cisco ISE Network Component Compatibility v1.4 the Safari I have should be compatible, Captive Network Assistant says that its not but I suspect that its because the MAC laptop is trying to validate against ~200 domains(so I hear it does).  My ISE/WLC have a dacl that permits certain IP's prior to AuthC/Z completing and obviously I can't put in dacls for all 200 of these domains.  My ISE is setup with the trustsec model where I have two SSID's, first one on the front end to detect if Anyconnect 4.x is installed and if it isnt then redirect to a portal.  The MAC fails the device security check cause... or i should say wont display it... cause of Apple's Captive Network Assistant.

 

I do know that I can disable the Captive Network Assistant by renaming its file, but this will probably not be an acceptable solution in my environment because of political reasons.  I am wondering what others have done to get around this annoying problem.  Maybe something with a DNS record or something...

 

thanks

e-

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jan.nielsen
Level 7
Level 7

‎06-17-2015 01:23 PM

Common recommendation is to cheat the apple devices to think it has internet access, by issuing this command on the command line of your WLC :

 

config network web-auth captive-bypass enable

View solution in original post

3 Replies 3

Go to solution
jan.nielsen
Level 7
Level 7

‎06-17-2015 01:23 PM

Common recommendation is to cheat the apple devices to think it has internet access, by issuing this command on the command line of your WLC :

 

config network web-auth captive-bypass enable

Go to solution
Eric Hansen
Level 1
Level 1
In response to jan.nielsen

‎06-18-2015 09:40 AM

Actually I am planning on putting in that very command tonight after the bulk of my users go home, restart required.  I'll report back.

 

**EDIT: worked great!

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jan.nielsen

‎06-25-2015 07:11 PM

Had the same issue just this week - TAC recommended that as well.

Cheers.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents