Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5521
Views
0
Helpful
2
Replies

ISE guestaccess - Android/iPad problem

Mikael Gustafsson
Level 5
Level 5

‎10-24-2012 11:49 PM - edited ‎03-10-2019 07:43 PM

Hi all,

I have a guestaccess using CWA on ISE 1.1.1 and WLC 7.2

The setup is realy simple with redirect ACL to ISE and after that an permit-all ACL.

Guest users are on a guest vlan and go thru a ASA to talk to DHCP, DNS and ISE.

When I try to connect with laptops, Windows 7, OSX 10.7 and 10.8, it works like it a charm.

The user gets redirected, put in credentials and after that get on the network. Not one problem out of maybe 30 tests.

But when I try smartphones and iPad it doesent work that well...

With iPhones, iOS5 and iOS 6 tested on three diffrent phones, I get access 19/20 times.

With iPad, only one with iOS 5.1, I get access maybe 50% of the tries

And with Android, two HTC with 2.3.7 and 2.3.3, I got one logon to the guest network out of 25 or more tries.

What happends when I try to access the network with a problem device is that it gets a redirect url but states,

on Android 'Web page not available' and on iPAD '..could not open page because it could not connect ot server.

On all these devices I can see that I have a DHCP lease with IP address and DNS. I have rebooted all devices several times and I have used 'forget this network' on the diveces.

I have also tried to removed the clients from the WLC and I have tried to turn off/on the WLAN on the WLC.

Could this be a WLC problem? I did a simple TCP dump on the ISE server but did not see any packets. (Need to do this one again..)

Anyone with some insight on guestaccess and mobile devices? :-)

Message was edited by: Mikael Gustafsson

Labels:
0 Helpful
2 Replies 2

Tarik Admani
VIP Alumni
VIP Alumni

‎10-25-2012 10:37 PM

Hi,

Can you check the mac address table of the switch and see if the mac address is present and is leaving the controller? Also are using flexconnect or central switching for your clients?

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

vikasyad
Level 1
Level 1

‎05-23-2013 11:55 PM

While authenticating  the guest through wireless  its very important to check all the compatibility issues of the client  with the NAC(Switch/WLC) device and ISE.Please check the below  compatibitility matrix link along with some other links for assistance  on your queries:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_40_webauthentication_dg.pdf

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

0 Helpful
Customers Also Viewed These Support Documents