I'm attempting to set up a Dual-SSID flow on a test deployment of ISE. I initially tried a Single-SSID flow but ran into a chicken or the egg issue with Android and certificates (want to do a long private cert but then Android wants a public one for the initial PEAP connection and seems to be in the process of removing the "Do Not Validate" cert options).
I believe the Dual-SSID flow is working for Android now via signing in to a guest portal that only allows AD logins and then presents the BYOD pages to get the certificate onboarding done.
However, I'm running into issues with the iPad I'm testing and the CNA/mini browser.
I believe I have the ACLs set correctly on the 9800-CL.. the initial one is set up to trigger the redirect and then the second one should get switched to when it detects the Apple Mini Browser flow (deny ip any to 18.104.22.168 and then a permit ip any to any).
I found another solution that recommended using the ISE portal builder. I created a test portal, uploaded it to ISE, and set up the basic options. Testing this with my iPad gets stuck even earlier... I enter my credentials and then click Sign On and nothing happens. It never proceeds to the next page. ISE radius logs seem to show an active session with my username though.
I'm using ISE 3.1 with patch 5 currently and I've tried 15.7 and updating to 16.3 on my iPad.