When Apple CNA (Captive Network Assistant) is activated, ISE BYOD onboarding cannot be completed because of the limitations of the CNA browser. While the WLC can be configured to suppress Apple CNA via ‘config network web-auth captive-bypass enable’, that command applies controller-wide and affects every WLAN the controller manages. This forces customers to choose between supporting ISE BYOD and supporting guest access with Apple CNA enabled. This document describes a few options for dealing with the Apple CNA issue when using both ISE guest and BYOD on the same wireless controller.
WLC controller-wide captive-bypass
From the WLC CLI, run ‘config network web-auth captive-bypass enable’, then save the configuration and reset the controller.
On 8.4 and above, from the WLC GUI, go to CONTROLLER > General and set Captive Network Assistant Bypass to 'Enabled' (requires a WLC reload).
Works with all versions of WLC & ISE including Converged Access
Requires controller reset after the command
The setting applies controller-wide; if the controller services both the guest and the BYOD WLAN, the CNA browser is suppressed on both WLANs.
Separate redirect ACL per portal (DNS ACL)
Create separate redirect ACLs for the BYOD portal and the guest portal on the WLC. The only difference is that the BYOD ACL permits ‘captive.apple.com’ in its DNS ACL while the guest portal ACL does not. When a client connects to the BYOD WLAN, its probe to captive.apple.com is passed through and receives the proper response, so the device believes it is on the Internet and Apple CNA is suppressed.
Can be enabled per ISE portal
Works with all versions of ISE
Requires WLC 7.6+ for DNS-ACL feature; also dependent upon the AP model and AP/WLAN mode for DNS-ACL feature to work.
FlexConnect local switching uses FlexConnect ACLs, which support DNS-ACL starting with 8.7.
Not supported with anchored WLANs
Occasionally a few users may still get the Apple CNA on the BYOD WLAN
Does not work with converged access
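The following is an added example, not code from the Cisco article or from Cisco: a small offline model of why the per-portal DNS ACL keeps Apple CNA quiet on the BYOD WLAN but not on the guest WLAN. It assumes Apple's publicly documented probe URL and "Success" page, and it models a WLC redirect ACL as a set of permitted hosts plus a set of DNS-ACL domain entries; the rule structure, the portal URL and the addresses are constructed for illustration and are not WLC syntax.

```python
"""Offline model of the Apple CNA probe against a guest and a BYOD redirect ACL.

Added example (not the article's or Cisco's code). Assumptions are labelled.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: Apple's well-known connectivity probe and the page it expects back.
CNA_PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
CNA_SUCCESS_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"


@dataclass
class RedirectAcl:
    """Simplified model of a WLC pre-authentication redirect ACL."""
    name: str
    permit_hosts: set = field(default_factory=set)    # addresses reachable pre-auth (ISE PSN, DNS)
    permit_domains: set = field(default_factory=set)  # DNS-ACL (url-domain) entries

    def allows(self, host: str) -> bool:
        return host in self.permit_hosts or host in self.permit_domains


def handle_probe(acl: RedirectAcl, url: str, portal_url: str):
    """Return (status, body) as the client sees it.

    Destinations permitted by the ACL pass through to the real server;
    everything else is intercepted and redirected to the ISE portal.
    """
    host = urlparse(url).hostname
    if acl.allows(host):
        # Constructed: the real captive.apple.com answers 200 with the Success page.
        return 200, CNA_SUCCESS_BODY
    return 302, f"Location: {portal_url}"


def cna_triggered(status: int, body: str) -> bool:
    """Modelled Apple behaviour: the CNA sheet appears unless the probe gets the Success page."""
    return not (status == 200 and body == CNA_SUCCESS_BODY)


def cna_appears_on(acl: RedirectAcl, portal_url: str) -> bool:
    """End-to-end: does a device on a WLAN using this ACL see the CNA sheet?"""
    status, body = handle_probe(acl, CNA_PROBE_URL, portal_url)
    return cna_triggered(status, body)


def acl_difference(a: RedirectAcl, b: RedirectAcl):
    """Symmetric difference of the two ACLs (hosts, domains); use it to confirm
    the guest and BYOD ACLs differ only in the captive.apple.com entry."""
    return (a.permit_hosts ^ b.permit_hosts, a.permit_domains ^ b.permit_domains)


# Constructed addresses for the example (RFC 5737 documentation range).
ISE_PSN = "192.0.2.10"
DNS_SERVER = "192.0.2.53"
PORTAL = "https://ise.example.com:8443/portal/"  # constructed portal URL

GUEST_ACL = RedirectAcl("GUEST_REDIRECT", {ISE_PSN, DNS_SERVER}, set())
BYOD_ACL = RedirectAcl("BYOD_REDIRECT", {ISE_PSN, DNS_SERVER}, {"captive.apple.com"})

if __name__ == "__main__":
    for acl in (GUEST_ACL, BYOD_ACL):
        state = "appears" if cna_appears_on(acl, PORTAL) else "suppressed"
        print(f"{acl.name}: Apple CNA {state}")
    print("ACLs differ only in:", acl_difference(GUEST_ACL, BYOD_ACL))
```

Running the script shows the guest ACL redirecting the probe (so the CNA sheet appears and the guest flow can use it) and the BYOD ACL passing it through (so the sheet is suppressed and the ISE BYOD flow runs in the full browser). The `acl_difference` check is the review step worth keeping when maintaining the two ACLs: anything other than the single captive.apple.com domain entry showing up in the difference means the two portals have drifted apart.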
Separate Auto-Anchor WLAN
If the BYOD WLAN exists only on the foreign controller and the guest WLAN is auto-anchored to the DMZ controller, one can enable controller-wide captive bypass on the foreign controller while leaving it disabled on the anchor controller. This allows guests to use the Apple CNA while it is suppressed for every foreign-managed WLAN, including the BYOD WLAN.
Can be enabled per WLAN
Can use any version of WLC or ISE
Requires a separate controller that supports anchoring; vWLC does not support anchoring
Requires a controller reset on the foreign controller for the setting to take effect