When Apple's Captive Network Assistant (CNA) pops up, the ISE BYOD flow cannot be completed because of the limitations of the CNA mini-browser. The WLC can be configured to suppress Apple CNA via ‘config network web-auth captive-bypass enable’, but that setting is enforced controller-wide and affects every WLAN the controller manages. This forced customers to choose between supporting ISE BYOD and supporting guest access with Apple CNA enabled. This document describes a few options for dealing with the Apple CNA issue when using both ISE guest and BYOD on the same wireless controller.
WLC controller-wide captive-bypass
From the WLC CLI, run ‘config network web-auth captive-bypass enable’, then save the configuration and reset the controller.
On 8.4 and above, from the WLC GUI, go to CONTROLLER > General and select 'Enabled' for Captive Network Assistant Bypass (requires a WLC reload).
Works with all versions of WLC and ISE, including Converged Access
Requires a controller reset after the command
The setting applies controller-wide; if the controller services both the guest and the BYOD WLAN, the CNA browser is suppressed for both WLANs
Create separate redirect ACLs for the BYOD portal and the Guest portal on the WLC. The only difference is that the BYOD ACL allows access to ‘captive.apple.com’ in the DNS ACL while the guest portal ACL does not. When a client connects to the BYOD WLAN, Apple CNA is suppressed because the device can reach captive.apple.com, gets the expected response, and concludes it is on the Internet.
Can be enabled per ISE portal
Works with all versions of ISE
Requires WLC 7.6+ for the DNS-ACL feature; also depends on the AP model and the AP/WLAN mode for DNS-ACL to work.
FlexConnect local switching uses FlexConnect ACLs, which support DNS-ACL starting with 8.7.
Not supported with anchored WLANs
Occasionally a few users may still get Apple CNA on the BYOD WLAN
Does not work with Converged Access
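To verify from a client which behaviour a WLAN actually produces, the following added script (not part of the original document) issues the same probe Apple devices use, an HTTP GET of captive.apple.com/hotspot-detect.html expecting a body containing "Success", without following redirects, and classifies the result; run it once on the BYOD WLAN (expect 'open') and once on the guest WLAN (expect 'captive'). The classification labels are my own; the probe URL and expected body are Apple's documented behaviour.

```python
"""Probe captive.apple.com the way Apple's CNA does and classify the answer.

Added example, not from the original document.  If the redirect ACL lets
DNS and HTTP to captive.apple.com through, the device gets the real
"Success" page and CNA stays quiet.  If the WLC intercepts the request
(portal redirect) or the DNS ACL blocks the name, CNA pops up.
"""
import urllib.error
import urllib.request

PROBE_URL = "http://captive.apple.com/hotspot-detect.html"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect to a portal is exactly what we want to see."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for the 3xx instead


def classify(status, body):
    """Return 'open', 'captive' or 'unreachable' for one probe response.

    status: HTTP status code (int) or None when the request failed outright.
    body:   decoded response body.
    """
    if status is None:
        return "unreachable"      # DNS blocked or no route: CNA will pop up
    if 300 <= status < 400:
        return "captive"          # redirected to a web-auth / ISE portal
    if status == 200 and "Success" in body:
        return "open"             # genuine Apple page: CNA is suppressed
    return "captive"              # some other intercepted page


def probe(url=PROBE_URL, timeout=5):
    """Run the probe from this host and classify what comes back."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.getcode(), resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:          # 3xx/4xx/5xx from a portal
        return classify(err.code, err.read().decode(errors="replace"))
    except (urllib.error.URLError, OSError):       # DNS failure, timeout, reset
        return classify(None, "")


if __name__ == "__main__":
    print(probe())
```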
Separate Auto-Anchor WLAN
If the BYOD WLAN exists only on the foreign controller and the guest WLAN is auto-anchored to the DMZ controller, one can enable controller-wide captive bypass on the foreign controller while leaving it disabled on the anchor controller. This lets guests use Apple CNA while it is suppressed for every foreign-managed WLAN, including the BYOD WLAN.
Can be enabled per WLAN
Can use any version of WLC or ISE
Requires a separate controller that supports anchoring; vWLC does not support anchoring
Requires a controller reset on the foreign controller for the change to take effect