When Apple CNA is activated the ISE BYOD cannot be completed due to limitation of the CNA browser. While WLC can be configured to suppress Apple CNA via ‘config network web-auth captive-bypass enable’, it enforces the feature controller-wide affecting all WLANs that the controller manages. This ended up forcing customers to choose between supporting ISE BYOD or guest with Apple CNA enabled. This document describes few options in terms of dealing with Apple CNA issue when using both ISE guest and BYOD on the same wireless controller.
WLC controller-wide captive-bypass
From the WLC CLI, run ‘config network web-auth captive-bypass enable’, then save & reset the controller
8.4 and above, from the WLC GUI, go to the CONTROLLER > General, select 'Enabled' for Captive Network Assistant Bypass (Requires WLC reload)
Works with all versions of WLC & ISE including Converged Access
Requires controller reset after the command
The setting applies controller wide; if the controller is servicing both guest and BYOD WLAN, then CNA browser will be suppressed for both WLANs
Create separate redirect ACL for BYOD portal and Guest portal on the WLC. Only difference is that BYOD ACL allows access to ‘captive.apple.com’ in the DNS ACL while guest portal doesn’t. When the clients connect to BYOD WLAN, the Apple CNA is suppressed thinking it is on the Internet as it can reach the captive.apple.com and gets proper response.
Can be enabled per ISE portal
Works with all versions of ISE
Requires WLC 7.6+ for DNS-ACL feature; also dependent upon the AP model and AP/WLAN mode for DNS-ACL feature to work.
FlexConnect local switching utilizes FlexConnect ACL which support DNS-ACL starting with 8.7.
Not supported with Anchored WLAN
Occasionally few users may still get Apple CNA on BYOD WLAN
Does not work with converged access
Separate Auto-Anchor WLAN
If BYOD WLAN is only on foreign, and the guest WLAN is being auto-anchored to the DMZ controller. One can enable controller wide captive bypass on the foreign, while disabling it on the anchor controller. This allows the guest to leverage the Apple CNA, while it is suppressed for any of the foreign managed WLAN including BYOD WLAN.
Can be enabled per WLAN
Can use any version of WLC or ISE
Requires separate controller which supports anchoring; vWLC does not support anchoring
Requires controller reset for the foreign to take affect
Hi All, Would like some configuration guide on the attached setup for the cisco asa anyconnect behind another firewall. The perimeter firewall will have public IP address natted to the cisco asa interface (using private ip address). However, in this ...
Hello All, I am facing issue in Cisco ISE for Wired Users and would like to get your help. Below are the details 1. We are using ISE version 2.7. 2. Two different series of Cisco Switches 2960x and 9200 3. No issue faced by users who a...