This document explains support for the Apple mini-browser for use in BYOD/Guest Flows using ISE 2.2. ISE has official support for Apple iOS and macOS to use with Guest and BYOD in ISE 2.2 and later. Some of these examples talk about using DNS based ACLs with your REDIRECT_ACL so be sure you WLC supports this.
CSCuv74219CSCus61445 - DNS-based ACL does not work. The bug is fixed 188.8.131.52 and 184.108.40.206 (check other versions as well)
If you want to have seamless flow for guests using mini-browser along with BYOD on the same controller then you can use one of the following options:
8.4 code will allow per WLAN captive portal bypass, see below
Dual SSID flow (open network for guests and employee BYOD), allows open network with mini-browser for guest/byod and then suppressed mini-browser in the BYOD flow
Single SSID BYOD - Use DNS based ACLs for the ACL_BYOD_REDIRECT and add URL captive.apple.com, ACL_GUEST_REDIRECT will redirect everything except for
8.4+ WLC code
You can have Open Guest network with no suppression (captive portal bypass disabled) of mini-browser and Single SSID network for BYOD suppressing (captive portal bypass enabled) the mini-browser.
Since we now support the mini-browser with ISE 2.2 there is no need to enable captive portal bypass on the controller. The client connects to the guest network and the mini-browser will pop and auto-login.
For single SSID there is no change in the behavior as the client is directed to go through the flow once and understand they must launch the browser. You will want to enable captive portal bypass per the options above or use DNS
I am reading the information contained in the following links:
I'm trying to register a 2nd node into my ISE 2.4 deployment. I get warned that the default self-signed device cert of the other ISE node is being offered and I click accept to trust it anyways. I get the error
Unable to authenticate ISE <2...
Running into an issue when I RDP into a PC, and then establish a VPN connection to a customer's network. The VPN establishes fine, and I remain connected to my RDP session. I start an upload of a large file, and close the RDP session (not logoff). Later I...
how is possible to use SSH via tacacs+ without any crypto keys? How Crypto keys influence AAA login ? Or Are they for local login only?we had replaced some old c3750 with new c3850 switches. Procedure was to copy old config to new switch inclu...
I am trying to figure out if we can initiate a port bounce to a Meraki MS from the ISE Live Sessions logs.
In the Network Device Profiles, the Cisco and Meraki capabilities seem to be the same:
But in live with a C3850 and ...