10-21-2022 08:08 AM - edited 10-21-2022 08:10 AM
Hi
I've seen various discussions about this but none seem to fix my issue.
I have an SSID that redirects perfectly well with Windows and Android. However, Apple devices don't play. I usually get redirected to the login portal and log in successfully. When I look on the WLC the client is in Run state. However, the Apple client never goes to my Success URL or success page. Usually the mini browser just disappears and I am no longer connected to the SSID. Sometimes the mini browser just sits there with a white screen. If I close it and reconnect to the SSID I am on and can browse. This isn't ideal. So I am looking at the captive portal bypass feature. Since this is a Cat9800 and not an AireOS controller it's applied differently. As far as I can see it needs to be applied via a named Web auth parameter map by ticking Captive Bypass Portal. So I do this and the only place I can apply it is in the Layer 3 security section of the SSID. When I do this my non-Apple devices are still OK. On Apple devices the SSID profile is connected and says No Internet access. So I fire up a browser in the hope that it will be intercepted and redirected to my Guest portal but it isn't. Have I missed something in the WLC to get the portal bypass to work?
Thanks, Kev.
10-23-2022 03:49 AM
Never used captive-bypass-portal before myself so can't comment on how well that does or doesn't work, but presumably you'd rather have the captive portal working correctly?
What version of software are you using?
Have you run debug/packet capture/radioactive trace on a client experiencing the problem?
Are you using valid public certificates for your portal(s) which match the DNS FQDN of the site?
How do your configs look at the moment?
10-23-2022 09:59 AM
Rich, Arshad
I am only in a lab environment so I don’t have a public certificate for the splash page. I use one generated by one of our internal CAs but will install a public one in the live solution. I have run a radioactive trace on the client but it produces a lot of output which is very time consuming and difficult to plough through without knowing what I’m looking for. What I can see is the redirect URL being sent back but as far as I can see in those lengthy logs that gets repeated with nothing else to give me a clue as to what the client is doing. I do redirect to a URL which is resolvable by our DNS and as a test I have applied a static IP to the Authz profile on ISE. I am running IOS-XE 17.7.1 and ISE 3.1 patch 1, I think.
Thank you for your input, Kev.
10-23-2022 05:07 PM
If iOS doesn't trust your cert, which it won't unless you've installed your CA as trusted, then it won't pop up the portal, plain and simple.
Unless you have a very specific reason you shouldn't ideally be using 17.7.1 - it's a short-lived release which won't get any bug fixes. Think about using an extended support release - 17.6.4 or 17.9.1 (17.9.2 should be out soon). Refer to the TAC recommended releases link in my signature.
10-23-2022 06:32 AM
What is the code you are running? Do you have HTTP enabled under the web auth parameter map or the ip http server?
If captive portal bypass is enabled, the APPLE device will completely ignore its captive portal detection mechanism (the WLC replies to the APPLE device with expected parameters, so the APPLE device thinks there is no captive portal). This is recommended when you have CWA or any 3rd party captive portal integration in place. Keep in mind, here APPLE will not auto prompt the mini browser.
If you disable captive portal bypass, then the WLC will not intercept the captive portal detection mechanism of the APPLE device. So by default, you will be prompted with the portal using the APPLE mini browser.
I personally prefer keeping it disabled as it provides a good experience to the user, rather than manually opening the web browser. But if you really need to get the redirection URLs working, I would prefer to have it enabled.
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 192.0.2.1
 virtual-ip ipv6 2001:DB8::1
 webauth-http-enable
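Added example, not part of the thread and not Cisco code: a small Python diagnostic that classifies what a guest SSID returns to a captive-portal probe, so you can tell a redirect (mini browser would open) from a spoofed "Success" answer (bypass behaviour described above). The probe URL and the "Success" body are assumptions about Apple's detection probe; `portal.example.test` and the sample responses are constructed.

```python
# Added example (not from the thread): classify what a guest network returns
# to a captive-portal probe, to see whether the WLC redirects or spoofs it.
import urllib.error
import urllib.request

# Assumption: Apple's plain-HTTP probe URL; its genuine answer contains "Success".
PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
REDIRECTS = (301, 302, 303, 307, 308)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of following it

def classify(status, headers, body):
    """Return (verdict, detail) for one probe response."""
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if status in REDIRECTS and location:
        return "captive", location      # intercepted: mini browser would open here
    if status == 200 and "success" in body.lower():
        return "open", None             # genuine or bypass-spoofed: no mini browser
    if status == 200:
        return "captive", None          # portal content served in place of the probe
    return "unknown", None

def probe(url=PROBE_URL, timeout=5):
    """Send one probe from a client on the SSID under test (needs that network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return classify(r.status, dict(r.headers), r.read(4096).decode("latin-1"))
    except urllib.error.HTTPError as e:  # unfollowed 3xx lands here
        return classify(e.code, dict(e.headers), e.read(4096).decode("latin-1"))
    except OSError:                      # DNS failure, timeout, reset
        return "unknown", None

# Constructed samples; portal.example.test is a placeholder hostname.
SAMPLES = {
    "bypass disabled": (302, {"Location": "https://portal.example.test/guest"}, ""),
    "bypass enabled": (200, {"Content-Type": "text/html"},
                       "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    "portal served inline": (200, {}, "<html><body>Guest login</body></html>"),
    "no answer": (503, {}, ""),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:22} -> {classify(*sample)}")
```

Calling `probe()` from a laptop joined to the guest SSID before authenticating shows which of these cases the controller is actually producing.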