10-11-2021 07:12 AM
Hi,
I have an odd problem where the CWA redirect doesn't work on Win11 clients, but works with Win10, Apple, Android etc. With Win11 clients the user has to open a webpage manually before redirection to the splash page occurs. On other clients it's automatic.
I'm running on the 17.3.4 code with a C9800 controller and ISE PSN on the latest code.
Has anybody had this happen?
10-11-2021 09:29 AM
No Windows 11 'in sight', or you may be in the desert with that (smiley noted)
M.
10-11-2021 09:33 AM
- Actually I need to correct myself, because I only saw this after scrolling down:
Cisco ISE supports Microsoft Windows 11. However, in Client Provisioning and Posture Policy workflows, Windows 11 is currently not available as an Operating System option. To configure a policy for Microsoft Windows 11 users, from the Operating Systems drop-down list, choose Windows All until Windows 11 is displayed as an option in the Client Provisioning and Posture Policy windows in Cisco ISE.
M.
10-11-2021 01:14 PM
Since it is working on Win10, I wouldn't expect this to be a configuration issue. However, you can check what captive portal bypass status is configured in your WLC.
10-13-2021 04:35 AM
Hi,
I'm not sure which parameter-map commands can rectify this issue. Please see my configuration below (this configuration does not make the splash page pop up on Win11 clients). It might also have something to do with the default browser, as we're using Edge:
WLC#sh run | section parameter-map
parameter-map type webauth global
type webauth
virtual-ip ipv4 <IP Adress>
captive-bypass-portal
trustpoint TP-self-signed-xxx
security web-auth parameter-map global
WLC(config)#parameter-map type webauth global
WLC(config-params-parameter-map)#?
pre parameter-map params commands:
banner Banner file or text
captive-bypass-portal Turn on captive bypass
cisco-logo-disable Disable Cisco logo on internal html pages
consent consent parameters
custom-page custom-page - login, expired, success or failure page
exit Exit from parameter-map params configuration mode
http Configure Webauth HTTP Server
intercept-https-enable Enable intercept of https traffic
login-auth-bypass Login Auth Bypass for FQDN
logout-window-disabled Webauth logout window disable
max-http-conns Maximum number of HTTP connections per client
no Negate a command or set its defaults
redirect redirect url
secure-webauth-disable Disable HTTP secure server for Webauth
sleeping-client enable sleeping client for webauth
success-window-disable Disable Success Window
timeout timeout for the webauth session
trustpoint Configure Trustpoint
type type - web-auth, consent or both
virtual-ip Virtual IP Address
watch-list Watch List of webauth clients
webauth-bypass-intercept Configure Webauth bypass intercept
webauth-http-enable Enable HTTP server for Webauth
10-13-2021 10:30 AM
Hi, first there was a critical UDP packet loss bug on all Win11 devices, which was patched by MS in the last update. So please make sure that the latest update is installed. By the way, the configuration looks OK.
10-15-2021 02:30 AM
The splash page pops up instantly when running Win11 clients on the AireOS WLC (8.5-x code on a WiSM module) with an "action needed" message. Both WLCs are using the same ISE PSN servers.
Hence I think the issue is with some parameters on the C9800, but which ones?
Br
Frode
10-15-2021 02:40 AM
I still say you should be using a valid cert.
But if it's working on AireOS but not on 9800 IOS-XE, then I'd be suspicious whether your pre-auth ACLs are correct.
Remember the ACLs on 9800 are the opposite of AireOS, with permits and denies.
10-15-2021 03:08 AM
It works as expected with Win10 on both C9800 and AireOS - the splash screen pops up automatically, while on Win11 I have to open a web browser first to display the splash screen (with C9800).
I've set up the redirect ACL to permit both www/https.
10-15-2021 03:19 AM
So then I think you're at the point where you need to be doing debugs on the WLC with a packet capture on the PC, to see where and why it breaks; that will tell you which is at fault and what needs fixing.
If in doubt, open a TAC case.
10-13-2021 10:59 AM
Is your splash page using a proper domain name with a proper public certificate?
08-23-2022 07:36 AM
Hi, I have the exact same problem with my 9800-40, also running 17.3.4.c. Only Windows 11 machines don't get the CWA. Do you have a solution since?
08-23-2022 07:49 AM
I've got a TAC case open at the moment because we see the WLC sometimes sending a TCP reset to the client instead of the redirect (I've seen it send up to 7 resets in a row). Success for the captive portal popup depends on how much the client retries, which browsers generally do better.
Adding webauth-http-enable in the parameter map seemed to improve things somewhat (although the TAC engineer could not explain why), but we're still seeing resets.
As I always say - get a packet capture - so you can see what is happening at packet level. If you see TCP resets instead of the captive portal redirect then it may be the same problem.
Slight difference in that this is with EWA, so it might not be the exact same problem.
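One way to triage the capture the reply above asks for: a small script (added here, not from the thread or from Cisco) that walks tshark-style one-line packet summaries and, per client, counts how many TCP resets came back on its portal probe and whether an HTTP 3xx redirect ever arrived. The capture text, IP addresses and line format are constructed for the example.

```python
import re

# Constructed sample, written in the shape of tshark one-line summaries (not a real capture).
# 10.1.1.50: two RSTs before the redirect finally arrives (the symptom described above).
# 10.1.1.51: redirect on the first attempt.  10.1.1.52: only a RST, never redirected.
SAMPLE_CAPTURE = """\
1 0.000 10.1.1.50 -> 203.0.113.10 TCP 52344 > 80 [SYN]
2 0.001 203.0.113.10 -> 10.1.1.50 TCP 80 > 52344 [RST, ACK]
3 0.500 10.1.1.50 -> 203.0.113.10 TCP 52345 > 80 [SYN]
4 0.501 203.0.113.10 -> 10.1.1.50 TCP 80 > 52345 [RST, ACK]
5 1.200 10.1.1.50 -> 203.0.113.10 TCP 52346 > 80 [SYN]
6 1.201 203.0.113.10 -> 10.1.1.50 TCP 80 > 52346 [SYN, ACK]
7 1.202 10.1.1.50 -> 203.0.113.10 HTTP GET /connecttest.txt HTTP/1.1
8 1.203 203.0.113.10 -> 10.1.1.50 HTTP HTTP/1.1 302 Found
9 0.000 10.1.1.51 -> 203.0.113.10 TCP 40001 > 80 [SYN]
10 0.001 203.0.113.10 -> 10.1.1.51 TCP 80 > 40001 [SYN, ACK]
11 0.002 10.1.1.51 -> 203.0.113.10 HTTP GET /connecttest.txt HTTP/1.1
12 0.003 203.0.113.10 -> 10.1.1.51 HTTP HTTP/1.1 302 Found
13 0.000 10.1.1.52 -> 203.0.113.10 TCP 41000 > 80 [SYN]
14 0.001 203.0.113.10 -> 10.1.1.52 TCP 80 > 41000 [RST, ACK]
"""

# frame  time   src -> dst  proto  info
LINE_RE = re.compile(r"^\d+\s+[\d.]+\s+(\S+) -> (\S+)\s+(TCP|HTTP)\s+(.*)$")


def triage_redirects(capture_text):
    """Per client: total RSTs received, longest run of RSTs, and whether a 3xx redirect arrived."""
    stats, streak = {}, {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, info = m.groups()
        if proto == "TCP" and info.endswith("[SYN]"):
            # A bare SYN identifies the client side of the portal probe.
            stats.setdefault(src, {"resets": 0, "max_consecutive_resets": 0, "redirected": False})
            streak.setdefault(src, 0)
            continue
        if dst not in stats:
            continue  # only packets flowing back to a known client matter here
        if proto == "TCP" and "[RST" in info:
            stats[dst]["resets"] += 1
            streak[dst] += 1
            stats[dst]["max_consecutive_resets"] = max(stats[dst]["max_consecutive_resets"], streak[dst])
        elif proto == "HTTP" and re.search(r"\b30[1237]\b", info):
            stats[dst]["redirected"] = True
            streak[dst] = 0
    return stats


def suspects(stats, threshold=2):
    """Clients that saw `threshold` or more resets in a row, or never got redirected."""
    return sorted(ip for ip, s in stats.items()
                  if s["max_consecutive_resets"] >= threshold or not s["redirected"])
```

Feed it real `tshark` output in the same field order (frame, time, src, dst, proto, info) to compare a Win10 and a Win11 client side by side.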
09-12-2022 10:49 AM
Update on my situation:
I did not change any configuration in Cisco ISE or on the WLC 9800. I've installed another version of Windows 11, 21H2 build 22000.856, and everything works well for my clients. So basically Microsoft did something in the initial release of Windows 11. Try it out and tell me if this works for you.