Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
821
Views
1
Helpful
5
Replies

Interesting issue with Apple devices and Portal

Go to solution
u2637ps
Level 1
Level 1

‎03-12-2025 02:39 PM

Environment

9800 wlc 17.9.6

Portal is set up for Guest access.

Portal works for Windows machines and Android devices with no issue. It just fails for Apple Mac's and Iphones. It fails when trying to get to the portal designated by external DNS. On the Apple if you add a host file entry to the portal it works fine. Used Safari Chrome and Firefox all have the same issue

Test Mac is running Mac OS 15 

When it is not working and i go to a terminal prompt and do a nslookup it retrieves the right address for the portal

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rich R
VIP
VIP
In response to u2637ps

‎03-19-2025 04:59 PM

I wasn't saying you should redirect to an IP - you should still be redirecting to a FQDN DNS name which matches your certificate, but that FQDN should not resolve to 1.1.1.1 and the IP traffic to that IP should be allowed by the ACL and not redirected.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Haydn Andrews
VIP
VIP

‎03-12-2025 04:25 PM

what happens on apple if u try and browse to http://neverssl.com does it trigger the portal?

without the host file is nslookup working?

Is this portal on the WLC or via ISE?

Do you have a public certificate for the portal loaded?

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Go to solution
u2637ps
Level 1
Level 1
In response to Haydn Andrews

‎03-12-2025 05:07 PM

Hi the portal has a public cert. We have made a breakthrough though that I will test when I am in the office next. In the preauth acl we added access to captive.apple.com. When our test user on a browser did 1.1.1.1 the portal came up. We will test next week to see if we can force the logon to come up by adding that as a step before bringing up the signon portal url. We also need to check other versions of IOS

 

0 Helpful

Go to solution
Rich R
VIP
VIP
In response to u2637ps

‎03-19-2025 05:40 AM

You must not allow captive.apple.com in the redirect/intercept ACL because that is exactly what needs to be redirected to the captive portal!  The ACL should only be allowing DHCP, DNS and your captive portal.
See https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217457-configure-and-troubleshoot-external-web.html#toc-hId-306862272 Step 4 for example ACLs.

Also note that you must NOT use 1.1.1.1 for the WLC virtual IP - Cisco stopped recommending that years ago because it is now a valid public internet IP.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213535-wlc-virtual-ip-address-1-1-1-1.html
Use the other recommended subnets or your own registered (but not routable) public IP.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/web-authentication/b-configuring-web-based-authentication-on-cisco-catalyst-9800-series-controllers/m-external-web-authentication-configuration.html#Cisco_Task.dita_3b9b7765-...

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Go to solution
u2637ps
Level 1
Level 1
In response to Rich R

‎03-19-2025 02:50 PM

Thanks for that as we use an external certificate I will wait until it renews to add the appropriate SAN to allow me to redirect via IP.

Thanks

0 Helpful

Go to solution
Rich R
VIP
VIP
In response to u2637ps

‎03-19-2025 04:59 PM

I wasn't saying you should redirect to an IP - you should still be redirecting to a FQDN DNS name which matches your certificate, but that FQDN should not resolve to 1.1.1.1 and the IP traffic to that IP should be allowed by the ACL and not redirected.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card