
WLC and ISE Captive portal with IOS devices

Males
Level 1

Hi

 

I am running into a strange issue and before I open a ticket on the matter with TAC, I thought I'd ask the community for hints as to what may cause the problem.

I have a hotspot-style captive portal configured and it works fairly well with an iPhone 7+, a Windows laptop, a Mac laptop and Android devices of all kinds.

I also happen to have an iPhone 5 and an iPhone 7, which won't work "AT ALL". That is to say that I can see that the URL redirection works, but the CNA doesn't open, and no other URL will redirect to the portal. I even tried pasting the URL my WLC says it's sending to the client and it will not load.

It's not a DNS issue because I get this even if I try an IP.

It's not because it can reach the CNA's Apple URL, because it cannot (I tried it on the device, and remember I also have an iPhone 7+ which works...)

 

I am running ISE 2.3 p1, and 8540s under 8.2 MR7.

I can see that the client is assigned the redirect regardless of platform.

However, on the IP5 and IP7, the CNA will not open. Copying and pasting the URL will not work either.

 

Out of ideas...help?

Tried something with an IP, or replacing the DNS name of the PSN with the IP, to no avail.

 

4 Replies

ammahend
VIP Alumni

I am not sure what the solution is, but it points to an MTU issue; I had a similar issue. Will it be possible for you to adjust the MTU and test it out?

Since APs do not support jumbo frames, in a test environment try setting it to max supported size on your respective AP.

-hope this helps-

Hi

Thank you for your answer. The thing that makes me doubt it has to do with MTU is that it works with iPhone 7+, but not iPhone 7.

Also read a lot of contradictory information about whether or not to have captive-bypass detection disabled or enabled.

 

 

Hi Males

 

You mention the iPhone models but not what version of iOS they are running.

A common problem with all captive portals is progressively increasing security levels on browsers and operating systems.

1. Captive portals often rely on self-signed certificates which can be a problem

2. When a captive portal is redirected from an HTTPS page, most OSes and browsers will now block that because the certificate doesn't match the original domain.

Since you say you can't even open the redirect URL directly that suggests 2 is not the problem but 1 could still be.

So:

- Compare iOS versions

- Compare any/all security settings in iOS and browser, and try different browsers as some give more detailed messages about why they've blocked something (and turn off 'friendly' error messages if that is an option because it hides the real error).  Sometimes it can even be because some of the content in the page is not secure.

- Make sure your portal is using a valid public certificate not a self-signed cert.

- Sometimes doing a Reset all settings magically fixes strange problems like these on iPhones.

 

Hope this helps ...

Rich
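
Added example, not part of the thread: a Python sketch of the certificate checks raised in the reply above (self-signed portal certificate, name in the redirect URL not covered by the certificate), including the case where the portal's DNS name in the URL is swapped for an IP address. The URLs, hostnames, port and certificate dictionaries are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; they are not values from this deployment.

```python
import ipaddress
import ssl
from urllib.parse import urlsplit

def san_matches(host, san):
    """Match the URL host against subjectAltName entries only (no CN fallback)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            # An IP literal in the URL can only match an "IP Address" SAN entry.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            pattern, name = value.lower(), host.lower()
            if pattern == name:
                return True
            # A wildcard covers exactly one left-most label.
            if pattern.startswith("*.") and "." in name and name.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def portal_cert_problems(redirect_url, cert, now):
    """Return the reasons a strict client would reject `cert` for `redirect_url`."""
    host = urlsplit(redirect_url).hostname
    problems = []
    if cert["subject"] == cert["issuer"]:  # heuristic: issued by itself
        problems.append("self-signed")
    if not san_matches(host, cert.get("subjectAltName", ())):
        problems.append("name mismatch for " + host)
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    return problems

# Constructed sample data (hypothetical portal node psn.example.net).
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2018 GMT")
_PSN = ((("commonName", "psn.example.net"),),)
SELF_SIGNED = {"subject": _PSN, "issuer": _PSN,
               "subjectAltName": (("DNS", "psn.example.net"),),
               "notAfter": "Jan  1 00:00:00 2020 GMT"}
PUBLIC = {"subject": _PSN, "issuer": ((("commonName", "Example Public CA"),),),
          "subjectAltName": (("DNS", "psn.example.net"), ("DNS", "*.guest.example.net")),
          "notAfter": "Jan  1 00:00:00 2020 GMT"}

if __name__ == "__main__":
    for url in ("https://psn.example.net:8443/portal/", "https://192.0.2.10:8443/portal/"):
        print(url, portal_cert_problems(url, PUBLIC, NOW))
```

Run against the certificate actually served on the portal port, the same checks show whether the name in the redirect URL the WLC hands out is one the certificate covers.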

Perform a capture and see if you are getting a lot of retransmissions; that might be an indication of what I am suspecting here.

-hope this helps-