CNA has been disabled in Aruba side, we found client cannot complete ssl handshake with ISE via mini-browser. If use other browser safari/firefox, it's OK. Comparing ssl server hello packets between two scenario, did not find Aruba modified ssl packets.

Assuming you’re using ISE 2.2?

I have used self-signed certs with mini browser and guest and worked fine on apple ios but haven’t tried my MAC recently

I would suggest to move forward with TAC case to further troubleshoot.

Hi Jason,

Did you use Aruba WLC in your test? If yes, do you have configuration for reference? and what version?

Thanks

DL

No, please work with the tac and Aruba team

Yeah, this is obviously well documented at this point.  ISE authentication that invokes Apple CNA has been broken on all versions of ISE, to include 2.2, 2.3, and 2.4.  Closing the CNA popup (AKA mini-browser) and opening Safari or another browser on iOS devices will allow for successful onboarding / login experiences.  This appears to have begun to be an issue around iOS 11.3 - 11.6 and remains an issue all the way to iOS 12.  Several bug IDs have been generated over the last year without a "fixed-in" release to date.  All work-arounds to date are related to making changes to suppress the Apple CNA trigger on the users' iOS devices, which is obviously not viable on guest and large venue environments.  We have been able to reproduce this, with Cisco ISE engineers onsite, both on ISE 2.3 patch 5 and ISE 2.4 patch 3.  I should add, the break appears to be on the Apple CNA side, but the ownership for driving Apple to a fix also fall on Cisco, given the Apple/Cisco advertised enterprise relationship that both companies tout.  I am sure they will work this out, but being that it has been a year, things aren't looking satisfactory for either company's efforts.