
Cisco ISE CWA with Captive Portal Detection and DHCP Option 114

joshhunter
Level 4

Hello, does the Cisco ISE solution work with Captive Portal Detection Option 114 to modernise the Captive Portal Detection process on Apple iOS devices that support iOS 14+? See the Apple article below:

https://developer.apple.com/news/?id=q78sq5rv

On the Cisco Meraki support pages,

https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_with_Cisco_ISE

Disabling CNA will require that users manually open their web browser before being presented with the splash page. Applications on the user's device that require Internet connectivity will not function as expected until the user has opened their web browser and completed authentication via the splash page. If your network contains Apple devices running iOS 14/macOS Big Sur and newer operating systems, DHCP option 114 can be leveraged instead of Apple's legacy Captive Portal networks. For additional info, please see Apple's How to modernize your captive network documentation.

 


joshhunter
Level 4

One of the reasons for asking is that I am finding the Captive Portal Detection process to be rather slow, taking around 10 seconds.

This is using the traditional method of the HTTP GET request sent from the Apple iOS device to

http://captive.apple.com/hotspot-detect.html

 

joshhunter
Level 4


I failed to see this as an ISE feature. I would see this as a DHCP server / client feature. When it comes to the guest portal, the ISE will act as a web site where you hit, you present your credentials, the credential is validated against some kind of checker and the access is granted or denied.

The option 114, therefore, happened way before all this process. In a guest network, first the client gets the IP address and later it will be authenticated.

As I could read in the documentation, this is just a faster way to receive the Guest portal URL instead of using the traditional intercept method used so far for the Wireless Controller.

"

2.  The Captive-Portal Option

   The Captive-Portal DHCP/RA Option informs the client that it may be
   behind a captive portal and provides the URI to access an API as
   defined by [RFC8908]"

@Flavio Miranda  Thank you for your reply. I understand this is a DHCP Option and not ISE Specific. However, the DHCP Option needs to point to a URI. We know that URI for Cisco ISE is dynamic and contains the session ID.

My question is if anyone has got DHCP Option 114 to work with Cisco ISE Central Web Auth?

 

That makes it a totally different question. But it makes sense now.

Since the WLC manages the portal intercept for the traditional guest portal, I would say the WLC should handle this. I don't see any Cisco WLC handling this option.

 

Why not add op114 to DHCP?

MHM

Well, you add the Option 114 DHCP string but it must point to a JSON API; there is a question of where this should be hosted.

Then, another question as to what the string should contain, as the user portal URL is dynamic based on session ID.

{ "captive": true, "user-portal-url": "https://example.org/portal.html" }

I think op114 must include the portal of ISE 
MHM
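
For reference, the two formats discussed above, as an added example that is not from any poster, Cisco or Apple: the DHCPv4 option 114 bytes (RFC 8910) and a check of the JSON that the Captive Portal API (RFC 8908) returns. The host name `capport.example.org` is a placeholder, and the code does not address how ISE's session-specific portal URL would be supplied.

```python
import json
from urllib.parse import urlsplit

OPTION_CAPTIVE_PORTAL = 114  # DHCPv4 option code assigned by RFC 8910
# RFC 8910 value that tells clients the network has no captive portal.
UNRESTRICTED_URN = "urn:ietf:params:capport:unrestricted"

# Constructed sample values: the host name is a placeholder, and the JSON body
# is the one quoted in the thread above.
SAMPLE_API_URI = "https://capport.example.org/api"
SAMPLE_BODY = '{ "captive": true, "user-portal-url": "https://example.org/portal.html" }'


def encode_option_114(api_uri: str) -> bytes:
    """Build the DHCPv4 option TLV: code, length, URI (no NUL terminator)."""
    if api_uri != UNRESTRICTED_URN:
        parts = urlsplit(api_uri)
        # RFC 8908 requires the API endpoint to be reached over HTTPS.
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("Captive Portal API URI must be an https:// URL")
    value = api_uri.encode("ascii")
    if len(value) > 255:
        raise ValueError("URI does not fit in a single DHCPv4 option")
    return bytes([OPTION_CAPTIVE_PORTAL, len(value)]) + value


def parse_api_response(body: str) -> dict:
    """Check an RFC 8908 JSON body the way a cautious client would."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or not isinstance(doc.get("captive"), bool):
        raise ValueError('"captive" is required and must be a boolean')
    portal = doc.get("user-portal-url")
    if portal is not None:
        # The user portal must also be served over TLS.
        if not isinstance(portal, str) or urlsplit(portal).scheme != "https":
            raise ValueError('"user-portal-url" must be an https:// URL')
    return {"captive": doc["captive"], "user_portal_url": portal}


if __name__ == "__main__":
    print(encode_option_114(SAMPLE_API_URI).hex())
    print(parse_api_response(SAMPLE_BODY))
```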

joshhunter
Level 4

Hello, any updates on this one?

I am keen to improve the Captive Portal detection process; using Option 114 looks to be a good way of doing this.