Apple CNA (Captive Network Assistant, AKA Apple mini browser) is a Apple iOS feature that allows a browser like window to pop-up whenever network access is needed and the CNA determines that the network requires user interaction to gain full network access. This typically happens when the user associates to an open wireless LAN and even though an IP address is provided to the device, the network still restricts the user to take further actions, such as accepting an AUP, providing a shared password, or logging in as a guest user. This enhances user experience as it saves the user from manually opening up a Safari browser window. It also provides assistance even during non-initial association to the WLAN. For instance, if the endpoint device goes into sleep mode and the session is torn down on the WLC and subsequently the user tries to use a non-web browser application that requires network connectivity, the iOS device can sense that the device is in captive portal state and pop-up the mini browser for user to take further action to gain network access. As one can see having the iOS CNA feature operate on a guest network is a good idea, however, when BYOD is enabled on the same WLAN, as is the case with ISE dual-SSID flow, the CNA breaks the ISE BYOD process. One of the reason for that is due to ISE BYOD process forcing the CNA mini browser to go into the background as it asks the end user to accept the iOS profiles, which includes CA certificate and enrollment package, and when the CNA mini browser is moved to the background it immediately disconnects the device from the WLAN, which in turn breaks the BYOD process.
Prior to ISE 2.2, the ISE was setup to warn the user that the browser is not supported and user had no easy way aside from reporting it to the network administrator and subsequently the administrator had to enable captive bypass on the WLC which disabled the pop-up of the CNA mini browser on the controller level. Unfortunately, the captive bypass feature on WLC 8.3 and below required to be ran controller wide, which meant that all of the WLANs that the controller was servicing disabled the apple CNA. Cisco ISE version 2.2 is the first version to support Dual-SSID BYOD flow through Apple CNA. This document explains how to configure the ISE and Cisco WLC to provide Dual-SSID BYOD even when the captive portal bypass feature is disabled on the WLC. For other options on how to deal with Apple CNA, please go to: Dealing with Apple CNA (AKA Mini browser) for ISE BYOD
This document will leverage pre-defined policy rules and elements for dual SSID BYOD configuration. Also, this document assumes that the WLC is already configured with baseline WLC configuration for ISE. For more information on the baseline WLC ocnfiguration please refer to: How To: Universal Wireless Controller (WLC) Configuration for ISE
Cisco WLC 7.6+ for DNS ACL feature; not possible with FlexConnect local switching WLAN as DNS ACL is not supported for locally switched traffic
Note: If running WLC 8.4+ code then the captive portal bypass can be enabled per WLAN instead of globally. It still does not allow administrator to use a single WLAN for both CNA enabled guest access and employee BYOD, but allows them to enable captive portal bypass selectively per WLAN instead of controller wide.
If previously enabled, go to the CLI of the WLC and disable captive portal bypass by running 'config network web-auth captive-bypass disable'
Reset system for the settings to take affect
Create Additional ACL for Apple iOS devices to provide ‘Done’ on the CNA mini browser (Note: This ACL provides full network access for the endpoint temporarily during BYOD process. This is necessary to suppress Apple CNA)
Go to WLC GUI and navigate to SECURITY > Access Control Lists > Access Control Lists
Click 'New...' in the upper right corner
Name the new ACL ' ACL_APPLE_CNA'
Add Deny any IP traffic to 126.96.36.199/255.255.255.255
Add Permit any IP traffic to any
Example shown below
Perform Posture Update (Required for ISE to recognize the OS)
Go to ISE GUI and navigate to Administration > System > Settings
On the left hand menu, click on Posture > Updates
Click on 'Update Now' (Will take about 20 minutes to update, you can navigate away and perform rest of the steps below)
Configure Guest portal to provide BYOD for employee users
Go to ISE GUI and navigate to Work Centers > Guest Access > Portals & Components
Click on the 'Self-Registered Guest Portal (default)' (Or the portal that is going to be used for dual-SSID BYOD flow)
Click on 'BYOD Settings' and enable 'Allow employees to use personal devices on the network' option
Create Additional Authorization profile to redirect any traffic that matches destination of 188.8.131.52
Navigate to Policy > Results > Authorization > Authorization Profiles
Click 'Add' to add a new AuthZ profile
Enter 'NSP_Apple_CNA' as name
Under Common Tasks section check 'Web Redirection (CWA, MDM, NSP, CPP)' and select Centralized Web Auth, enter 'ACL_APPLE_CNA' for ACL, and select 'Self-Registered Guest Portal (default)' from the list
Create Authorization policy rule for Apple iOS device
Navigate to Policy > Authorization
Insert a New Rule Above the 'Wifi_Redirect_to_Guest_Login' and create a policy rule named 'Employee_Onboarding_Apple_CNA'
For the condition of the rule, select 'Add Condition from Library' and then select Compound Conditions > Wireless_MAB
Add another condition using 'Add Attribute/Value' and then select Sessions > BYOD-Apple-MiniBrowser-Flow, select 'Equals' then 'Yes'
For the Permissions, select 'Standard' > 'NSP_Apple_CNA'
Click 'Done' for the policy rule
Click 'Save' on the bottom to save the policy
ISE Live Log:
User associates to open SSID and ISE assigns 'Cisco_WebAuth' Authorization Profile that redirects any web request to ISE WebAuth portal page
User enters employee user ID ' employee1' and password on the WebAuth portal
A successful login triggers CoA (Change of Authorization)
After CoA endpoint is assigned 'NSP_Apple_CNA' which permits temporary web access so the Apple CNA is no longer enforced. At this stage only traffic to 184.108.40.206 is redirected and used to guide user through BYOD process using full browser
Once BYOD process is completed, user connects to secured SSID and gets 'PermitAccess' Authorization Profile