This document explains support for the Apple mini-browser for use in BYOD/Guest Flows using ISE 2.2. ISE has official support for Apple iOS and macOS to use with Guest and BYOD in ISE 2.2 and later. Some of these examples talk about using DNS based ACLs with your REDIRECT_ACL so be sure you WLC supports this.
CSCuv74219CSCus61445 - DNS-based ACL does not work. The bug is fixed 184.108.40.206 and 220.127.116.11 (check other versions as well)
If you want to have seamless flow for guests using mini-browser along with BYOD on the same controller then you can use one of the following options:
8.4 code will allow per WLAN captive portal bypass, see below
Dual SSID flow (open network for guests and employee BYOD), allows open network with mini-browser for guest/byod and then suppressed mini-browser in the BYOD flow
Single SSID BYOD - Use DNS based ACLs for the ACL_BYOD_REDIRECT and add URL captive.apple.com, ACL_GUEST_REDIRECT will redirect everything except for
8.4+ WLC code
You can have Open Guest network with no suppression (captive portal bypass disabled) of mini-browser and Single SSID network for BYOD suppressing (captive portal bypass enabled) the mini-browser.
Since we now support the mini-browser with ISE 2.2 there is no need to enable captive portal bypass on the controller. The client connects to the guest network and the mini-browser will pop and auto-login.
For single SSID there is no change in the behavior as the client is directed to go through the flow once and understand they must launch the browser. You will want to enable captive portal bypass per the options above or use DNS