Content
This document explains support for the Apple mini-browser for use in BYOD/Guest Flows using ISE 2.2. ISE has official support for Apple iOS and macOS to use with Guest and BYOD in ISE 2.2 and later. Some of these examples talk about using DNS based ACLs with your REDIRECT_ACL so be sure you WLC supports this.
CSCuv74219 CSCus61445 - DNS-based ACL does not work. The bug is fixed 8.0.121.0 and 8.2.100.0 (check other versions as well)
Cisco Wireless Controller Captive Portal Bypass Options
< 8.4 WLC code
Enable captive portal bypass for the whole controller as described in Cisco Wireless Controller Configuration Guide, Release 8.4 - WLAN Security [Cisco Wireless LAN Controller Software]. This will suppress the apple pseudo browser (Captive Network Assistant) from popping up for any WLAN on that controller. This will need to be enabled in the single SSID flow for BYOD. If this is enabled it will suppress the mini-browser for guest flows.
If you want to have seamless flow for guests using mini-browser along with BYOD on the same controller then you can use one of the following options:
- 8.4 code will allow per WLAN captive portal bypass, see below
- Dual SSID flow (open network for guests and employee BYOD), allows open network with mini-browser for guest/byod and then suppressed mini-browser in the BYOD flow
- Single SSID BYOD - Use DNS based ACLs for the ACL_BYOD_REDIRECT and add URL captive.apple.com, ACL_GUEST_REDIRECT will redirect everything except for
8.4+ WLC code
You can have Open Guest network with no suppression (captive portal bypass disabled) of mini-browser and Single SSID network for BYOD suppressing (captive portal bypass enabled) the mini-browser.
Guest Access
Since we now support the mini-browser with ISE 2.2 there is no need to enable captive portal bypass on the controller. The client connects to the guest network and the mini-browser will pop and auto-login.
BYOD
Single SSID
For single SSID there is no change in the behavior as the client is directed to go through the flow once and understand they must launch the browser. You will want to enable captive portal bypass per the options above or use DNS
Resources