ISE CWA redirection problem for Apple devices

Unanswered Question
Nov 14th, 2014

Hi,

I'm testing some guest scenarios (CWA) in my lab using ISE 1.3 and WLC 2504 (7.6.130).

I have noticed that redirection to the ISE portal doesn't work for Apple devices (iOS 7 and later). All other devices like laptops, Androids etc. work fine.

It seems that the workaround on the WLC that bypasses the CNA on iDevices doesn't work in my case. The device tries to open the ISE portal and shows just a blank page (attached photo).

The problem doesn't appear for devices with iOS 6 but only for newer versions.

I've also tried with version 8.0 on WLC without success.

 

Any advice?

Regards. 

 

jan.nielsen Fri, 11/14/2014 - 18:50
You are using a local certificate for a guest portal? That will certainly give you problems; other than that I don't see why it shouldn't work.

Kamran Mustafayev Tue, 01/20/2015 - 21:59
It's a problem of AirOS of the WLC, they just don't support HTTPS redirection; "redirection" works only on some browsers like Internet Explorer or Safari for Windows.

nspasov Mon, 11/17/2014 - 20:42
User Badges:
  • Cisco Employee,
  • Cisco Designated VIP,

    2017 AAA, Identity and NAC Security

Hello Christos-

I have a few questions/comments:

- The mechanics around the captive portal were changed in iOS 7 and later. As a result, a Cisco-related defect (CSCuj18674) was filed. I have personally hit this issue before and had to upgrade. I do believe that this issue was fixed in version 8.x so it is possible that this is not what you are dealing with; however, it is worth checking with Cisco TAC.

- Can you confirm that after you upgrade to version 8.x you still have the following command entered in the WLC: config network web-auth captive-bypass enable (controller reload needed to take effect)

 

Thank you for rating helpful posts!

Christos Stefaneskou Tue, 11/18/2014 - 07:28

Hi,

Jan, I'm using the default self-signed certificate. I have ordered a 3rd party certificate and I'll do the tests as soon as I receive it.

Neno, the same issue appears with version 8.0 and the bypass command enabled.

It's very strange that I cannot ping the DNS server and the portal name although the redirection ACL permits traffic to DNS and ISE.

DNS and ACL are properly configured since all other devices work without any issue.

 

Regards

 

nspasov Tue, 11/18/2014 - 11:45
User Badges:
  • Cisco Employee,
  • Cisco Designated VIP,

    2017 AAA, Identity and NAC Security

I would definitely ping Cisco and confirm if the version of code that you are running addresses the bug I posted. 

You can also post a screen shot of your redirection ACL but if it is working for other devices I doubt the issue is there. Nonetheless, we can still take a look at it. 

Venkatesh Attuluri Wed, 11/19/2014 - 03:59
User Badges:
  • Cisco Employee,

Captive portal/wispr support for apple ios7
CSCuj18674
Description
Symptom:
When attempting to access the Guest Portal with an Apple iOS 7 device while the WLC "Captive Portal Bypass" feature is enabled, the web sheet on the device still appears, preventing the user from continuing the flow.

Conditions:
The Apple device is running Apple iOS 7.

Workaround:
In the ACL on the WLC used for captive portal redirection and exemption of special traffic for the Guest Portal, add exemptions for the IP resources that resolve from "www.appleiphonecell.com" and "captive.apple.com" FQDNs.

IMPORTANT NOTE: These IP addresses are associated with the FQDNs of "www.appleiphonecell.com" and "captive.apple.com" and are subject to change by the entities hosting those domains. If the IP addresses do change, the ACL would need to reflect that.
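
The note above means the exemption list has to be re-checked whenever those FQDNs resolve to new addresses. A drift check for that, as an added example that is not part of the thread or any Cisco tooling; the function names and the hand-copied ACL input format are assumptions, and the sample addresses are constructed from documentation ranges:

```python
import ipaddress
import socket

# FQDNs named in the CSCuj18674 workaround quoted above.
CAPTIVE_FQDNS = ("www.appleiphonecell.com", "captive.apple.com")


def system_resolver(fqdn):
    """Resolve an FQDN to its current IPv4 addresses using the OS resolver."""
    infos = socket.getaddrinfo(fqdn, 80, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def acl_drift(exempt_entries, fqdns=CAPTIVE_FQDNS, resolver=system_resolver):
    """Compare the ACL's exempted hosts/subnets with current DNS answers.

    exempt_entries: IPv4 addresses or CIDR prefixes copied by hand from the
    redirect ACL (hypothetical input format; this does not parse WLC output).
    Returns (missing, stale): resolved IPs not covered by any entry, and
    entries that no longer cover any resolved IP.
    """
    networks = [ipaddress.ip_network(e, strict=False) for e in exempt_entries]
    resolved = {}
    for fqdn in fqdns:
        for ip in resolver(fqdn):
            resolved.setdefault(ipaddress.ip_address(ip), set()).add(fqdn)
    missing = {str(ip): sorted(names) for ip, names in resolved.items()
               if not any(ip in net for net in networks)}
    stale = sorted(str(net) for net in networks
                   if not any(ip in net for ip in resolved))
    return missing, stale


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges), not real Apple IPs.
    sample_dns = {
        "www.appleiphonecell.com": {"192.0.2.10"},
        "captive.apple.com": {"192.0.2.10", "198.51.100.7"},
    }
    sample_acl = ["192.0.2.0/24", "203.0.113.5"]
    missing, stale = acl_drift(sample_acl, resolver=sample_dns.__getitem__)
    print("missing from ACL:", missing)
    print("stale ACL entries:", stale)
```

Run it from a host that uses the same DNS servers as the guest clients, since the answers can differ per resolver.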

Kamran Mustafayev Mon, 01/12/2015 - 09:46

Hi, have you solved this issue?

I'm experiencing the same, used the bypass command, doesn't help.

Ravi Singh Mon, 01/12/2015 - 10:37
User Badges:
  • Cisco Employee,

Could you send me the screenshot from:


>> a. WLC/Monitor/Clients (all details including redirect url)
>> b. WLC/Security/ACL (details for acl)
>> c. ISE auth and authz rules
>> d. ISE Operations/Authentication (details for the authentication which should redirect user to ISE)

Christos Stefaneskou Mon, 01/19/2015 - 05:18

Hi,

Problem solved after configuring my DHCP to provide a domain name to clients.

Works fine with the new WLC software 8.0.100 and iOS 6 and 8.1.2.

 

Regards. 

 


 
