I'm testing some guest scenarios (CWA) in my lab using ISE1.3 and WLC2504 (7.6.130).
I have noticed that redirection to the ISE portal doesn't work for Apple devices (iOS 7 and later). All other devices like laptops, Androids, etc. work fine.
It seems that the workaround on the WLC that bypasses the CNA on iDevices doesn't work in my case. The device tries to open the ISE portal and shows just a blank page (attached photo).
The problem doesn't appear for devices with iOS 6 but only for newer versions.
I've also tried with version 8.0 on WLC without success.
It's a problem of AirOS of WLC; they just don't support HTTPS redirection. "Redirection" works only on some browsers like Internet Explorer or Safari for Windows.
I have a few questions/comments:
- The mechanics around the captive portal were changed in iOS 7 and later. As a result, a Cisco-related defect (CSCuj18674) was filed. I have personally hit this issue before and had to upgrade. I do believe that this issue was fixed in version 8.x, so it is possible that this is not what you are dealing with; however, it is worth checking with Cisco TAC.
- Can you confirm that after you upgrade to version 8.x you still have the following command entered in the WLC: config network web-auth captive-bypass enable (controller reload needed to take effect)?
Thank you for rating helpful posts!
Jan, I'm using the default self-signed certificate. I have ordered a 3rd-party certificate and I'll do the tests as soon as I receive it.
Neno, the same issue appears with version 8.0 and the bypass command enabled.
It's very strange that I cannot ping the DNS server and the portal name although the redirection ACL permits traffic to DNS and ISE.
DNS and ACL are properly configured since all other devices work without any issue.
I would definitely ping Cisco and confirm if the version of code that you are running addresses the bug I posted.
You can also post a screenshot of your redirection ACL, but if it is working for other devices I doubt the issue is there. Nonetheless, we can still take a look at it.
Captive portal/WISPr support for Apple iOS 7
When attempting to access the Guest Portal with an Apple iOS 7 device while the WLC "Captive Portal Bypass" feature is enabled, the web sheet on the device still appears, preventing the user from continuing the flow.
The Apple device is running Apple iOS 7.
In the ACL on the WLC used for captive portal redirection and exemption of special traffic for the Guest Portal, add exemptions for the IP resources that resolve from "www.appleiphonecell.com" and "captive.apple.com" FQDNs.
IMPORTANT NOTE: These IP addresses are associated with the FQDNs of "www.appleiphonecell.com" and "captive.apple.com" and are subject to change by the entities hosting those domains. If the IP addresses do change, the ACL would need to reflect that.
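The workaround quoted above warns that the exempted IP addresses can change. One way to check an ACL for that drift, as an added example that is not part of this thread or of Cisco's tooling; `acl_drift`, its parameters and the sample addresses (documentation ranges) are constructed for illustration:

```python
import ipaddress
import socket

# FQDNs named in the workaround text above.
CAPTIVE_FQDNS = ("www.appleiphonecell.com", "captive.apple.com")

def resolve_ipv4(fqdn):
    """Return the IPv4 addresses the FQDN currently resolves to."""
    infos = socket.getaddrinfo(fqdn, 80, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def acl_drift(permitted, fqdns=CAPTIVE_FQDNS, resolver=resolve_ipv4):
    """Compare the Apple exemptions in a redirect ACL with current DNS answers.

    permitted: IPs or CIDRs copied by hand from the ACL's Apple exemptions
               only (DNS/ISE entries would otherwise be reported as stale).
    Returns (missing, unresolved, stale):
      missing    {fqdn: [resolved IPs no permit entry covers]}
      unresolved [fqdns whose lookup failed]
      stale      [permit entries covering no currently resolved IP]
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in permitted]
    missing, unresolved, used = {}, [], set()
    for fqdn in fqdns:
        try:
            addrs = sorted(ipaddress.ip_address(a) for a in resolver(fqdn))
        except OSError:  # socket.gaierror is a subclass of OSError
            unresolved.append(fqdn)
            continue
        uncovered = []
        for addr in addrs:
            hits = [n for n in nets if addr in n]
            used.update(hits)
            if not hits:
                uncovered.append(str(addr))
        if uncovered:
            missing[fqdn] = uncovered
    stale = [str(n) for n in nets if n not in used]
    return missing, unresolved, stale

if __name__ == "__main__":
    # Constructed DNS answers and ACL entries, so the demo runs offline.
    sample_dns = {"www.appleiphonecell.com": ["192.0.2.10"],
                  "captive.apple.com": ["198.51.100.7", "198.51.100.8"]}
    sample_acl = ["192.0.2.10", "198.51.100.7", "203.0.113.0/24"]
    print(acl_drift(sample_acl, resolver=sample_dns.__getitem__))
```

Called without `resolver`, the function performs live lookups from the host it runs on; answers for these names can differ by resolver, so run it against the DNS server the guest clients use.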
Could you send me the screenshots from:
a. WLC/Monitor/Clients (all details including redirect URL)
b. WLC/Security/ACL (details for ACL)
c. ISE auth and authz rules
d. ISE Operations/Authentication (details for the authentication which should redirect user to ISE)
Problem solved after configuring my DHCP to provide a domain name to clients.
Works fine with the new WLC software 8.0.100 and iOS 6 and 8.1.2.