Content filtering to allow 1 website on WiFi SSID, but apple captive portal issue

merakitrucker
Conversationalist

Content filtering to allow 1 website on WiFi SSID, but apple captive portal issue

Hi I have a SSID configured to allow users to connect with a PSK. The filtering rules are setup as a group policy for the VLAN that is used and it will block everything except one website. 

 

When I connect a device, like an iphone the first page that pops up is a "This website is blocked by your network operator" saying Apple's captive portal(http://captive.apple.com/hotspot-detect.html) cannot be accessed. 

The WiFi ssid does not have a splash page configured, it is a preshared key. Any ideas on what can fix this?

2 Replies 2
DAlleman
Meraki Employee
Meraki Employee

Hi @merakitrucker!

I suspect it's due to Apple Captive Network Assistant (CNA). I can't find great documentation on Apple's side to explain the full process, but when a client connects to a wireless network, the CNA launches and sends a request to captive.apple.com. If it's successful, the device assumes it has network connectivity, and no action is taken. If it can't reach this website, the device will attempt to redirect you to a captive portal.

I tested this in my lab and found the same behavior you explained, except if I select cancel and "Use Without Internet," I can still reach the internal IPs I am allowing and no longer receive this pop-up unless I "Forget This Network."

To circumvent this, you can add a rule to allow access to 17.0.0.0/8, which will disable CNA. We cover some of this in our documentation for Device Posturing using Cisco ISE / Disable CNA.

 

PhilipDAth
Kind of a big deal
Kind of a big deal

Try allowing captive.apple.com.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels