Apple CNA didn't popup in Meraki integrated with ISE

ArusCheng
Conversationalist

Apple CNA didn't popup in Meraki integrated with ISE

I have no ideas how to solve the following problems, can anyone help in these issues? Thanks!!!

 

Our deployment is the Meraki intergration with ISE 2.2 for the Guest network but we are facing lots of problem.

 

1. CNA didn’t popup. – Except the IOS version latest than 11.2.1

2. Cannot join the SSID, the Wi-Fi is keeping drop. – IOS 11.1.2 and 11.2.0

3. Wi-Fi dropped after enter the password and press accept button in the authentication page, no success page comes out. – IOS 11.2.1

 

We have tried to isolated the ISE and the CNA popup is normal in all IOS versions with Meraki click-through splash page.

 

In the ISE part, we can see the MAB has been triggered and the redirect URL has been returned Meraki.

5 REPLIES 5
PhilipDAth
Kind of a big deal
Kind of a big deal

Why are you using Cisco ISE?  Almost everything you can do in ISE you can do with the built in Meraki system.

redsector
Head in the Cloud

We are using Cisco ISE as well because we also have Cisco Controller based accesspoints and switches (until they die 😉 ) We had in the begining of Meraki and ISE the same problems.

Now it´s working:

- we use the newest (beta) MR version.

- we had to exclude DFS channels because we are near a airport radar station

- we had to update our ISE to Version 2.2.0.470, Patch 2

- we had to use 802.11r

- we had to set the minimum bitrate to 6MBit

...

 

 

Our deployment is the Meraki intergration with ISE 2.1 for the Guest network but we are facing lots of problem.

 

1. CNA didn’t popup. – 

2. Cannot join the SSID, the Wi-Fi is keeping drop. –

3. Wi-Fi dropped after enter the password and press accept button in the authentication page, no success page comes out. –

 

Can Any one suggegst the way forward . Do I need to upgrade ISE to 2.3 

chrisj6
New here

See my post in this thread and give it a shot. Disable the captive portal with walled garden domains. 

 

https://community.meraki.com/t5/Wireless-LAN/Cisco-ISE-2-2-for-Guest-amp-BYOD-issues-with-Apple-IOS-...

 

I am on ISE 2.3 Patch 4 and it is still flaky sometimes, but it's been a lot better since we went this route. I started with ISE 2.2 and if you have not already I would recommend upgrading to 2.3. They keep integrating more and more. 

Same issues, check out my testing:

https://communities.cisco.com/message/293975#293975

 

Agreed, only way I could get this to work was to bypass CNA which my customer is not happy about... 

 

Summary:

 

-2504 Running 8.3, MAB, AAA override and ISE NAC. I get the pop up, enter creds, and are redirected to the success page and it works fine on IOS, MACOS, Windows.

 

-Meraki MR34, MAB, ISE for Radius and "Use ISE for splash page". My IOS devices get the pop up, enter creds, and get a 400 Error. Works fine on Windows and MACOS.

 

So, I tried this:

-Meraki MR34, MAB, ISE for Radius and "Use ISE for splash page". Added 17.0.0.0/8 into the walled garden list (nslookup on apple.com), and the CNA browser did not pop up. I opened a browser manually (fail, default was https://www.google.com), went to a http (no s) site, my Splash page came up, enter creds, and logged in just fine.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels