Cisco ISE 2.2 for Guest & BYOD - issues with Apple iOS devices CNA (captive portal) closing abruptly

foozed
Conversationalist

I have been struggling with an issue where we have strange behavior using ISE 2.2 for our web-auth and guest registration.

The issue occurs with Apple iOS devices and is related to the CNA mini browser popup, whereby it will open briefly and display the login/registration page but then closes abruptly.

The client will disconnect and reconnect and the captive portal window will open again and stay open allowing registration and/or login.

However, upon successful authentication the window closes abruptly and never shows the success page, or the redirect depending on how I've got it configured.

It works sometimes - 1 out of 10 maybe.

I only have this behavior using Apple iOS devices.

Does anybody else see this behavior?  

Does anyone use ISE for guest or BYOD with web-auth successfully (with respect to Apple devices and captive portal)?

I have a TAC case open but it's slow going.

 

For reference, if I configure a WLAN with native Meraki web-auth the issue does not occur and works just fine.

So it has something to do with ISE although per Cisco the ISE configuration is correct.

 

 

PhilipDAth
Kind of a big deal

Have you applied the latest patches for 2.2?  I can see:

ise-patchbundle-2.2.0.470-Patch4-221755.SPA.x86_64.tar.gz

 

 

foozed
Conversationalist

Yes.

foozed
Conversationalist

Still attempting to get Meraki to help with the troubleshooting on this.

 

redsector
Head in the Cloud

We have Cisco ISE Version 2.2.0.470, installed patches 1 and 2, and rules for internal Windows devices with a certificate; they are allowed to go internal with the company SSID.

Then we have a rule for bring-your-own devices such as smartphones and so on; the users can connect to the company's SSID with their Active Directory account but will be directed by the ISE to a VLAN with public internet access (not allowed to come inside the company's network).

And lastly we have a guest SSID for external users. The SSID connects them to a VLAN with public internet access.

 

The browser cache of the iPhones is leading to a problem where the guest splash page doesn't appear or appears only very briefly. It happens when we open a webpage again which was opened before; when opening a new webpage which wasn't opened before, the ISE guest splash page opens and the guests can put in their credentials.

 

We are using Cisco Meraki MR access points with version 25.9, Meraki switches with version 10.9 and Cisco switches.

You will want to have Meraki support enable Walled Garden domains so you can use URLs in the walled garden allowed list. This disables the captive portal detection and makes you manually open a webpage, or on Android you can just click the Wireless network after it's connected and it will take you to the redirect page. This worked for us. It is still flaky sometimes. On Apple devices, you still have to type http:// to force it to not use https to begin with. Once it's in your browser cache it sees it as https from then on and that is what is causing the issue. Follow the link below to see the domains to add and open a case with support to have Walled Garden Domains enabled. It's still in beta but does not hurt being turned on even if you do not use it. 

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Central_Web_Authentication_(CWA)_w...

redsector
Head in the Cloud

We have Cisco ISE 2.2.0.470, installed patches 1 and 2, and rules for internal Windows devices with a certificate; they are allowed to go internal with the company SSID.

Then we have a rule for bring-your-own devices such as smartphones and so on; the users can connect to the company's SSID with their Active Directory account but will be directed by the ISE to a VLAN with public internet access (not allowed to come inside the company's network).

And lastly we have a guest SSID for external users. The SSID connects them to a VLAN with public internet access.

 

The browser cache of the iPhones is leading to a problem where the guest splash page doesn't appear or appears only very briefly. It happens when we open a webpage again which was opened before; when opening a new webpage which wasn't opened before, the ISE guest splash page opens and the guests can put in their credentials.

 

We are using Cisco Meraki MR access points with version 25.9, Meraki switches with version 10.9 and Cisco switches.

Were you able to solve this problem? We have a similar issue.

ISE
Conversationalist

We have a similar issue with ISE 2.2 and Meraki MR latest release 25.9.

It is more apparent with Android devices. When logging into the guest portal, ISE sends a CoA to the MR after a successful guest authentication. Sometimes we see ISE logs that the MR did not respond to the CoA request. Endpoints end up redirected recursively to the login page, then at some point it lets them in. It helps if they log in then disable/re-enable their wifi.

Seems like an MR issue since ISE is functioning properly. We upgraded from MR 24.x since it had a lot of defects with CoA, but 25.9 did not fix the problem.

Client event logs on MR do not show the problem but endpoint debugs in ISE show CoAs being sent to the MR with no apparent reply.

Any ideas?
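
Added example, not part of the post above and not Cisco or Meraki code: one way to confirm the "CoA sent, no reply" symptom from a packet capture is to pair each RADIUS CoA-Request (code 43, RFC 5176) with its CoA-ACK (44) or CoA-NAK (45) by Identifier and list the requests that never got one. It assumes the capture has already been reduced to `(timestamp, src_ip, dst_ip, udp_payload)` tuples; the addresses, sample packets and 5-second timeout are constructed for illustration.

```python
import struct

# RADIUS codes defined in RFC 5176 (Dynamic Authorization Extensions)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

def parse_radius_header(payload):
    """Return (code, identifier) or None if payload is not a plausible RADIUS packet."""
    if len(payload) < 20:                      # 4-byte header + 16-byte authenticator
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):   # truncated or malformed
        return None
    return code, ident

def unanswered_coa(packets, timeout=5.0):
    """packets: time-ordered (ts, src_ip, dst_ip, udp_payload) tuples.
    Returns sorted (first_sent_ts, nas_ip, identifier) for CoA-Requests that
    got neither CoA-ACK nor CoA-NAK within `timeout` seconds (assumed value).
    Requests still pending when the capture ends are reported as well."""
    pending, missing = {}, []
    for ts, src, dst, payload in packets:
        hdr = parse_radius_header(payload)
        if hdr is None:
            continue
        code, ident = hdr
        for key, sent in list(pending.items()):    # expire stale requests
            if ts - sent > timeout:
                missing.append((sent, key[1], key[2]))
                del pending[key]
        if code == COA_REQUEST:
            pending.setdefault((src, dst, ident), ts)   # keep first send time across retransmits
        elif code in (COA_ACK, COA_NAK):
            pending.pop((dst, src, ident), None)        # reply travels NAS -> server
    missing.extend((sent, key[1], key[2]) for key, sent in pending.items())
    return sorted(missing)

def _pkt(code, ident):
    """Constructed minimal RADIUS packet: header plus zeroed authenticator, no attributes."""
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

ISE, MR = "192.0.2.10", "192.0.2.20"   # constructed documentation addresses
SAMPLE = [                              # constructed capture, not real traffic
    (0.0, ISE, MR, _pkt(COA_REQUEST, 1)), (0.1, MR, ISE, _pkt(COA_ACK, 1)),
    (10.0, ISE, MR, _pkt(COA_REQUEST, 2)), (12.0, ISE, MR, _pkt(COA_REQUEST, 2)),
    (30.0, ISE, MR, _pkt(COA_REQUEST, 3)), (30.2, MR, ISE, _pkt(COA_NAK, 3)),
]

if __name__ == "__main__":
    for sent, nas, ident in unanswered_coa(SAMPLE):
        print(f"CoA-Request id={ident} to {nas} at t={sent}s got no ACK/NAK")
```

A CoA-NAK counts as a reply here, so a request listed by this check means the access point stayed silent rather than rejected the change.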

 
