Meraki Wi-Fi/ISE Guest not working on IOS devices.

scottbreslin
Here to help


Hi, we have an ongoing issue which is holding up the deployment of a customer project: the guest splash page configured on ISE does not work on iOS devices, while it works fine on Android and Windows-based PCs.

 

When the iOS devices join the Guest Wi-Fi, they obtain an IP from the guest VLAN and the mini browser then pops up for the redirect, but then nothing further happens on the device, just a blank screen.

 

ISE Version 3.0 (Patch 7)

Meraki AP 29.5.1

 

The configuration applied to the ISE and Meraki networks for the deployment is as per the Meraki configuration guide:

 

CWA - Central Web Authentication with Cisco ISE - Cisco Meraki

 

We have also attempted the workaround of adding the additional URLs into the walled garden to disable the CNA.

 

However nothing works.   

 

As a last resort, we opened TAC cases with both Meraki and Cisco (who have also liaised internally with each other on this), and both state that, based on the packet captures conducted from the AP (wireless and wired), the comms between the iOS device, the Meraki AP and ISE are all fine. Response from Meraki TAC:

 

As you can see, the client device sends the DNS request for neverssl.com, which is then followed by a redirect DNS for the ISE splash page. The device then communicates with the ISE server, exchanging the certificates and sending a FIN, ACK at the end of the exchange. This is pretty much exactly what we are seeing when the walled garden is set up in the alternative configuration.

 

I have engaged directly with the Cisco TAC engineer for the case that was raised as well. They reached the same conclusion as we did before; we are seeing the full exchange of information between the client and the ISE server from the AP logs. The fact that the client sends back a FIN packet indicates that it is done with the transaction and would like to end that TCP stream. When it begins the RADIUS exchange again with an Access-Request, this is completely out of our view and we cannot determine why we are seeing that behaviour from the iPhone.

Therefore, I am at a total loss on this now and so was wondering if anyone else has, or has had, this issue with iOS devices using the same setup as detailed above. Googling iOS issues with Meraki does reveal that there are similar issues dating back to 2017, which makes me wonder if this solution does actually work in the real world.

 

Thanks 


Scott 

20 Replies
UKDanJones
Building a reputation

This is why I never use captive portals…

scottbreslin
Here to help

Yes, I'm starting to think that way too 🙂

vassallon
Kind of a big deal

@scottbreslin 

 

Are the iOS devices connecting with Private Wi-Fi Address on or off? I wonder if that is causing the issues for you.

Also can you try opening this site on one of the affected devices and see if it works for you?

 

http://captive.apple.com/hotspot-detect.html

scottbreslin
Here to help

Hi - the private Wi-Fi address is off; this was discovered during our troubleshooting when we were scratching our heads wondering why they kept on changing for the same connecting devices.

 

I will ask the onsite testers to try the URL you specify above next time they are available to test.

 

Thank you for taking the time to reply 🙂

alemabrahao
Kind of a big deal

Can you show your Authorization Profile?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
scottbreslin
Here to help

The auth policy has 3 rules. There are 2 PSNs, so 2 redirection rules have been added for resilience. These then map the Guest-PUL and Guest-IOM profiles, containing the redirect URL for the guest portal. The 3rd rule, 'Passed Web', places the endpoint within the guest endpoints group along with the MerakiWirelessGuest profile, which contains the ACL name of the group policy used on the Meraki network; this is sent back via the RADIUS attribute Airspace-ACL-Name, which is also configured on the Meraki SSID.

 

[screenshots: authorization policy rules]

Thank you for taking the time to reply 🙂

 

 

 

alemabrahao
Kind of a big deal

No no, the Authorization Profile under Policy > Policy Elements > Results > Authorization > Authorization Profiles

alemabrahao
Kind of a big deal

And also check this.

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_w...

scottbreslin
Here to help

Redirect Profile (Guest-PUL)

 

[screenshot: Guest-PUL redirect authorization profile]

 

Passed Web (MerakiWirelessGuest)

[screenshot: MerakiWirelessGuest authorization profile]

 

 

Olivier_P
Comes here often

Hi, I have the exact same issue: the guest portal works on Windows 10 and Android, but NOT on iPhones.

And we also did add the additional URLs in the walled garden to disable the CNA.

scottbreslin
Here to help

My issue is still not resolved; I have a joint Meraki/Cisco TAC case open where they communicated with each other internally. Both say the configurations are valid. I have the customer sending me a Meraki AP so that I can continue testing. There is definitely an incompatibility issue with this solution, which I'm not sure is resolvable.

alemabrahao
Kind of a big deal

You are probably forgetting some settings. I suggest that you review all settings according to the documentation. A small note.

 

Disabling CNA will require that users manually open their web browser before being presented with the splash page. Applications on the user's device that require Internet connectivity will not function as expected until the user has opened their web browser and completed authentication via the splash page. If your network contains Apple devices running iOS 14/macOS Big Sur and newer operating systems, DHCP option 114 can be leveraged instead of Apple's legacy Captive Portal networks. For additional info, please see Apple's How to modernize your captive network documentation.

alemabrahao
Kind of a big deal

You can also check this link.

 

 

https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-...

scottbreslin
Here to help

Thanks for the input. However, these guides have been followed, along with adding the URLs to disable CNA. Nothing works. The fact that it's fine with Android and Windows-based devices suggests there is an incompatibility issue. Plus there are numerous community posts on the same subject, dating back to 2017 onwards, where Apple devices will not connect to Meraki guest when hosted with ISE.

merakiise
New here

Hi scottbreslin and all,

 

Did you guys actually find a solution? We are now facing the same issue: iPhones stop showing the splash page from Cisco ISE. Any suggestions would be appreciated!!!

 

 

scottbreslin
Here to help

Hi, no, the project was abandoned and the customer is continuing to use Meraki for guest portal and authentication.

jamess03
Conversationalist

Also experiencing this issue. Does Meraki have any solutions? Works fine with Windows, Android, macOS. 

scottbreslin
Here to help

Hi, no, the project was abandoned as no solution was found, and the customer is continuing to use Meraki for guest portal and authentication.

jamess03
Conversationalist

Scott I fixed this one on my end. I think I misread this configuration guide: CWA - Central Web Authentication with Cisco ISE - Cisco Meraki Documentation

 

I kept the walled garden enabled but only included the IP addresses for my ISE PSNs (and I included their FQDNs too). As soon as I removed the following entries, iOS devices worked just as well as Windows, Android and macOS. My mistake.

 

So I removed the following items:

 

17.0.0.0/8
captive.apple.com
*.apple.com
*.appleiphonecell.com
*.ibook.info
*.itools.info
*.airport.us
*.thinkdifferent.us
clients3.google.com
*.gstatic.co 

 

Running ISE 3.2 Patch 4

iOS 17.2.1

Meraki MR 30.5 (various AP models)
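The fix above comes down to what the walled garden allow-lists before authentication. The following is an added example (not code from the thread or from Meraki/Cisco) that audits a walled-garden list: it flags entries that cover the OS captive-portal probe hosts (Apple's captive.apple.com / www.apple.com and the 17.0.0.0/8 range, plus the Google and Microsoft probes), which is what suppresses the CNA mini browser, and reports any ISE PSN host that is not allow-listed. The PSN addresses and FQDNs are placeholders; the sample list is constructed for the example.

```python
"""Audit a Meraki walled-garden list used with ISE CWA (added example)."""
import ipaddress
from fnmatch import fnmatch

# OS connectivity-probe hosts; Apple's CNA uses the first two.
PROBE_HOSTS = (
    "captive.apple.com", "www.apple.com",
    "clients3.google.com", "connectivitycheck.gstatic.com",
    "www.msftconnecttest.com",
)
# Apple's own address range, allow-listed by the "disable CNA" workaround.
PROBE_NETWORKS = ("17.0.0.0/8",)


def entry_matches(entry: str, target: str) -> bool:
    """True if a walled-garden entry (IP, CIDR, host or *.wildcard) covers target."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Hostname or wildcard pattern such as *.apple.com
        return fnmatch(target.lower(), entry.lower())
    try:
        return ipaddress.ip_address(target) in net
    except ValueError:
        return False  # hostname target cannot match an IP/CIDR entry


def covers_probe(entry: str) -> bool:
    """True if the entry lets a client reach an OS captive-portal probe."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return any(entry_matches(entry, host) for host in PROBE_HOSTS)
    return any(net.overlaps(ipaddress.ip_network(n)) for n in PROBE_NETWORKS)


def audit_walled_garden(entries, psn_hosts):
    """Return (PSN hosts missing from the list, entries that bypass CNA)."""
    missing = [h for h in psn_hosts
               if not any(entry_matches(e, h) for e in entries)]
    bypass = sorted({e for e in entries if covers_probe(e)})
    return missing, bypass


# Constructed sample: placeholder PSNs plus the CNA-suppression entries.
SAMPLE_PSNS = ["192.0.2.10", "192.0.2.11",
               "ise-psn1.example.net", "ise-psn2.example.net"]
SAMPLE_ENTRIES = SAMPLE_PSNS + ["17.0.0.0/8", "captive.apple.com",
                                "*.apple.com", "clients3.google.com",
                                "*.gstatic.com"]

if __name__ == "__main__":
    print(audit_walled_garden(SAMPLE_ENTRIES, SAMPLE_PSNS))
```

Anything reported in the second list keeps iOS from seeing the network as captive, so the redirect never appears unless the user opens a browser by hand.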

