Redirection to captive portal not working with iPhone on Guest WLAN

FernandoC

Hi,

I have at a customer site one WLAN based on Meraki. We have three SSIDs configured: two corporate and one for guests. For the three SSIDs the authentication/authorization policies are enforced by the ISE (v3.3). The users attempting to get access to the "Guest" SSID are redirected to a splash page on the ISE where they should accept the non-disclosure agreement to have access granted to the internet (typical "hotspot"). The setup works correctly as expected with PCs, but not with an iPhone. There the splash page doesn't get displayed at all. The walled garden is correctly configured; we can see the redirection on a trace. Looking at the trace we can see that after the server (ISE) has exchanged its certificate, the iPhone acknowledges and closes the connection (screenshot appended). I have tested a similar configuration on a test environment, in which instead of a Meraki AP I have a Cat9105 AP and it works fine with iPhone and iPad.

Any ideas?

Thanks in advance,

Fernando

FernandoC_0-1705650927416.png

alemabrahao

Were the URLs below allowed on the Walled Garden?

captive.apple.com, msfttestconnect.net, *.gstatic.com

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
FernandoC

Hi,

No, they weren't. Only the ISE is being allowed on the Walled Garden.

I am wondering why the client finishes the connection after having seen the server certificate. I did another trace with an iPhone on a test system based on Catalyst APs. There everything goes fine: after the ISE has sent its certificate, the client sends its own, and the splash page is downloaded as expected.

Thanks

alemabrahao

Any chance to do a test before allowing anything the URLs?

Catalyst and Meraki are different systems.

FernandoC

Hi,

I did test it both ways. In fact the first test was (by mistake) with 17.0.0.0/8, captive.apple.com, *.apple.com,... in the walled garden, which didn't trigger the redirection to the splash page, as expected. Then we took everything out and left only the IP address and URL of the ISE. Since then the redirection works (as you can see in the screenshot in my first post). The problem is that the iPhone doesn't finish the TLS handshake.

Thanks,
