Redirection to captive portal not working with iPhone on Guest WLAN
Hi,
I have at a customer site one WLAN based on Meraki. We have three SSIDs configured: two corporate and one for guests. For the three SSIDs the authentication/authorization policies are enforced by the ISE (v3.3). The users attempting to get access to the "Guest" SSID are redirected to a splash page on the ISE where they should accept the non-disclosure agreement to have access granted to the internet (typical "hotspot"). The setup works correctly as expected with PCs, but not with an iPhone. There the splash page doesn't get displayed at all. The walled garden is correctly configured, and we can see the redirection on a trace. Looking at the trace we can see that after the server (ISE) has exchanged its certificate, the iPhone acknowledges and closes the connection (screenshot appended). I have tested a similar configuration on a test environment, in which instead of a Meraki AP I have a Cat9105 AP, and it works fine with iPhone and iPad.
Any ideas?
Thanks in advance,
Fernando
Were the URLs below allowed on the Walled Garden?
captive.apple.com, msfttestconnect.net, *.gstatic.com
Please, if this post was useful, leave your kudos and mark it as solved.
Hi,
No, they weren't. Only the ISE is being allowed on the Walled Garden.
I am wondering why the client finishes the connection after having seen the server certificate. I did another trace with an iPhone on a test system based on Catalyst APs. There everything goes fine: after the ISE has sent its certificate, the client sends its own, and the splash page is downloaded as expected.
Thanks
Any chance to do a test before allowing anything the URLs?
Catalyst and Meraki are different systems.
Please, if this post was useful, leave your kudos and mark it as solved.
Hi,
I did test it both ways. In fact the first test was (by mistake) with 17.0.0.0/8, captive.apple.com, *.apple.com,... in the walled garden, which didn't trigger the redirection to the splash page, as expected. Then we took everything out and left only the IP address and URL of the ISE. Since then the redirection works (as you can see in the screenshot in my first post). The problem is that the iPhone doesn't finish the TLS handshake.
Thanks,
