Dealing with Apple CNA (AKA Mini browser) for ISE BYOD

howon · ‎02-09-2017

When Apple CNA is activated the ISE BYOD cannot be completed due to limitation of the CNA browser. While WLC can be configured to suppress Apple CNA via ‘config network web-auth captive-bypass enable’, it enforces the feature controller-wide affecting all WLANs that the controller manages. This ended up forcing customers to choose between supporting ISE BYOD or guest with Apple CNA enabled. This document describes few options in terms of dealing with Apple CNA issue when using both ISE guest and BYOD on the same wireless controller.

	Description	Pros	Cons
WLC controller-wide captive-bypass	From the WLC CLI, run ‘config network web-auth captive-bypass enable’, then save & reset the controller 8.4 and above, from the WLC GUI, go to the CONTROLLER > General, select 'Enabled' for Captive Network Assistant Bypass (Requires WLC reload)	Works with all versions of WLC & ISE including Converged Access	Requires controller reset after the command The setting applies controller wide; if the controller is servicing both guest and BYOD WLAN, then CNA browser will be suppressed for both WLANs
Using ISE 2.2 Feature	See: Dual SSID BYOD with Apple Captive Network Assistant (CNA) Browser	Can provide both guest and BYOD on the same portal (Dual-SSID flow) Works on all versions of WLC (Possibly works with Converged Access as well)	Requires full Internet access during the interim state for Apple devices going through BYOD Requires ISE 2.2+ Feature does not work with iOS 10.3.1+ (Tracked by CSCve39167)
WLC 8.4 per WLAN captive bypass feature	From the WLC GUI, go to the WLANs > Security > Layer 3, select 'Enable' for Captive Network Assistant Bypass From the WLC CLI, run ‘config wlan security web-auth captive-bypass enable {WLAN_ID}' Cisco Wireless Controller Configuration Guide, Release 8.4 - WLAN Security [Cisco Wireless LAN Controller Software] - …	Can be enabled per WLAN Works with all versions of ISE	Does not help in the case of Dual SSID flow Requires WLC 8.4+ Does not work with converged access
Using DNS ACL	Create separate redirect ACL for BYOD portal and Guest portal on the WLC. Only difference is that BYOD ACL allows access to ‘captive.apple.com’ in the DNS ACL while guest portal doesn’t. When the clients connect to BYOD WLAN, the Apple CNA is suppressed thinking it is on the Internet as it can reach the captive.apple.com and gets proper response.	Can be enabled per ISE portal Works with all versions of ISE	Requires WLC 7.6+ for DNS-ACL feature; also dependent upon the AP model and AP/WLAN mode for DNS-ACL feature to work. FlexConnect local switching utilizes FlexConnect ACL which support DNS-ACL starting with 8.7. Not supported with Anchored WLAN Occasionally few users may still get Apple CNA on BYOD WLAN Does not work with converged access
Separate Auto-Anchor WLAN	If BYOD WLAN is only on foreign, and the guest WLAN is being auto-anchored to the DMZ controller. One can enable controller wide captive bypass on the foreign, while disabling it on the anchor controller. This allows the guest to leverage the Apple CNA, while it is suppressed for any of the foreign managed WLAN including BYOD WLAN.	Can be enabled per WLAN Can use any version of WLC or ISE	Requires separate controller which supports anchoring; vWLC does not support anchoring Requires controller reset for the foreign to take affect May work with converged access May not be supported configuration