
Cisco ISE 3.1 WLC Captive Portal - AUP Error Apple Devices

Leonterry
Level 1

We are having an odd issue with newer versions of iPhone/iOS when trying to access the ISE Guest Portal.

The users start the CWA flow, connect to the SSID, then get a username and password provided by Cisco ISE, then log in using the provided credentials and land on the AUP. Once the user ticks the box and accepts it, an error is prompted straight away on the endpoint, ERROR: "Error opening page. Hotspot login cannot open the page because the network connection was lost", and then the endpoint is not able to join the network. Even deleting the endpoint from the ISE database just triggers the authentication process again, with the same error after accepting the AUP.

Private MAC was disabled on the iPhone, the auto-join feature was disabled and enabled, and so on... Nothing has worked. Android and older iPhones are working fine.

On the C9800 we just have the status "Web Auth Pending" and on ISE we see the MAC address as Username after it fails. On the ISE side, under "Endpoint Workflow", we just see "endpoint proprietary error".

We do have a case with Cisco, but no resolution yet. I was wondering if we are triggering a bug on ISE/WLC or if it is a problem with the newer iOS devices.

3 Replies

Arne Bier
VIP

Hi @Leonterry 

Out of interest, what version of iOS is this happening on? It does smell a bit like an iOS issue.

If you can run a tcpdump on the PSN and recreate the issue, do you see any CoA being sent by the PSN when the user clicks the AUP? That should be the only valid trigger mechanism to kick the wireless user off the air, and force them to perform another MAB - this time, the guest-flow would be True and the AuthZ should end in an 'access granted' ISE Authorization Profile.

If no CoA is sent, then I think there is some html/javascript/whatever on that page that is freaking out the iOS device.

Hi Arnie,

I have done the packet capture before; no CoA is being sent when the user clicks on the AUP.

I have tried different browsers, with the same outcome.

iOS is the latest one provided.

Arne Bier
VIP

Searching for that error message reveals that this can also happen if the DNS is somehow broken at the crucial stage where the device needs to resolve a URL - it's a pity that this is happening on an iPhone (harder to troubleshoot). But I have a suggestion: install an app on the iPhone that allows you to test DNS - e.g. I use the free app 'NSLookup' - then reproduce the error and switch to this app to test whether the phone can resolve:

  1. FQDN of ISE Portal
  2. captive.apple.com