Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
548
Views
2
Helpful
9
Replies

IOS is not redirecting to the BYOD portal.

Go to solution
JustTakeTheFirstStep
Level 4
Level 4

‎02-07-2024 06:51 PM

I'm testing BYOD.

WINDOWS and ANDROID can be redirected to the BYOD portal.

However, IOS is not redirected to the portal.

Are there any URLs I should add to the URL filter?

I've followed a combination of guides, but I'm not sure if what I've set up is correct.

 

2024-02-08 11 44 22 (2).png

2024-02-08 11 44 22.png

2024-02-08 11 44 22 (3).png2024-02-08 11 44 22 (4).png2024-02-08 11 44 22 (5).png

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to JustTakeTheFirstStep

‎02-12-2024 07:56 PM

@JustTakeTheFirstStep , the URLs defined in URL filter defines what traffic will be exempted from redirection. If you want the redirect to happen when the browser is directed to 'gstatic.com' then you would not want that defined in the URL filter.

The expected behaviour (and what I see in my lab with my iPad [OS 17.2] and ISE 3.2 is the following:

  • With captive portal bypass disabled, the redirect happens and the ISE portal returns the error 'This browser is not currently supported'
  • With capture portal bypass enabled, after the initial SSID connection, the user must manually open a browser and input a URL that initiates the redirect (I use 'http://neverssl.com' as HTTPS redirects can be problematic). At that point the redirect happens and the BYOD enrolment flow can be followed.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎02-07-2024 07:23 PM

With captive bypass enabled, you would have to manually open a browser on the IOS device and browse to an HTTP page (like http://neverssl.com).

When you do so, it should redirect you to the ISE BYOD portal.

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎02-07-2024 07:37 PM

Oh the wording in the IOX-XE GUI is probably not helpful. Does "Captive Bypass Portal" ticked mean that the CNA (Captive Networking Assistant from iOS) is being bypassed?  In other words, "Captive Portal bypass" ?  If so, then untick that. You don't want to bypass the iOS CNA.  The CNA is like a "mini browser" that the iOS uses for open ssid logins.  

If you bypass the CNA, then the user is not redirected automatically. They will have to trigger a manual re-direction by opening a browser to http://1.1.1.1/ or whatever. 

0 Helpful

Go to solution
Ruben Cocheno
Spotlight
Spotlight

‎02-07-2024 07:48 PM

@JustTakeTheFirstStep 

if Bypass the CNA, you will need to trigger a manual redirect browsing a URL (e,g www.cocheno.com)

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/
0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎02-07-2024 08:46 PM

The Apple CNA causes many issues with portal flows like BYOD, so it's best practice to have the Captive Portal Bypass enabled and train your users to manually open a browser for the redirect.

With IOS, if you disable the bypass option on the SSID, you will likely get a message from the BYOD portal (served up from the CNA) stating that the browser is not supported.

Go to solution
JustTakeTheFirstStep
Level 4
Level 4
In response to Greg Gibbs

‎02-12-2024 06:46 PM - edited ‎02-12-2024 07:44 PM

@Arne Bier @Greg Gibbs @Ruben Cocheno 

2024-02-13 10 58 42.png

Adding gstatic.com to the URL Filter and attempting to access the internet from a Chrome browser redirects to the BYOD Portal.

The redirect to BYOD Portal succeeds regardless of whether Captive Portal Bypass is enabled/disabled on the controller.

IMG_4035.PNG

When press Start in the BYOD portal on a Chrome browser, show the message "This browser is not currently supported"

However, it does not redirect to the BYOD Portal in Safari browser.

What do I need to do?

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to JustTakeTheFirstStep

‎02-12-2024 07:56 PM

@JustTakeTheFirstStep , the URLs defined in URL filter defines what traffic will be exempted from redirection. If you want the redirect to happen when the browser is directed to 'gstatic.com' then you would not want that defined in the URL filter.

The expected behaviour (and what I see in my lab with my iPad [OS 17.2] and ISE 3.2 is the following:

  • With captive portal bypass disabled, the redirect happens and the ISE portal returns the error 'This browser is not currently supported'
  • With capture portal bypass enabled, after the initial SSID connection, the user must manually open a browser and input a URL that initiates the redirect (I use 'http://neverssl.com' as HTTPS redirects can be problematic). At that point the redirect happens and the BYOD enrolment flow can be followed.
0 Helpful

Go to solution
JustTakeTheFirstStep
Level 4
Level 4
In response to Greg Gibbs

‎02-12-2024 09:23 PM - edited ‎02-12-2024 09:27 PM

@Greg Gibbs 

Removed gstatic.com from the URL filter.

2024-02-13 14 26 04.png

Wich Captive portal bypass disabled,

not automatically ridirected. manually opened the browser and entered the URL to start the redirect. show the message "This browser is not currently supported"

Wich Captive portal bypass enabled,

manually opened the browser and entered the URL to start the redirect. show the message "This browser is not currently supported"

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to JustTakeTheFirstStep

‎02-13-2024 01:29 PM - edited ‎02-13-2024 01:29 PM

I can't replicate this issue in my lab (which is using an AireOS WLC). You might need to open a TAC case to investigate in more detail.

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎02-07-2024 09:13 PM

Oh yes of course. This is BYOD and not Guest Portals. Not a pretty workflow for iOS then. 

0 Helpful
Customers Also Viewed These Support Documents