Issue with SAML SSO based Password less BYOD flow for Apple devices

kshah2589 · ‎12-04-2023

Hello Community,

The SAML SSO based Password less flow(from Meraki >> Cisco ISE >> Microsoft Azure ) with windows and Android devices working properly. We are having challenges with Apple devices. when we connect Apple devices to SSID, the apple CNA(mini browser) pop up automatically and get redirected to Microsoft login page where we are putting username and then getting 2-digit code in authenticator app to confirm. After that, looks like the flow breaks and as a result we couldn’t complete a successful authentication and redirected back to ISE to complete next page in flow(ex: AUP).

However, Disabling CNA allowing us to manually go to browser and type in http website for automatic redirection and we can be able to complete successful authentication and access the internet.

Let me know what could be the reason and how can we remediate the issue?

Regards,

Kunal

kshah2589 · ‎12-11-2023

Just waiting to see if anyone has any suggestions.

Greg Gibbs · ‎12-11-2023

The Apple CNA is not a full-feature browser and is know to cause issues with some portal-based flows. There have also been multiple past instances in which Apple made changes to the CNA without notification which broke previously working flows.

If the flow works consistently with the CNA bypass feature enabled, the recommendation would be to keep it enabled and communicate the expected behaviour to your users.

kshah2589 · ‎12-13-2023

Hello Greg,

Please find the additional below observations from testing of different Apple devices with password less SSID. Apple CNA(mini browser) is enabled.

1). iPad/MacBook laptop

Connects to SSID >>> Apples Captive Network Assistant brings up the Captive Portal >>> user redirected to Microsoft login page >>> enters credentials and user prompted for 2-digit code in authenticator app to confirm identity >>> user redirected back to ISE for next steps(ex: AUP) >>> the flow works, and user can browse internet.

2).iPhone with two different scenarios.

A).iPhone connects to SSID with Microsoft authenticator app is in different device : the process is same as above mentioned >>>> the flow works, and user can browse internet.

B). iPhone connects to SSID with Microsoft authenticator app is also in same device : connects to SSID >>> Apples Captive Network Assistant brings up the Captive Portal >>> user redirected to Microsoft login page >>> enters credentials and user prompted for 2-digit code in authenticator app >>> User switches to Authenticator app to confirm identity, this action closes the Apple Captive Network Assistant(mini-browser) >>> which breaks the flow and user cannot proceed as Apple CNA starts again and repeats the above loop without success.

Let me know your thoughts and next steps we can take to fix the issue.

Regards,

Kunal Shah

hslai · ‎12-22-2023

@kshah2589 : I am with @Greg Gibbs that the issue is due to the wall-garden by the Apple CNA. Whenever we switch to another app, it terminates the wall-garden process.

kshah2589 · ‎12-22-2023

Hello hslai,

Thanks for reference. I am not sure what you mean by that, if you can rephrase for me. what's the solution to fix the issue because Android doesn't have the same issue?

Regards,

Kunal Shah

hslai · ‎12-26-2023

@kshah2589 Just as Greg already suggested,

> ... with the CNA bypass feature enabled.

Screenshot 2023-12-26 at 18.32.39.png

By comparison (at least on my Android test devices), the mini browsers on Android devices seem more capable in handling JavaScript, and multi-webpage on-boarding, and more flexible because it does not terminate the Internet connections when switched to Cisco Network Setup Assistant to complete the cert provisioning, etc.