In my lab, I try to explore scenarios that either I have come across in my design meetings or ones that I feel will be useful in future designs. Since ISE has been around for a bit now, many engineers have already hit the issue where an Apple iPad (or iPhone, iPod Touch) doesn’t quite get to the ISE redirection page. Instead, you end up with a (for the most part) blank page. Apple implemented their Captive Network Assistant (CNA) which basically senses when a captive portal (like the WebAuth page) is being presented. To detect this behavior, the Apple device sends a request to http://www.apple.com/library/test/success.html to see if it gets a response. If it does, it knows a captive portal isn’t being used. If it does not get a response, it assume a captive portal is in use and CNA auto-launches a broswer window so as to get a leg-up on the portal login – trying to make sure the user doesn’t get stuck trying to use an app but not realizing they have to login to the captive portal first. Sounds like a fair plan but this ends up causing a “controlled window” to pop up that ends up blank.
There are a couple of workarounds that I know about, but only one that is really feasible.
1) You can disable auto-login under WLAN settings on the Apple device. This of course requires a user to know how to do that – or a call to the help desk for assistance.
2) On the Cisco WLC (Wireless LAN Controller), there is a CLI only command that will bypass this “controlled windows” behavior on the Apple device.
(Controller)> config network web-auth captive-bypass enable
With solution #2, you can now see the WebAuth redirect page in the Apple device’s browser.
If you find errors, have a better solution, or just some comments, please add to the knowledge!
**Update: I hear that iOS 7 is going to change the behavior of Apple’s CNA. So, if you have the above solution in place, iOS 7’s CNA will work differently. Cisco is going to put out WLC 7.4 MR2 code sometime this month (hopefully) that will work with the new CNA. Be looking for that release.