Guest Anchor - Web Passthrough - Apple device web redirect issue

Similar Messages

• Guest access web authentication issue

  Hello experts-
  we have a problem concerning secure guest access. One controller 4402 is installed in DMZ and is working as guest anchor WLC. The guest user terminates as this anchor wlc. From this controller the client will get the ip address but when the user will open the browser and insert the url like www.cisco.com, there is no redirect to the web authentication page. If we try to reach the virtual IP via Web browser the authentication page will not be seen. Proxy setting in browser are deactivated. DNS works, if no authentication is configured Internet access is working well. But if we configure "Pass Thru", the client is in status "Authentication required" again.
  Has anybody any ideas?
  Thanks a lot, Martin

  First of all, when you configure the wlan to open, do you see that device on the anchor controller or the foreign wlc? You should see the user authenticated on the anchor. If not, then your mobility between the foreign and anchor is not working. Mping and Eping between the foreign and anchor wlc. Verify that the ssid has mobility anchor configured. Also you must make sure that your ssid on the foreign and on the anchor wlc. The webauth page will need to be installed on the anchor wlc along with the 3rd party certificate if you use one.

• Stolen Apple device - Serial Number Issue

  I have recently lost my iPod touch device through property theft. I had iCloud on and "find my iphone" as well. I have found that no apple device can track without the help of cellular of wifi, however though using the device I can track my movements on mapping apps without actually being connected to any particular wifi or cellular network. This form of tracking does NOT work over iCloud functions, so there is no way for me to track my iPod touch. I have been told by Police to obtain my serial number which is registered to my apple account. What concerns me is that according to other posts people can hook my iPod touch up to another computer and iTunes, wipe it clean and re-register so they can use it themselves. Now I remember that when using older Microsoft programs I had to enter a serial number and register it online to use the program, and if all "uses" had been used I could not register and use that program. Similar I should assume applies to apple with its sophisticated policies, that a stolen device has to be registered before syncing with another computer by way of serial number and that I should get an email to say that somebody is trying to re-register my device on another computer. The same prompt system used for apple password changes. My main issue is that the iPod touch is forever registered to me unless I remove it, but does Apple allow a thief to register the same device, the same serial number twice? If that were so, there are laws in most countrys that would classify this as an accessory to a criminal act, allowing and encouraging a black market of stolen apple goods. Apple puts up a front with its "find my iphone" app, but doesn't the world agree that serial number tracking of registrations should play a part. I can give my serial number to the Police, but only apple will know if somebody has tried to register my device a second time. In short, can my iPod touch be wiped? (it is locked). Does apple have a policy indemnifying them of criminal black market activities? Can apple notify me if somebody tries to re-register my property? Can apple block re-registration attempts?

  gail from maine, you said
  "You said: What concerns me is that according to other posts people can hook my iPod touch up to another computer and iTunes, wipe it clean and re-register so they can use it themselves.
  "What I said was - no they cannot. Period. It is a brick to them.
  "So, your statement: All I have queried is if somebody COULD wipe the device and re-register it, then apple makes it easy to use a stolen device.
  "Is invalid, because someone CANNOT wipe the device if you have your device signed onto iCloud and you have the Find My iPhone application enabled. Since they cannot wipe it, they cannot use it. Apple has made it virtually impossible to use a stolen device."
  The OP said theyhave "iPod touch, iOS 6.1.6". That means they have a 4G. Theus, all onne has to do is place the iPod in recovery mode and restore via iTunes. Then they can use/sell the working iPod.
  iOS 7 introduced the Acivation Lock
  iCloud: Find My iPhone Activation Lock in iOS 7
  Which, while allowing restoring the device with recovery mode, does not allow use of the iPod unless the Apple ID andf Password of the previous owner is entered. Of the iPods, only the 5G iPod can go to iOS 7

• ISE 1.1.3 Guest portal (Web redirection) what worked for me !!!

  Hello,
  this document lead to multiple failure !!!!
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
  This guy really helps !!!
  https://www.youtube.com/watch?v=TW2ZJVIZ8bs
  See attached screen captures.
  ISE documentation, even published by TAC is not reliable.
  Bring back the Cisco we liked so much 15 years ago !!!!!

  Hello Jan
  You can customize the look-and-feel of the end-user portals by uploading your company's logos, background images, or color schemes. These changes apply to the My Devices, Sponsor, and Guest portals, but you can assign different images and colors to the mobile Guest portal.
  These settings allow you to change the appearance of the portals without having to upload customized HTML files to the Cisco ISE server. However, if you want to create themes unique to specific Guest portals, you must upload your custom HTML files instead.
  Step 1 Choose Administration > Web Portal Management > Settings > General > Portal Theme.
  Step 2 Upload the graphics and change the color settings in the Style Settings section to customize the standard portals.
  Step 3 Upload the graphics and change the color settings in the Mobile Device Style Settings to customize the Guest mobile portal.
  Step 4 Click Save.

• Web redirecting issue when users reconnect guest ssid

  We are facing new issue on our controller for Guest SSID. This SSID used for Guest users and it is web base redirected to Aruba CPPM. First time web page redirects to controller virtual IP address and then Aruba CCPM.
  The scenario is as below
  - The user fills the form and gets redirected to a page where there is a login button which is grayed out till the sponsor approves the mail.
  -Once the sponsorer approves the mail, the login is highlighted and user connects to internet. 
  -Issue occurs when the user disconnects and connects to the SSID and tries to login again. There the user is redirected to controller management IP not on virtual IP.
  Controller Make Model:-5508
  IOS Version:- 7.5.102.0

  Well... you should upgrade to v7.6.110.0 as that code is deferred.  I don't know how you have your WLAN setup, is it use open and your using a pre-auth ACL?  Have you also posted in the AirHeads forum for suggestion?
  Post your show wlan <wlan ID>

• Aironet 1140 FLEXCONNECT External Web Authentication and Apple Devices

  Hi!
  I'm having an issue with this Access Point.
  I've configured this access point with WLC in mode FlexConnect with web authentication.
  It's all right, i'm connecting with my PC in wireless, i open my web browser in windows, then the Access Point redirect me to External Web Authentication Page,
  i put my credentials, and  i'm redirected to my access point ( https:/1.1.1.1/login.html i accept the certificate) and then the Access Point redirect me to Internet.
  I do this with my android phone, it's all right again.
  I try to connect with iphone or ipad , i'm  redirected to External Web Authentication Page, i put my credentials, and i'm  redirected to https://1.1.1.1/login.html where the web browser don't ask me anything and i'm not redirected to Internet.
  Have you any idea?

  Thx you Scott, i understand what are you talking about, but my problem is different.
  I try to explain..
  I see the wireless network, i associate the iphone to this network, so i'm  redirected to Login page,
  as i use the "Apple Login" or i Open a Web Page .
  In this page , that i reach with all devices i put my credentials, then i will be redirected with all devices
  back to Access Point (https://1.1.1.1/login.html).
  In this page i should be   redirected to internet after Radius Authentication, but with Apple Devices this doesn't work.
  This is thw WEB AUTHENTICATION from Cisco Documents.
  The user associates to the web authentication SSID.
  The user opens their browser.
  The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
  The user authenticates on the portal.
  The guest portal redirects back to the WLC with the credentials entered.
  The WLC authenticates the guest user via RADIUS.
  The WLC redirects back to the original URL.

• Web Auth using 5760 Guest Anchor and ISE

  I am trying to deploy a new guest wireless solution using a 3650s as the MA, a 5760 as the MC, and a 5760 as the guest anchor.  ISE is being used as the guest auth server.
  When no auth requirements are set on the guest wlan, everything works fine.  I get an IP address and can get to the internet, VPN, etc.  As soon as I enter the security web-auth command on the wlan, my client drops and goes into an Acquiring IP Address state.  When I check the client on the controller, it is in a Policy Manager State of START.
  As soon as I remove the security web-auth commamd from the wlan, I connect right up.  It is my understanding that in guest, the client gets an IP address first in order to get redirected to the spoofed external web page, in my case ISE.
  Any thoughts on what I am missing on my guest anchor, or MA config?  Do I need to make any changes to the wlan on the MC?  Any documentation about the relationship between the MA, MC, and guest anchor would be appreciated, I am not 100% sure which devices are required to have the client reach the guest anchor and get connected.

  I hope this may help you
  http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/117742-configure-wlc-00.html
  HTH
  Rasika
  *** Pls rate all useful responses ****

• Guest Anchor with web auth using ISE guest portal

  Hello All,
  Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
  I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
  massive thanks to anyone that can assist.
  JS.

  Thanks for the reply RikJonAtk.
  so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
  Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
  Thanks in Advanced,
  JS

• My iPad Mini with retina display suddenly will not connect to the Internet. It shows full wifi bars, yet no web pages will load. My Internet is working with all other apple devices in my house. The iPad also no longer works with celluar data.

  My iPad Mini with retina display suddenly will not connect to the Internet. It shows full wifi bars, yet no web pages will load. My Internet is working with all other apple devices in my house. The iPad also no longer works with celluar data. I'm not sure what has happened. It was working fine a few hours ago. I have tried resetting it, ive restarted my browser etc. I tried to erase all data from my Ipad but I can't do that because it needs to sign into my Apple ID and use the Internet!

  Some things to try first:
  1. Turn Off your iPad. Then turn Off (disconnect power cord for 30 seconds or longer) the wireless router & then back On. Now boot your iPad. Hopefully it will see the WiFi.
  2. Go to Settings>Wi-Fi and turn Off. Then while at Settings>Wi-Fi, turn back On and chose a Network.
  3. Change the channel on your wireless router (Auto or Channel 6 is best). Instructions at http://macintoshhowto.com/advanced/how-to-get-a-good-range-on-your-wireless-netw ork.html
  4. Go into your router security settings and change from WEP to WPA with AES.
  5.  Renew IP Address: (especially if you are drooping internet connection)
      •    Launch Settings app
      •    Tap on Wi-Fi
      •    Tap on the blue arrow of the Wi-Fi network that you connect to from the list
      •    In the window that opens, tap on the Renew Lease button
  6. Potential Quick Fixes When Your iPad Won’t Connect to Your Wifi Network
  http://ipadinsight.com/ipad-tips-tricks/potential-quick-fixes-when-your-ipad-won t-connect-to-your-wifi-network/
  ~~~~~~~~~~~~~~~~~~~~~~~~~
  Fix WiFi Issue for iOS 7
  http://ipadnerds.com/fix-wifi-issue-ios-7/
  iOS 6 Wifi Problems/Fixes
  Wi-Fi Fix for iOS 6
  https://discussions.apple.com/thread/4823738?tstart=240
  How To: Workaround iPad Wi-Fi Issues
  http://www.theipadfan.com/workaround-ipad-wifi-issues/
  Another Fix For iOS 6 WiFi Problems
  http://tabletcrunch.com/2012/10/27/fix-ios-6-wifi-problems-ssid/
  Wifi Doesn't Connect After Waking From Sleep - Sometimes increasing screen brightness prevents the failure to reconnect after waking from sleep. According to Apple, “If brightness is at lowest level, increase it by moving the slider to the right and set auto brightness to off.”
  Fix For iOS 6 WiFi Problems?
  http://tabletcrunch.com/2012/09/27/fix-ios-6-wifi-problems/
  Did iOS 6 Screw Your Wi-Fi? Here’s How to Fix It
  http://gizmodo.com/5944761/does-ios-6-have-a-wi+fi-bug
  How To Fix Wi-Fi Connectivity Issue After Upgrading To iOS 6
  http://www.iphonehacks.com/2012/09/fix-wi-fi-connectivity-issue-after-upgrading- to-ios-6.html
  iOS 6 iPad 3 wi-fi "connection fix" for netgear router
  http://www.youtube.com/watch?v=XsWS4ha-dn0
  Apple's iOS 6 Wi-Fi problems
  http://www.zdnet.com/apples-ios-6-wi-fi-problems-linger-on-7000004799/
  ~~~~~~~~~~~~~~~~~~~~~~~
  iPad: Issues connecting to Wi-Fi networks
  http://support.apple.com/kb/ts3304
  How to Boost Your Wi-Fi Signal
  http://ipad.about.com/od/iPad_Troubleshooting/a/How-To-Boost-Your-Wi-Fi-Signal.h Mt
  Troubleshooting a Weak Wi-Fi Signal
  http://ipad.about.com/od/iPad_Troubleshooting/a/Troubleshooting-A-Weak-Wi-Fi-Sig nal.htm
  How to Fix a Poor Wi-Fi Signal on Your iPad
  http://ipad.about.com/od/iPad_Troubleshooting/a/How-To-Fix-A-Poor-Wi-Fi-Signal-O n-Your-iPad.htm
  iOS Troubleshooting Wi-Fi networks and connections  http://support.apple.com/kb/TS1398
  iPad: Issues connecting to Wi-Fi networks  http://support.apple.com/kb/ts3304
  WiFi Connecting/Troubleshooting http://www.apple.com/support/ipad/wifi/
  How to Fix: My iPad Won't Connect to WiFi
  http://ipad.about.com/od/iPad_Troubleshooting/ss/How-To-Fix-My-Ipad-Wont-Connect -To-Wi-Fi.htm
  iOS: Connecting to the Internet http://support.apple.com/kb/HT1695
  iOS: Recommended settings for Wi-Fi routers and access points  http://support.apple.com/kb/HT4199
  How to Quickly Fix iPad 3 Wi-Fi Reception Problems
  http://osxdaily.com/2012/03/21/fix-new-ipad-3-wi-fi-reception-problems/
  iPad Wi-Fi Problems: Comprehensive List of Fixes
  http://appletoolbox.com/2010/04/ipad-wi-fi-problems-comprehensive-list-of-fixes/
  Connect iPad to Wi-Fi (with troubleshooting info)
  http://thehowto.wikidot.com/wifi-connect-ipad
  10 Ways to Boost Your Wireless Signal
  http://www.pcmag.com/article2/0,2817,2372811,00.asp
  Fix iPad Wifi Connection and Signal Issues  http://www.youtube.com/watch?v=uwWtIG5jUxE
  Fix Slow WiFi Issue https://discussions.apple.com/thread/2398063?start=60&tstart=0
  How To Fix iPhone, iPad, iPod Touch Wi-Fi Connectivity Issue http://tinyurl.com/7nvxbmz
  Unable to Connect After iOS Update - saw this solution on another post.
  https://discussions.apple.com/thread/4010130
  Note - When troubleshooting wifi connection problems, don't hold your iPad by hand. There have been a few reports that holding the iPad by hand, seems to attenuate the wifi signal.
  Some Wi-Fi losses may stem from a problematic interaction between Wi-Fi and cellular data connections. Numerous users have found that turning off Cellular Data in Settings gets their Wi-Fi working again.
  You may have many apps open which can possibly cause the slowdown and possibly the loss of wifi. In iOS 4-6 double tap your Home button & at the bottom of the screen you will see the icons of all open apps. Close those you are not using by pressing on an icon until all icons wiggle - then tap the minus sign. For iOS 7 users, there’s an easy way to see which apps are open in order to close them. By double-tapping the home button on your iPhone or iPad, the new multitasking feature in iOS 7 shows full page previews of all your open apps. Simply scroll horizontally to see all your apps, and close the apps with a simple flick towards the top of the screen.
  Wi-Fi or Bluetooth settings grayed out or dim
  http://support.apple.com/kb/TS1559
  ~~~~~~~~~~~~~~~
  If any of the above solutions work, please post back what solved your problem. It will help others with the same problem.
   Cheers, Tom

• ISA570W - web filtering issue - apple device update

  Hi,
  I have got a ISA570W - FW 1.1.17
  here are two scenarios which fail trying to update my apple device. The result is error 1403 - which means no access to gs.apple.com
  first scenario:
  active web url filter: bocked category: advertisments
  degugging the log file, I couldn't find any entry blocking this request!
  solution:
  adding gs.apple.com the the allow list
  second scenario:
  activation the web reputation filter, with or without the web url filter as described above, I got the same error and again, no blocked entry in the debug log-file. adding gs.apple.com to the allow list won't change this behavior.
  well, can anybody explain this behavoir?
  thanks in advance
  Mike
  PS: how can I check the category of an url?
  Nachricht geändert durch Michael Schwartz:
  the workaround adding gs.apple.com doesn't work for iphone5.
  Debug-log:http_parse_buffer_info: 540, HOST=gs.apple.com:80,hostlen=15
  Kind of strange behavior! why is this request blocked???

  Hi Michael thank you for using our forum, my name is Johnnatan I am part of the Small business Support community. I apologize for the issue you are having, I have a question for you, did you set any restriction in your ISA, before create "allow" policy?
  Here you can find the URL polices, Firewall > Content Filtering > Content Filtering Policies. You can see more information in this link.
  http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3522
  I hope you find this answer useful,
  *Please mark the question as Answered or rate it so other users can benefit from it"
  Greetings,
  Johnnatan Rodriguez Miranda.
  Cisco Network Support Engineer.

• Apple Devices ISE GUEST REDIRECT

  Dears,
  All our devices connecting to corporate SSID and Guest SSID
  when connecting to Guest SSID all devices connect and  been redirected to  ISE Guert portal
  BUT APPLE devices just stays on loading page to Ise server page for guest portal and nothing happens
  i used 
  config network captive bypass command and reboot it doesnt help

  You need to do a bit more testing. What I would do is create a new WLAN for testing using the internal auth portal and define the WLAN the same as your guest with the exception of radius, aaa override and radius nac. Have user use that and your self use that on your phone and see if you have to login every so often. Right now, every hour the users device goes to sleep (iOS especially), they would need to login again.  Maybe your aaa is overwriting the timer or something else, that's why testing with a different wlan will help you understand if it's a radius, WLC, or maybe device issues.  You only have one WLC so roaming shouldn't break this  
  -Scott

• Web-redirect to external radius not wokring on some browsers for Guest SSID

  Hi,
  We are using Cisco 5760 with 3.7, and the guest SSID doesn't perform web-redirect to external radius (cisco NAC appliance), for some browsers. Although the same works on Cisco 5508 and 4402 WLC with the same NAC appliance for all browsers.
  working browsers: IE9.0 and IE 11.0
  Non-working: Chrome all versions, Firefox all versions, Safari all versions.
  Can anyone provide some help if they have seen  this issue before.?

  You need to check the compatibility guide of Cisco WLC and check if those browsers are supported or not.

• Why are all my Apple devices not connecting to the web?

  I have an Airport express and has been working fine up until recently. Now none of my Apple devices are connecting to the web. They all find the network no problem and all connect however they will not connect to the internet. The strange thing is that our Windows laptop works fine but absolutly nothing from Apple, this includes a 2011 MacBook pro, iphone 3gs, ipod touch, Apple tv and 2x 2nd gen ipads. I have reset the airport and  set up a new network, it worked for one day and is back to how it was. Any advice would be great

  I seem to be having a similair issue. I have an AirPort Extreme and my iMac connects fine but now my Kindle and Netflix are unable to connect to the Internet? They see my network but just can't connect to the internet?
  I used to have my cable modem connected to a Vonage phone router, which then connected to my Airport. Everything worked fine then. I recently canceled my Vonage service and removed the phone router. Now my cable modem is connected directly to my Airport. Did removing the phone router casue my problem? Do I need to re-set something to get my kindle and Netflix to work again?

• Guest Portal web page load is slow and timesout on occasions

  Hi All,
  I'm hitting a rather unusual issue with our Guest WLAN users.  Firstly let me describe the topology:-
  2 x 5508 WLC controllers one Foreign and one Anchor.  Mobility tunnel between the two WLC's as the Guest WLAN is on the WLC sitting in the DMZ.
  30+ 2702i AP's running in FlexConnect mode for Dot1X WLAN and Central Switching for Guest WLAN.
  Cisco ISE 1.3 acting as Radius server and providing Authentication and Authorisation policies.
  Dot1x Authentication and Authorisation works fine with Dynamic VLAN assignment based on AD memberships.
  The issue is with the Guest WLAN is that from a security perspective we weren't allowed to use the Central Web Authentication using L2 MAC filtering with the L3 Security of None as described in Cisco Document: 115732.
  So the Guest WLAN has been set up with no L2 security and the L3 Security of Web Policy with Web Authentication to External Server i.e. Cisco ISE and RADIUS override on the Advanced tab of the Guest WLAN.
  So a client connects to the Guest WLAN SSID > receives the DHCP IP address hosted by the Anchor WLC and then one opens a  browser types in the URL and the Security message is presented > Continue to this website (not recommended) selected and the process of receiving the Web Redirect Sign On Web page begins and hangs around forever.
  Depending on the Client i.e. Apple IPAD the sign on page loads correctly although can be slow to start with but a successful login is completed, but with windows clients and MAC Air books there is an issue with the browser either timing out the page and a retry is necessary or we can't move beyond the following page -  https://x.x.x.x:8443/portal /PortalSetup.action?portal=194a5780-5e4e-11e4-b905-005056bf2f0a?switch_url=https://1.1.1.1/login.html&client mac=00:23:4e:86:98:3c&wlan=GUEST&redirect=www.cisco.com/
  Any suggestions would be really appreciated with this as it's creating a lot of frustration.
  Thanks in advance.
  Regards,
  Mark

  Hi Mark,
  Yes Guest Cert will need to be external. Because Guest Users if they have a non-corporate laptop for example will not have your Internal Company Certs installed in their browser (that you loaded onto ISE), so they cannot trust your internal Cert.
  If your open Firefox or IE under Options/Security View Certificates you will see a list, if its a Guest you will see well known public Certs like Geotrust, Verisign etc.
  For my setup I brought a GeoTrust cert and loaded this into ISE, this way Guests will always Trust the Geostrust ISE cert like https://guest.com for example and the login will appear and be trusted.

• ISE CWA redirection problem for Apple devices

  Hi,
  I'm testing some guest scenarios (CWA) in my lab using ISE1.3 and WLC2504 (7.6.130).
  I have noticed that redirection to ISE portal doesn't work for apple devices (iOS 7 and later).All other devices like laptops,androids etc work fine.
  Seems that the workaround on WLC that bypasses the CNA on iDevices doesn't work in my case.The device tries to open the ISE portal and shows just a blank page (attached photo)
  The problem doesn't appear for devices with iOS 6 but only for newer versions.
  I've also tried with version 8.0 on WLC without success.
  Any advise?
  Regards. 

  Captive portal/wispr support for apple ios7
  CSCuj18674
  Description
  Symptom:
  When attempting to access the Guest Portal with an Apple iOS 7 device while the WLC "Captive Portal Bypass" feature is enabled, the web sheet on the device still appears, preventing the user from continuing the flow.
  Conditions:
  The Apple device is running Apple iOS 7.
  Workaround:
  In the ACL on the WLC used for captive portal redirection and exemption of special traffic for the Guest Portal, add exemptions for the IP resources that resolve from "www.appleiphonecell.com" and "captive.apple.com" FQDNs.
  IMPORTANT NOTE: These IP addresses are associated with the FQDNs of "www.appleiphonecell.com" and "captive.apple.com" and are subject to change by the entities hosting those domains. If the IP addresses do change, the ACL would need to reflect that.