Cisco Identity Services Engine

Apple iDevices and OSX Machines Do Not Display ISE or WLC Redirect Page Problem Resolution

Document ID: 116041

Updated: Apr 09, 2013

Contributed by Jesse Dubois, Cisco TAC Engineer.



This document describes how to add a feature to a Cisco Wireless LAN Controller (WLC) that bypasses the Apple Captive Network Assistant (CNA) on iDevices and OS X machines. This feature solves the problem of a redirect page that does not appear.



Cisco recommends that you have knowledge of these topics:

  • Cisco WLC
  • Apple CNA

Components Used

The information in this document is based on these software and hardware versions:

  • Apple iDevices and Apple OS X machines on version 7.1 or higher
  • Cisco WLC, Version or higher

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Refer to Cisco Technical Tips Conventions for information on document conventions.

Background Information

When an Apple iDevice (such as an iPad, iPod, or iPhone) or an Apple OS X machine (on version 7.1 or higher) connects to a wireless network, it sends a request to a success page on the Apple website.

  • If the success page is returned, the device assumes it has network connectivity and no action is taken.
  • If the success page is not returned, an Apple feature called the Captive Network Assistant (CNA) assumes there is a captive portal. CNA then launches a browser to prompt the user with the login page from the captive portal. The CNA browser is limited in function and, when closed, disconnects the device from the wireless network.


The user does not see the configured captive portal page when connected through the Cisco WLC. Instead, the user sees this blank page from the Apple website:


The captive portal can be hosted on either the WLC or on an external server such as a Cisco Identity Services Engine (ISE). Due to the limited capability of the CNA browser, the content of the page cannot be displayed, and a blank page is shown instead. When the blank page is displayed and the CNA browser is closed, the device disconnects from the wireless network and the user cannot open the full browser page and log in.


Version or higher of the Cisco WLC contains a feature that bypasses the CNA feature on Apple devices. This feature is only available in the command-line interface (CLI).

config network web-auth captive-bypass enable

Reboot the controller for this feature to take effect. The next time a device logs onto the wireless network, the user must manually open a browswer to be redirected to the captive portal.

Related Information

Updated: Apr 09, 2013
Document ID: 116041