FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 191132

Description


This article describes troubleshooting steps for an issue where iPhones with a cellular data connection are not redirected to the captive portal. It also provides steps to verify the FortiNAC Captive Network Assistant configuration.

 
Scope
 
Any supported version of FortiNAC.


Solution

 

When an iPhone is isolated, it may not be redirected by FortiNAC to the captive portal if there is a cellular data connection. Disabling cellular data causes the redirect to work immediately.

This behavior can occur when the iPhone feature 'Wi-Fi Assist' activates and automatically switches the phone to cellular data instead of Wi-Fi.  For more information, see the following Apple article: https://support.apple.com/en-us/HT205296.
 
As noted in the above article, this feature is enabled by default.


1) Workaround:

 

Option 1: Turn off Wi-Fi Assist.
Option 2: Turn off Cellular data.
Option 3: Enable the Captive Network Assistant feature, which automatically displays a popup page when connecting to an SSID. For details and configuration instructions, refer to Enabling Captive Network Assistant in the Fortinet Document Library.

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/dea9b457-b3cd-11e9-a989-005056...

 

When enabling the Captive Network Assistant and performing the relevant configuration as described, it is necessary to save the configuration.

 

The 'Save' button alone is insufficient, since it does not restart the web service or apply the configured rules. Use the 'Publish' button described in step 2) e) below.

 

2) Validate FortiNAC configuration when the portal does not appear on iPhone devices:

 

a) Go to System -> Scheduler and select 'Auto-Definition Synchronizer', then select 'Run now':
https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/67789/auto-definition-updates

b) Perform an OS update from the FortiNAC CLI:


# yum -y update

 

c) Go to Network -> Settings -> Control -> Allowed Domains.

Remove any domains related to iCloud or Apple such as the following:

 

icloud.com
apple.com
akamaiedge.net
akamaitechnologies.com
appleiphonecell.com
www.airport.us
edgekey.net
aaplimg.com
akadns.net

 

d) Double-check the steps were correctly followed for CNA for iPhones. See pages 7-9 in the following guide:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/8b7c4f99-1e56-11ed-9eba-fa163e...

e) After completing the previous steps:

Go to Portal SSL -> Request Processing Rules. Select the 'Publish' button in the top right to apply the configuration.

The publish process automatically sorts the configured rules, writes them to Apache and restarts the portal web server. After that, the captive portal should appear automatically for iPhone users, depending on the configuration.
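
To make the check in step c) repeatable, the following added example (not Fortinet code) audits a copy of the Allowed Domains list against the domains named in this article. It assumes the list was copied from the GUI into plain text, one entry per line, and that a subdomain or wildcard of a listed domain counts as related; the function names and the sample list are constructed for illustration.

```python
# Added example: flag Allowed Domains entries related to the domains in step c).
# Assumption: entries were copied from the GUI into plain text, one per line.

# Domains named in step c) of this article.
APPLE_RELATED = (
    "icloud.com", "apple.com", "akamaiedge.net", "akamaitechnologies.com",
    "appleiphonecell.com", "www.airport.us", "edgekey.net", "aaplimg.com",
    "akadns.net",
)


def normalize(entry):
    """Lower-case an entry; drop whitespace, a trailing root dot and a '*.' prefix."""
    host = entry.strip().lower().rstrip(".")
    return host.lstrip("*.")


def matches(host, domain):
    """True if host equals domain or is a subdomain of it (label boundary only)."""
    return host == domain or host.endswith("." + domain)


def find_apple_entries(lines):
    """Return (line_number, entry, matched_domain) for each entry to remove."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        entry = raw.strip()
        if not entry:
            continue
        host = normalize(entry)
        for domain in APPLE_RELATED:
            if matches(host, domain):
                hits.append((number, entry, domain))
                break
    return hits


# Constructed sample list, not taken from a real FortiNAC system.
SAMPLE = [
    "windowsupdate.com",
    "captive.apple.com",
    "*.iCloud.com",
    "notapple.com",                  # must not match: no label boundary
    "e6858.dsce9.akamaiedge.net.",
]

if __name__ == "__main__":
    for number, entry, domain in find_apple_entries(SAMPLE):
        print(f"line {number}: remove '{entry}' (matches {domain})")
```
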

 

Related article:

https://community.fortinet.com/t5/FortiNAC/Technical-Note-Troubleshooting-Automatic-Captive-Portal/t...
