Monday, April 26, 2021

Cisco ISE and Cisco WLC

Hello all,

I am unsure if this is the right place to put this, so if it isn't, please let me know a better place to put it.

At my job, we are having an issue with iPhones (maybe all Apple devices, but I'm not sure), Cisco ISE, and Cisco WLC 5520.

We have an SSID named "X-Wifi" that is used for employees to connect their personal devices so that they can get Internet access. The SSID is set up to go through a Guest Flow in ISE, and the employee gets a browser re-direct to ISE asking them to authenticate themselves using their AD credentials.

ISE is set up so that the employees are required to re-authenticate themselves every 30 days. On Android phones, this works fine. Every 30 days, the Android phone user gets redirected to ISE, where they enter their AD credentials again, and they get Internet access again. On iPhones, this re-authentication process does not work. After 30 days, the iPhone user does not get re-directed to ISE, so they never re-authenticate, so they lose Internet access.

The work-around that we have been using is to have the iPhone user Forget the X-Wifi network, and then re-connect to it. Once they re-connect to it, they get the browser redirect to ISE requesting that they enter their AD credentials.

We use ISE version 2.4.0.357 Patch 11, and WLC 5520 version 8.10.112.0.

I thought that it was caused by Apple's CNA feature; however, everything I have seen on it says that the initial re-direct won't work if that is causing the issue. Also, I read that the fix for that issue is disabling captive portal bypass on the WLC, which is disabled at the global level, and the WLAN level is set to None.


