Unfortunately both iOS and Android now restrict the capabilities of their captive-portal pop-up browsers, effectively limiting them to a simple MAC authentication: they cannot download files, and HSTS even prevents redirects. To work around this, we have identified one method that avoids these restrictions. It is not a clean-cut solution, but still worthwhile IMO, and we are evaluating adding it as a config option in Cloudpath itself.
Below are the high-level steps:
The benefit of the above is that, since we only do MAC auth initially, the CNA browser works fine. Once the MAC is registered, the AP/controller drops the firewall and redirects the user to workflow 2 for TLS onboarding. Since the device is now allowed access (with a session timeout of about 5 minutes), it should automatically redirect to a full browser, where the user can complete the TLS onboarding. Android users get a Continue button that redirects them to workflow 2 automatically in a full browser.
All of this is transparent to the end user: their experience is like a single workflow, and it avoids the whitelist, HSTS redirection and CNA browser issues, so it solves all three. It is a bit cumbersome to set up, and there could be timing issues between the MAC auth completing and the TLS onboarding finishing within that session window, but the benefits far outweigh the cons.
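To make the handoff and its timing caveat concrete, here is an added toy model of the two-workflow flow (example code written for this note, not Cloudpath or Ruckus code). It assumes three per-MAC firewall states on the controller (blocked, MAC-authenticated with a temporary session, fully onboarded), a 5-minute session window as quoted above, and a portal router that serves workflow 1 to a CNA browser and workflow 2 only to a full browser; the MAC address and the browser-type flag are constructed inputs. If TLS onboarding takes longer than the session window, the device falls back to the captive state, which is the timing issue the text warns about.

```python
"""Toy model of the MAC-auth -> TLS-onboarding handoff (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum

MAC_AUTH_SESSION_SECONDS = 5 * 60  # assumption: the ~5 minute window quoted above


class Access(Enum):
    BLOCKED = "blocked"        # captive: only the portal is reachable
    MAC_AUTH = "mac_auth"      # MAC registered, temporary session open
    ONBOARDED = "onboarded"    # TLS certificate issued, full access


@dataclass
class Controller:
    """Minimal stand-in for the AP/controller firewall state, keyed by client MAC."""
    clock: float = 0.0
    sessions: dict = field(default_factory=dict)   # mac -> (Access, expiry)

    def state(self, mac):
        access, expiry = self.sessions.get(mac, (Access.BLOCKED, None))
        if access is Access.MAC_AUTH and self.clock >= expiry:
            # temporary window elapsed without TLS onboarding: back to captive
            self.sessions[mac] = (Access.BLOCKED, None)
            return Access.BLOCKED
        return access

    def register_mac(self, mac):
        # workflow 1 completed: open the short-lived session
        self.sessions[mac] = (Access.MAC_AUTH, self.clock + MAC_AUTH_SESSION_SECONDS)

    def mark_onboarded(self, mac):
        # workflow 2 completed: certificate issued, session no longer expires
        self.sessions[mac] = (Access.ONBOARDED, None)

    def advance(self, seconds):
        self.clock += seconds


def route(controller, mac, in_cna_browser):
    """Decide which workflow the portal serves. Returns (workflow, action)."""
    access = controller.state(mac)
    if access is Access.BLOCKED:
        return ("workflow1", "mac_auth")          # CNA can do this part
    if access is Access.MAC_AUTH:
        if in_cna_browser:
            # CNA cannot download certs or follow HSTS redirects: hand off
            return ("workflow1", "open_full_browser")
        return ("workflow2", "tls_onboard")
    return ("done", "allow")


def run_onboarding(tls_duration_seconds):
    """Simulate one device through both workflows; returns its final Access."""
    ctl = Controller()
    mac = "aa:bb:cc:dd:ee:ff"   # constructed sample MAC
    wf, action = route(ctl, mac, in_cna_browser=True)
    assert (wf, action) == ("workflow1", "mac_auth")
    ctl.register_mac(mac)
    # device leaves the CNA and reopens the portal in a full browser
    wf, action = route(ctl, mac, in_cna_browser=False)
    if action != "tls_onboard":
        return ctl.state(mac)
    ctl.advance(tls_duration_seconds)   # time the user takes to finish TLS onboarding
    if ctl.state(mac) is Access.MAC_AUTH:
        ctl.mark_onboarded(mac)
    return ctl.state(mac)


if __name__ == "__main__":
    print("fast onboarding ->", run_onboarding(60).value)
    print("slow onboarding ->", run_onboarding(400).value)
```

Running it shows a 60-second onboarding ending in the onboarded state, while a 400-second one expires the MAC-auth session first and drops the client back to blocked; in practice that means the session timeout must comfortably cover the time a user needs to complete workflow 2.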
Stay tuned for CP 5.4, which will have a cleaner solution for the iOS and Android behavior changes.