https://community.cisco.com/t5/network-access-control/byod-broken-with-android-10-wireless-randomised-mac/m-p/4009322#M454670 <P>First, disabling the ISE policy authorisation condition <STRONG>MAC_in_SAN</STRONG> is not an option. This is part of the security and the only way to check the identity of the client device.</P><P>&nbsp;</P><P>I have a fix for a Dual SSID BYOD solution, it's not pretty but it does work on my OnePlus Android. Here is a summary of the process.</P><P>&nbsp;</P><H1>Devices that currently use a BYOD service.</H1><P>Devices that currently use a BYOD service (with certificates) but have or want to upgrade to Android 10 will have to re-on-board.</P><P>The following menu options may be different on different Android devices but the principle is the same.</P><H2>Before you re-on-board</H2><OL><LI>Forget both the Open and 802.1X SSID networks on your android device.</LI><LI>Remove the network user credentials.</LI><LI>On the phone: <STRONG>Settings -&gt; Security -&gt; Advanced -&gt; Encryption -&gt; Clear Credentials</STRONG>.</LI></OL><P><EM>It is recommended to restart the device.</EM></P><H1>To on-board with Android 10</H1><OL><LI>Connect to 802.1X SSID. It will fail to connect but should then show as a <STRONG>Saved</STRONG> network which should allow you to change its configuration. Configure it to “Use device MAC” (probably under Advanced -&gt; Privicy option).</LI><LI>Connect to Open SSID and configure it to “Use device MAC”</LI><LI>Now disconnect then re-connect to the Open SSID to ensure it now uses the device MAC (perhaps try connecting and disconnecting to another SSID) and proceed with the on-boarding process.</LI><LI>Manually configure the 802.1X SSID with EAP Method (TLS), Certificates (CA and User) and Identity (AD username)</LI></OL><P>Hope this helps others.</P> Fri, 10 Jan 2020 10:16:43 GMT Scott Gillies 2020-01-10T10:16:43Z https://community.cisco.com/t5/network-access-control/byod-broken-with-android-10-wireless-randomised-mac/m-p/4008000#M454668 <P>I have just upgraded my OnePlus 6 to Android 10. It has broken my EAPTLS BYOD service because it now automatically uses Randomised MAC when connecting to wireless networks.</P><P>My ISE authorisation policy includes the condition "MAC_in_SAN" which my device now fails on. Remove the condition and it works.</P><P>Now you can actually configure it to "Use device MAC" but the default is "Use randomised MAC (default)" <FONT size="4" color="#FF0000"><STRONG>BUT</STRONG> </FONT>To add insult to injury the upgrade has also changed my device Wireless MAC address which also breaks the "MAC_in_SAN" policy condition.</P><P>&nbsp;</P><P>Do Cisco have any guidance on this?</P> Thu, 10 Mar 2022 07:25:53 GMT https://community.cisco.com/t5/network-access-control/byod-broken-with-android-10-wireless-randomised-mac/m-p/4008000#M454668 Scott Gillies 2022-03-10T07:25:53Z https://community.cisco.com/t5/network-access-control/byod-broken-with-android-10-wireless-randomised-mac/m-p/4008252#M454669 <P>That is correct, with Android 10 BYOD registered and MAC-in-SAN condition will not work. What you have is what we recommend. <A href="https://community.cisco.com/t5/security-documents/ise-byod-endpoint-notes/ta-p/3857246#toc-hId--1243681234" target="_blank">https://community.cisco.com/t5/security-documents/ise-byod-endpoint-notes/ta-p/3857246#toc-hId--1243681234</A></P> <P>&nbsp;</P> Wed, 08 Jan 2020 16:35:41 GMT https://community.cisco.com/t5/network-access-control/byod-broken-with-android-10-wireless-randomised-mac/m-p/4008252#M454669 howon 2020-01-08T16:35:41Z https://community.cisco.com/t5/network-access-control/byod-broken-with-android-10-wireless-randomised-mac/m-p/4009322#M454670 <P>First, disabling the ISE policy authorisation condition <STRONG>MAC_in_SAN</STRONG> is not an option. This is part of the security and the only way to check the identity of the client device.</P><P>&nbsp;</P><P>I have a fix for a Dual SSID BYOD solution, it's not pretty but it does work on my OnePlus Android. Here is a summary of the process.</P><P>&nbsp;</P><H1>Devices that currently use a BYOD service.</H1><P>Devices that currently use a BYOD service (with certificates) but have or want to upgrade to Android 10 will have to re-on-board.</P><P>The following menu options may be different on different Android devices but the principle is the same.</P><H2>Before you re-on-board</H2><OL><LI>Forget both the Open and 802.1X SSID networks on your android device.</LI><LI>Remove the network user credentials.</LI><LI>On the phone: <STRONG>Settings -&gt; Security -&gt; Advanced -&gt; Encryption -&gt; Clear Credentials</STRONG>.</LI></OL><P><EM>It is recommended to restart the device.</EM></P><H1>To on-board with Android 10</H1><OL><LI>Connect to 802.1X SSID. It will fail to connect but should then show as a <STRONG>Saved</STRONG> network which should allow you to change its configuration. Configure it to “Use device MAC” (probably under Advanced -&gt; Privicy option).</LI><LI>Connect to Open SSID and configure it to “Use device MAC”</LI><LI>Now disconnect then re-connect to the Open SSID to ensure it now uses the device MAC (perhaps try connecting and disconnecting to another SSID) and proceed with the on-boarding process.</LI><LI>Manually configure the 802.1X SSID with EAP Method (TLS), Certificates (CA and User) and Identity (AD username)</LI></OL><P>Hope this helps others.</P> Fri, 10 Jan 2020 10:16:43 GMT https://community.cisco.com/t5/network-access-control/byod-broken-with-android-10-wireless-randomised-mac/m-p/4009322#M454670 Scott Gillies 2020-01-10T10:16:43Z https://community.cisco.com/t5/network-access-control/byod-broken-with-android-10-wireless-randomised-mac/m-p/4009668#M454671 <P>The randomized mac should be a setting in the wireless/advanced. Can't you just turn it off?</P> Fri, 10 Jan 2020 20:20:00 GMT https://community.cisco.com/t5/network-access-control/byod-broken-with-android-10-wireless-randomised-mac/m-p/4009668#M454671 Dustin Anderson 2020-01-10T20:20:00Z