topic Re: BYOD device stuck in pending state and device removal in Network Access Control

BYOD device stuck in pending state and device removal

Madura Malwatte — Thu, 11 Oct 2018 12:59:12 GMT

I have this issue and some unexpected behaviour with byod.

First when I go through the byod registration processes everything seems well and after I complete registration, I hit the correct authz policy (byod registered + compliant), I do the temporal agent install and posture check as well. My device gets full access as expected. However if in the mydevices portal the device is always in pending state. It never transitions to registered state, even though device has done CoA to the correct authz policy.

the question is how do I go about removing a device? the only option I have is "delete", when I do this, device is deleted, but the native dot1x settings remain on the device (which was configured by the windwos sp wizard), so when the device connects to the network again, im getting pushed into my dot1x policy (obviously because the dot1x is still enabled on the device) and then hitting the default policy which takes me to a dead end. The device can never hit the portal and try to register itself again.

I guess trying to "delete" a byod device is not the correct way to go? Would doing "unenroll" actually remove the dot1x settings from the device, so when it tried to connect to the network will hit my mab policy and then get the web auth redirect?

Questions:

1. Why is the device stuck in "pending" state and never transition to "registered" even though the registration process seems to have worked correctly?

2. How can I get the device to hit the portal and go through registration again if it is deleted or removed as a byod registered device?

Re: BYOD device stuck in pending state and device removal

Jason Kunst — Thu, 11 Oct 2018 13:22:58 GMT

Please review the guide on proper policies

https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867

Pending state is a cosmetic issue and doesn’t affect operation

Re: BYOD device stuck in pending state and device removal

Madura Malwatte — Thu, 11 Oct 2018 14:07:59 GMT

Thanks Jason, but I have been through this guide. I'm testing wired on-boarding by the way. I had waited a few hours and still the device was in pending state. (it mentions 20 minutes to transition in the guide).

Also there is no mention on correct removal process of registered device so it can re-register.

Re: BYOD device stuck in pending state and device removal

Jason Kunst — Thu, 11 Oct 2018 14:57:58 GMT

Pending is cosmetic issue unfortunately

Please remember this solution is not an EMM/MDM management product. It’s a way to onboard personal devices that you have no controls over. Because of this there is no way to remove through ISE the supplicant and certificate provisioned on the device. This is a manual process of removing the supplicant settings using that cert and is different depending on the device type and OS version.

If you remove an endpoint from ISE BYODRegistered state or group then you can force them through authorization.
This will also force them through if you remove the certificate from the endpoint or revoked the certificate as its not valid anymore
PEAP > TLS network
Example authorization profiles
if BYODRegistered and EAP-TLS certificate valid then permit access
if PEAP then redirect to onboarding flow

OPEN > TLS network
if BYODRegistered and EAP-TLS certificate valid then permit access
otherwise redirect to guest portal

Re: BYOD device stuck in pending state and device removal

Madura Malwatte — Thu, 11 Oct 2018 15:48:58 GMT

Hi Jason,

Thanks for confirming the behaviour. So seems in pending state the unenroll
and unregister options are not available?

Great, this is what I was looking for, a way to force through
authorization. I'll give it a go!

Re: BYOD device stuck in pending state and device removal

Jason Kunst — Thu, 11 Oct 2018 15:51:58 GMT

There is no unenroll or unregister options, you can either mark a device as lost or stolen correct? Are you talking about integrating with MDM state as well?

Re: BYOD device stuck in pending state and device removal

Madura Malwatte — Thu, 11 Oct 2018 15:52:52 GMT

Also is there a bug ID for the pending cosmetic issue?

Re: BYOD device stuck in pending state and device removal

Jason Kunst — Thu, 11 Oct 2018 15:54:58 GMT

Yes there are several I believe

Re: BYOD device stuck in pending state and device removal

jdurkin — Wed, 11 Dec 2019 20:49:23 GMT

What is BugID? I can't find it.

Jim