https://community.cisco.com/t5/network-access-control/issues-deauthenticating-android-tv-in-ise/m-p/4192801#M564144 <P>Hi,</P><P>&nbsp;</P><P>We have several Android TVs (OS Android 7.1.2 ) where 6 months after installed the TV were deauthenticated. TVs were connected by wifi but with no internet access. TVs needed to enter the credential WIFI again to work on internet.</P><P>&nbsp;</P><P>TVs are connected to WLC and send radius requests to ISE (MAB).</P><P>&nbsp;</P><P>In ISE Radius report, i can see like the day which stop internet the "endpoint profile" changes from ANDROID to UNKNOWN. it could be the trigge??</P><P>&nbsp;</P><P>Is there any session time for 6 months configure in ISE or WLC?</P><P>&nbsp;</P><P>any idea?</P> Thu, 03 Dec 2020 14:33:06 GMT SupportAC 2020-12-03T14:33:06Z https://community.cisco.com/t5/network-access-control/issues-deauthenticating-android-tv-in-ise/m-p/4192801#M564144 <P>Hi,</P><P>&nbsp;</P><P>We have several Android TVs (OS Android 7.1.2 ) where 6 months after installed the TV were deauthenticated. TVs were connected by wifi but with no internet access. TVs needed to enter the credential WIFI again to work on internet.</P><P>&nbsp;</P><P>TVs are connected to WLC and send radius requests to ISE (MAB).</P><P>&nbsp;</P><P>In ISE Radius report, i can see like the day which stop internet the "endpoint profile" changes from ANDROID to UNKNOWN. it could be the trigge??</P><P>&nbsp;</P><P>Is there any session time for 6 months configure in ISE or WLC?</P><P>&nbsp;</P><P>any idea?</P> Thu, 03 Dec 2020 14:33:06 GMT https://community.cisco.com/t5/network-access-control/issues-deauthenticating-android-tv-in-ise/m-p/4192801#M564144 SupportAC 2020-12-03T14:33:06Z https://community.cisco.com/t5/network-access-control/issues-deauthenticating-android-tv-in-ise/m-p/4193166#M564158 <P>A couple of things to consider: Take a peek at your global profiling coa setting to see if you have it set to reauth after an endpoint profile change (Administration-&gt;System-&gt;Settings-&gt;Profiling).&nbsp; Here are your options:</P> <UL class="ul"> <LI id="ID481__li_5717B05BA9DC4C49BAACDE78AC0F8F29" class="li"> <P class="p SBu1_StepBullet1-7D351ED8"><STRONG id="ID481__ID492" class="ph b B_Bold-7204837A">No CoA</STRONG><SPAN>&nbsp;</SPAN>(default)—You can use this option to disable the global configuration of CoA. This setting overrides any configured CoA per endpoint profiling policy. If the goal is only visibility, retain the default value as<SPAN>&nbsp;</SPAN><SPAN class="ph uicontrol">No CoA</SPAN>.</P> </LI> <LI id="ID481__li_1A25C7CCF4A8431C9B052C8B7423DB45" class="li"> <P class="p SBu1_StepBullet1-7D351ED8"><STRONG id="ID481__ID495" class="ph b B_Bold-7204837A">Port Bounce</STRONG>—You can use this option, if the switch port exists with only one session. If the port exists with multiple sessions, then use the Reauth option. If the goal is to immediately update the access policy based on profile changes, select the<SPAN>&nbsp;</SPAN><STRONG id="ID481__ID495_d575e76a1310" class="ph b B_Bold-7204837A">Port Bounce</STRONG><SPAN>&nbsp;</SPAN>option, this will ensure that any clientless endpoints is reauthorized, and IP address is refreshed, if required.</P> </LI> <LI id="ID481__li_614E65FE01C5420B98E33B6226CE6677" class="li"> <P class="p SBu1_StepBullet1-7D351ED8"><STRONG id="ID481__ID498" class="ph b B_Bold-7204837A">Reauth</STRONG>—You can use this option to enforce reauthentication of an already authenticated endpoint when it is profiled. Select the<SPAN>&nbsp;</SPAN><STRONG id="ID481__ID498_d575e87a1310" class="ph b B_Bold-7204837A">Reauth</STRONG><SPAN>&nbsp;</SPAN>option, if no VLAN or address change is expected following the reauthorization of the current session.</P> </LI> </UL> <P>I would recommend identifying unique attributes you can utilize to create a custom profile for your android tvs.&nbsp; Make sure you set the MCF higher to ensure the tvs get properly profiled and eliminate the possibility of profile changes.&nbsp; See here for assistance:&nbsp;<A href="https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456" target="_blank" rel="noopener">https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456</A></P> <P>HTH!</P> Fri, 04 Dec 2020 02:19:40 GMT https://community.cisco.com/t5/network-access-control/issues-deauthenticating-android-tv-in-ise/m-p/4193166#M564158 Mike.Cifelli 2020-12-04T02:19:40Z