Cisco Employee

Adjust BYOD workflow timers for Android

I am working on a customer PoV in a dual SSID onboarding scenario. The clients connect to the "guest" unencrypted SSID, hit the CWA portal, log in with AD credentials, and onboard the device using the internal CA. This works perfectly on iOS, OSX, and Windows. On Android phones it appears to time out while the client is downloading the Network Assistant app from the Play Store. The user is instructed to download the app, they do so (quickly), but when they launch the app it can't find the ISE server to complete the enrollment process. The user has internet access, and from an ISE perspective it appears as if they completed the guest login. The user must disconnect from wireless, log back in through the CWA portal, then instead of downloading the Network Setup app they just launch it and the enrollment completes.

With all of that being described, is there a way to tune the NSP to provide a longer time for the user to download the application?

Accepted Solutions
Cisco Employee

Re: Adjust BYOD workflow timers for Android

OK, looks like there may be conflicting policies if Android devices are getting the guest AuthZ profile prematurely. If you can provide the full policy I may be able to provide a better answer, but for a quick workaround you could simply allow access to ISE to the 'Guest Complete' role, which should provide access to the ISE node to complete the BYOD process without having to re-associate.

Enthusiast

Re: Adjust BYOD workflow timers for Android

Did you use Guest device registration?

At the time a user authenticates, even if he is redirected to the BYOD registration, the device is registered in the Endpoint Group. Maybe a new authentication happens on the ISE which leads the device through a MAC-based Guest Endpoint Policy.

Cisco Employee

Re: Adjust BYOD workflow timers for Android

Brad, how long is the Android flow taking? The user has 10 minutes to complete the process, which is a hardcoded value on the controller. Do you have users taking longer than 10 minutes for the process?

Cisco Employee

Re: Adjust BYOD workflow timers for Android

Less than 2 minutes. We repeated on multiple devices.


Cisco Employee

Re: Adjust BYOD workflow timers for Android

From the description, it doesn't look like the timer is involved here. Can you tell me what you see in the live log for the Android endpoint? I am curious to see if there was another event that triggered the endpoint to lose connection to ISE.

Cisco Employee

Re: Adjust BYOD workflow timers for Android

The device moves into the "guest complete" role we have defined, as if a guest had entered credentials and not an employee (thereby not triggering the BYOD workflow). Disconnect the Android, reconnect, log in to the guest portal again with the credentials, and at the point where it instructs you to download the setup assistant we simply launch it... all is well and the onboarding is successful.


Cisco Employee

Re: Adjust BYOD workflow timers for Android

OK, looks like there may be conflicting policies if Android devices are getting the guest AuthZ profile prematurely. If you can provide the full policy I may be able to provide a better answer, but for a quick workaround you could simply allow access to ISE to the 'Guest Complete' role, which should provide access to the ISE node to complete the BYOD process without having to re-associate.

Cisco Employee

Re: Adjust BYOD workflow timers for Android

The “Guest Complete” role does allow access to ISE, in fact there’s no ACL on it during this test. However, the network setup assistant client won’t find the ISE server while the client is in this role.

Thank you,

Brad Landrum

Systems Engineer | Cisco Systems

SNR: 1.770.236.7927

blandrum@cisco.com

https://acecloud.webex.com/meet/blandrum

Cisco Employee

Re: Adjust BYOD workflow timers for Android

Can you export the policy and share it? If you don't want to share it in this forum, you can send it to my e-mail account howon@cisco.com. Thanks.

Cisco Employee

Re: Adjust BYOD workflow timers for Android

It’s sitting on a 3515 at a customer’s site in a PoV lab right now.  I’ll see about getting a copy of the config.

Thank you,

Brad Landrum

Systems Engineer | Cisco Systems

Cisco Employee

Re: Adjust BYOD workflow timers for Android

The network setup assistant won't work if there is no ACL.

You need to have a redirect ACL for the app to find ISE and go through provisioning.

Have you looked through the BYOD guides?

ISE BYOD & EMM / MDM

Cisco Employee

Re: Adjust BYOD workflow timers for Android

I understand the requirements. The problem is ISE is issuing a CoA for the client to the WLC while the client is downloading the setup assistant from the Play Store.

Thank you,

Brad Landrum

Systems Engineer | Cisco Systems