cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

3772
Views
2
Helpful
4
Replies
Beginner

Android Devices unable to download BYOD profile

Hi ISE experts

I'm currently facing an issue with the BYOD provisioning for Android devices.

Background: The supplicant policies have already been configured under the authorization policy in ISE. So far, the other devices are provisioning and onboarding without any issue. The Android devices are able to download the Cisco Network Setup Assistant however when trying to download the supplicant profile, an error message stating "Unable to detect Server. Please ensure your network access device is configured to redirect enroll.cisco.com to ISE" On the NSP_GOOGLE_ACL, i have already permitted 72.163.0.0 but still the issue persists.


WLC - 8.0.133

ISE - 2.2 Patch 2


Based on the Android workflow which was published in Using Certificates for Differentiate Access with Cisco Identity Services Engine, the flow stopped as shown in the image below.

Untitled-2.jpg

When checking the spw.log on the android device, it shows that the gateway is unreachable.

2017.08.29 10:27:16 ERROR:java.net.SocketTimeoutException: failed to connect to /10.8.12.1 (port 80) after 2000ms

2017.08.29 10:27:16 ERROR:failed to connect to /10.8.12.1 (port 80) after 2000ms

2017.08.29 10:27:19 ERROR:DiscoverAsynchTask

2017.08.29 10:27:19 ERROR:java.net.SocketTimeoutException: failed to connect to enroll.cisco.com/72.163.1.80 (port 80) after 2000ms

2017.08.29 10:27:19 ERROR:failed to connect to enroll.cisco.com/72.163.1.80 (port 80) after 2000ms

2017.08.29 10:27:19 ERROR:Unable to discover ISE Server

2017.08.29 10:27:19 INFO:Internal system error.

I would like to know if we are actually suppose to use the NSP-ACL-GOOGLE to download the supplicant profile and certificate.

Somehow if the device is on the CWA Redirection ACL , it's able to download the supplicant profile without any issues.

Has anyone experienced this issue before?

Thanks

Regards

Ryan

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Android Devices unable to download BYOD profile

Ryan, I would suggest removing the ACE permitting traffic to enroll.cisco.com or 72.163.0.0/16 from the NSP_GOOGLE_ACL. I know it sounds counter intuitive, but when it reads 'Please ensure your network access device is configured to redirect enroll.cisco.com to ISE', it is asking you to configure the ACL so the traffic to enroll.cisco.com gets denied by the redirect ACL and gets redirected to the ISE per redirect process on the network device. By removing the line, you are letting the implicit deny take care of it. As you can see that is why the CWA ACL works as it is denying the traffic to the enroll.cisco.com. This is how client application like NSP or AnyConnect posture module finds the correct ISE node.

4 REPLIES 4
Cisco Employee

Re: Android Devices unable to download BYOD profile

Ryan, I would suggest removing the ACE permitting traffic to enroll.cisco.com or 72.163.0.0/16 from the NSP_GOOGLE_ACL. I know it sounds counter intuitive, but when it reads 'Please ensure your network access device is configured to redirect enroll.cisco.com to ISE', it is asking you to configure the ACL so the traffic to enroll.cisco.com gets denied by the redirect ACL and gets redirected to the ISE per redirect process on the network device. By removing the line, you are letting the implicit deny take care of it. As you can see that is why the CWA ACL works as it is denying the traffic to the enroll.cisco.com. This is how client application like NSP or AnyConnect posture module finds the correct ISE node.

Beginner

Re: Android Devices unable to download BYOD profile

Hi Howon

Thanks for your response. I've tried the following and I was able to obtain the supplicant profile from ISE after that.

Best regards

Ryan

Enthusiast

Re: Android Devices unable to download BYOD profile

Hi;

I get the same "Unable to detect Server. Please ensure your network access device is configured to redirect enroll.cisco.com to ISE" message. But my ACL on WLC has already denied everything, including traffic to "enroll.cisco.com".

ise6.png

I Also permitted every traffic between that network destined everywhere. So why do I get this message on my Android device?

VIP Advocate

Re: Android Devices unable to download BYOD profile

Hello @ciscoworlds - did you ever solve the issue with the Android BYOD onboarding not working?