This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I'm testing ISE BYOD with iphone/android phone and everything works fine but see some difference below.
For testing purpose, I have 2 AuthZ policy only. (Single SSID, No Certificate provisioning)
Policy1: If BYOD registered device => Internet Only
Policy2: If MSCHAPv2 => BYOD portal with NSP
The difference is below.
1. When testing with Android phone, initial onboarding with 802.1x hit policy2 with redirection and we saw COA was issued when clicking 'Go to Google Play xxxx' in Step 3.
This ultimately made the device hit policy1 again and can connect to the Internet even without finishing NSA. Meaning at this moment, user can access google,youtube etc.
2. When testing with iphone, initial onboarding with 802.1x hit policy2 with redirection and when profile is downloaded in step 3 of 'Apple configuration profile xxxx', there is no COA issued from ISE and hence if user does not complete the profile installation by going back to 'iphone General setting', they will always be redirected since being kept in policy2.
(If I force reconnect to the SSID without installing the profile, the device will hit policy1 and connect to the Internet.)
I understand the policy will not be such open in real-world usecase but want to make sure if this is normal. Is it supposed to see COA when clicking 'Go to Google Play xxx' in usecase 1 above?
I had the same doubts and waited for a while in the screen 'Go to Google Play xxxx'.
If Profiler (identified as android) was the reason of COA, it would be triggered regardless clicking the button 'Go to Google Play xxx' or not.
However COA was not seen as I waited for 1min in that page and as long as clicking it, COA was in.
Let me try to test with turning off the Profiling COA.