Cisco Employee

BYOD - CoA timing difference between Android and iPhone

I'm testing ISE BYOD with iPhone/Android phones and everything works fine, but I see some differences below.

For testing purposes, I have only 2 AuthZ policies. (Single SSID, no certificate provisioning)

 

Policy1: If BYOD registered device => Internet Only
Policy2: If MSCHAPv2 => BYOD portal with NSP

 

The difference is below.

1. When testing with an Android phone, the initial onboarding with 802.1x hit policy2 with redirection, and we saw a CoA was issued when clicking 'Go to Google Play xxxx' in Step 3.
This ultimately made the device hit policy1 again, and it can connect to the Internet even without finishing NSA. This means that at this moment, the user can access Google, YouTube, etc.

2. When testing with an iPhone, the initial onboarding with 802.1x hit policy2 with redirection, and when the profile is downloaded in step 3 of 'Apple configuration profile xxxx', there is no CoA issued from ISE. Hence, if the user does not complete the profile installation by going back to 'iPhone General setting', they will always be redirected since they are kept in policy2.

(If I force reconnect to the SSID without installing the profile, the device will hit policy1 and connect to the Internet.)


I understand the policy will not be this open in a real-world use case, but I want to make sure this is normal. Are we supposed to see a CoA when clicking 'Go to Google Play xxx' in use case 1 above?

4 REPLIES
Cisco Employee

Re: BYOD - CoA timing difference between Android and iPhone

Yes.

We usually add another condition -- Session·Device-OS Equals Android -- in Policy rule 1.

Cisco Employee

Re: BYOD - CoA timing difference between Android and iPhone

Hi Hsing Tsu,

Thank you for the response. It's already in there.
The question is that when clicking 'Go to Google Play xxxx' in the BYOD flow, a CoA is seen, and we are not sure if it is expected or not.
(We expected the user to go to NSA and complete all the profile downloads from ISE, and then a CoA is seen to hit policy1.)
Cisco Employee

Re: BYOD - CoA timing difference between Android and iPhone

Likely that CoA is after the device is identified as Android, so you could give it another authorization rule to open up necessary DNSURL rules for the Play Store.

Have you looked at the prescriptive guide under the http://cs.co/ise-byod page?
Cisco Employee

Re: BYOD - CoA timing difference between Android and iPhone

Jason,

I had the same doubts and waited for a while on the screen 'Go to Google Play xxxx'.
If the Profiler (identified as Android) was the reason for the CoA, it would be triggered regardless of clicking the button 'Go to Google Play xxx' or not.
However, the CoA was not seen while I waited for 1 min on that page, and once I clicked it, the CoA was in.

Let me try testing with the Profiling CoA turned off.