07-05-2016 12:31 PM
I am working on a customer PoV in a dual SSID onboarding scenario. The clients connect to the "guest" unencrypted SSID, hit the CWA portal, log in with AD credentials, and onboard the device using the internal CA. This works perfectly on iOS, OSX, and Windows. On Android phones it appears to time out while the client is downloading the Network Assistant app from the Play Store. The user is instructed to download the app, they do so (quickly), but when they launch the app it can't find the ISE server to complete the enrollment process. The user has internet access, and from an ISE perspective it appears as if they completed the guest login. The user must disconnect from wireless, log back in through the CWA portal, then instead of downloading the Network Setup app they just launch it and the enrollment completes.
With all of that being described, is there a way to tune the NSP to provide a longer time for the user to download the application?
07-06-2016 05:33 AM
Did you use Guest device registration?
At the time a user authenticates, even if he is redirected to the BYOD registration, the device is registered in the Endpoint Group. Maybe a new authentication happens on the ISE which leads the device through a MAC-based Guest Endpoint Policy.
07-08-2016 09:41 AM
Brad, how long is the Android flow taking? The user has 10 minutes to complete the process, which is a hardcoded value on the controller. Do you have users taking longer than 10 minutes for the process?
07-08-2016 09:48 AM
Less than 2 minutes. We repeated on multiple devices.
07-08-2016 09:55 AM
From the description, it doesn't look like the timer is involved here. Can you tell me what you see in the live log for the Android endpoint? I am curious to see if there was another event that triggered the endpoint to lose connection to ISE.
07-08-2016 09:58 AM
The device moves into the "guest complete" role we have defined, as if a guest had entered credentials and not an employee (thereby not triggering the BYOD workflow). Disconnect the Android, reconnect, log in to the guest portal again with the credentials, and at the point where it instructs you to download the setup assistant we simply launch it... all is well and the onboarding is successful.
07-08-2016 10:07 AM
OK, looks like there may be conflicting policies if Android devices are getting the guest AuthZ profile prematurely. If you can provide the full policy I may be able to provide a better answer, but for a quick workaround you could simply allow access to ISE for the 'Guest Complete' role, which should provide access to the ISE node to complete the BYOD process without having to re-associate.
07-08-2016 11:03 AM
The “Guest Complete” role does allow access to ISE, in fact there’s no ACL on it during this test. However, the network setup assistant client won’t find the ISE server while the client is in this role.
Thank you,
Brad Landrum
Systems Engineer | Cisco Systems
SNR: 1.770.236.7927
blandrum@cisco.com
https://acecloud.webex.com/meet/blandrum
07-08-2016 11:15 AM
Can you export the policy and share it? If you don't want to share it in this forum, you can send it to my e-mail account howon@cisco.com. Thanks.
07-08-2016 11:25 AM
It’s sitting on a 3515 at a customer’s site in a PoV lab right now. I’ll see about getting a copy of the config.
Thank you,
Brad Landrum
Systems Engineer | Cisco Systems
07-10-2016 11:35 AM
The network setup assistant won't work if there is no ACL.
You need to have a redirect ACL for the app to find ISE and go through provisioning.
Have you looked through the BYOD guides?
07-11-2016 02:38 PM
I understand the requirements. The problem is ISE is issuing a CoA for the client to the WLC while the client is downloading the setup assistant from the Play Store.
Thank you,
Brad Landrum
Systems Engineer | Cisco Systems