Adjust BYOD workflow timers for Android

blandrum
Cisco Employee

I am working on a customer PoV in a dual SSID onboarding scenario. The clients connect to the "guest" unencrypted SSID, hit CWA portal, log in with AD credentials, onboard the device using the internal CA. This works perfectly on iOS, OSX, and Windows. On Android phones it appears to time out while the client is downloading the Network Assistant app from the Play Store. The user is instructed to download the app, they do so (quickly), but when they launch the app it can't find the ISE server to complete the enrollment process. The user has internet access, and from an ISE perspective it appears as if they completed the guest login. The user must disconnect from wireless, log back in through the CWA portal, then instead of downloading the Network Setup app they just launch it and the enrollment completes.

With all of that being described, is there a way to tune the NSP to provide a longer time for the user to download the application?

1 Accepted Solution

OK, looks like there may be conflicting policies if Android devices are getting the guest AuthZ profile prematurely. If you can provide the full policy I may be able to provide a better answer, but for a quick workaround you could simply allow access to ISE to the 'Guest Complete' role, which should provide access to the ISE node to complete the BYOD process without having to re-associate.

11 Replies

Oliver Laue
Level 4

Did you use Guest device registration?

At the time a user authenticates, even if he is redirected to the BYOD registration, the device is registered in the Endpoint Group. Maybe a new authentication happens on the ISE which leads the device through a MAC-based Guest Endpoint Policy.

howon
Cisco Employee

Brad, how long is the Android flow taking? The user has 10 minutes to complete the process, which is a hardcoded value on the controller. Do you have users taking longer than 10 minutes for the process?

Less than 2 minutes. We repeated on multiple devices.

From the description it doesn't look like the timer is involved here. Can you tell me what you see in the live log for the Android endpoint? I am curious to see if there was another event that triggered the endpoint to lose connection to ISE.

The device moves into the "guest complete" role we have defined, as if a guest had entered credentials and not an employee (thereby not triggering the BYOD workflow). Disconnect the Android, reconnect, log in to the guest portal again with the credentials and at the point where it instructs you to download the setup assistant we simply launch it... all is well and the onboarding is successful.

OK, looks like there may be conflicting policies if Android devices are getting the guest AuthZ profile prematurely. If you can provide the full policy I may be able to provide a better answer, but for a quick workaround you could simply allow access to ISE to the 'Guest Complete' role, which should provide access to the ISE node to complete the BYOD process without having to re-associate.

The “Guest Complete” role does allow access to ISE, in fact there’s no ACL on it during this test. However, the network setup assistant client won’t find the ISE server while the client is in this role.

Thank you,

Brad Landrum

Systems Engineer | Cisco Systems

SNR: 1.770.236.7927

blandrum@cisco.com

https://acecloud.webex.com/meet/blandrum

Can you export the policy and share it? If you don't want to share it in this forum, you can send it to my e-mail account howon@cisco.com. Thanks.

It’s sitting on a 3515 at a customer’s site in a PoV lab right now. I’ll see about getting a copy of the config.


The network setup assistant won't work if there is no ACL.

You need to have a redirect ACL for the app to find ISE and go through provisioning.

Have you looked through the BYOD guides?

ISE BYOD & EMM / MDM

I understand the requirements. The problem is ISE is issuing a CoA for the client to the WLC while the client is downloading the setup assistant from the Play Store.
