06-27-2013 08:05 PM - edited 03-10-2019 08:35 PM
Hi,
I want to implement a BYOD solution on a
WiSM(1) with code 7.0.220 + ISE 1.1.4.
I set it up with http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_61_byod_provisioning.pdf
Because 7.0.220 doesn't support Open + MAC Filtering + RADIUS NAC for dual SSID,
it only supports the single-SSID solution...
It works with iPhone, iPad and Win7,
but Android fails.
Android always shows that it cannot detect the ISE server.
The Android spw.log only logs that it cannot detect ISE.
With Wireshark I see Android send a few packets to its (Android's) default gateway on port 80 and to enroll.cisco.com:80.
It seems the WiSM did not redirect the packets to ISE....??
Has anyone succeeded with single SSID on WiSM (7.0.220) with Android??
06-28-2013 11:43 PM
Hi,
You need to allow tcp 8905 in your acl.
Sent from Cisco Technical Support iPad App
06-30-2013 06:42 PM
Hi,
This is my ACL with the permit for 8905 added:
1. permit tcp 8905 any any
2. permit source ip = (ISE IP) any any
3. permit dest ip = (ISE IP) any any
4. permit dns any any
5. permit dhcp any any
6. permit googleplay any any
7. deny any any
Still not working on Android!!
07-21-2013 01:36 PM
Did you get this to work? The only way I could was to open port 80 to Google and allow some TW IP which users are redirected to when they download the app.
07-21-2013 01:42 PM
Hi,
You are better off opening all access to Google. This is what is recommended by Cisco as well in some of the design guides.
Thanks,
Tarik Admani
*Please rate helpful posts*
07-22-2013 07:53 AM
But even opening all ports to Google, which I don't like, I wasn't able to get this to work. So I did a packet capture and found Google Play didn't have the Wi-Fi supplicant and users were getting redirected to 206.169.145.209, so I had to open access to that. After playing with my ACL I found I only had to open HTTP and HTTPS to Google, which still isn't a solution, since most people use Google as their default search engine and will only be redirected to the device registration page when they try to browse to something outside of Google. You said that Cisco has guides that say you need to open all access to Google; do you have a link? The guides I found didn't mention that but mentioned other ports that I found are not required.
07-22-2013 11:25 PM
Hi,
I will try searching for the guides, and the ports that are in the guide are not accurate, much like you referenced. This was brought up while I was at a partner event at Cisco. If this is a problem with your customer as it is with mine, I create a playbook for onboarding Android users and explicitly explain that users must reach out to yahoo.com to trigger the redirection scenario.
Much like you found with your packet capture, the ports highlighted in the current guides are not accurate to allow sufficient access to the Google Play Store, and most communication is done over 80 and 443.
Thanks,
Tarik Admani
*Please rate helpful posts*
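The behaviour described in the two posts above (browsing to Google bypasses the registration page, while a site such as yahoo.com triggers it) follows from first-match ACL evaluation. The sketch below is an added example, not configuration from any poster or from Cisco: it models the thread's ACL entries in Python, and the ISE address, the yahoo.com address and the /16 reading of 74.125.x.x are constructed placeholders. It assumes, as the thread describes, that HTTP traffic falling through to the final deny is what gets redirected.

```python
import ipaddress

ISE_IP = "192.0.2.10"        # placeholder, the thread never gives the ISE address
YAHOO_IP = "198.51.100.20"   # placeholder standing in for yahoo.com

# (action, protocol, destination network, destination ports or None for any)
ACL = [
    ("permit", "tcp", "0.0.0.0/0", {8905}),           # port named in the thread
    ("permit", "any", f"{ISE_IP}/32", None),          # traffic to ISE
    ("permit", "udp", "0.0.0.0/0", {53}),             # DNS
    ("permit", "udp", "0.0.0.0/0", {67, 68}),         # DHCP
    ("permit", "tcp", "74.125.0.0/16", {80, 443}),    # Google, HTTP/HTTPS only
    ("permit", "any", "206.169.145.209/32", None),    # host seen in the capture
    ("deny", "any", "0.0.0.0/0", None),               # everything else
]

def evaluate(proto, dst_ip, dst_port, acl=ACL):
    """Return (rule number, action) of the first rule that matches the flow."""
    addr = ipaddress.ip_address(dst_ip)
    for number, (action, rule_proto, net, ports) in enumerate(acl, start=1):
        if rule_proto not in ("any", proto):
            continue
        if addr not in ipaddress.ip_network(net):
            continue
        if ports is not None and dst_port not in ports:
            continue
        return number, action
    return None, "deny"  # implicit deny if nothing matched

def http_outcome(dst_ip, acl=ACL):
    """What a pre-auth client sees when it browses to dst_ip over HTTP."""
    _, action = evaluate("tcp", dst_ip, 80, acl)
    # Assumption from the thread: denied HTTP is redirected to registration.
    return "bypasses portal" if action == "permit" else "redirected to registration"

if __name__ == "__main__":
    for name, ip in [("google", "74.125.20.5"), ("yahoo", YAHOO_IP),
                     ("capture host", "206.169.145.209")]:
        print(f"{name:13} {ip:16} {http_outcome(ip)}")
```

Running it shows why a client whose first request goes to a permitted Google address never reaches the registration page until it browses somewhere the ACL denies.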
07-25-2013 06:40 AM
Hi,
It works for downloading the app only..
I allow any any to the Google IP (74.125.x.x) (which is what pinging play.google.com gives from my ISP DNS).
I can download the app and install it,
but the most important part fails:
executing Cisco Network Assistant,
it always shows that it cannot detect the ISE server..
~~
WLC 4400 or WiSM does not support single SSID for Android