First, disabling the ISE policy authorisation condition MAC_in_SAN is not an option. This is part of the security and the only way to check the identity of the client device.
I have a fix for a Dual SSID BYOD solution; it's not pretty, but it does work on my OnePlus Android. Here is a summary of the process.
Devices that currently use a BYOD service.
Devices that currently use a BYOD service (with certificates) but have or want to upgrade to Android 10 will have to re-on-board.
The following menu options may be different on different Android devices but the principle is the same.
Before you re-on-board
- Forget both the Open and 802.1X SSID networks on your Android device.
- Remove the network user credentials.
- On the phone: Settings -> Security -> Advanced -> Encryption -> Clear Credentials.
It is recommended to restart the device.
To on-board with Android 10
- Connect to the 802.1X SSID. It will fail to connect but should then show as a Saved network, which should allow you to change its configuration. Configure it to "Use device MAC" (probably under Advanced -> Privacy).
- Connect to the Open SSID and configure it to "Use device MAC".
- Now disconnect, then reconnect to the Open SSID to ensure it now uses the device MAC (perhaps try connecting and disconnecting to another SSID), and proceed with the on-boarding process.
- Manually configure the 802.1X SSID with EAP Method (TLS), Certificates (CA and User) and Identity (AD username).
Hope this helps others.
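The following is an added example, not code from the post above or from Cisco ISE, that illustrates why the MAC_in_SAN condition fails once Android 10 randomises the MAC per SSID: the certificate issued during on-boarding carries the hardware MAC, but the RADIUS Calling-Station-Id now arrives with a randomised address, which by definition has the locally-administered bit (0x02 in the first octet) set. The function and variable names, the rendering of SAN entries as plain `TYPE:value` strings, and the sample MACs are all assumptions made for the illustration; how ISE actually encodes the MAC in the SAN is not modelled.

```python
"""Illustrative MAC_in_SAN style check (added example, not ISE code)."""
import re
from typing import Iterable, Optional, Set

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalise_mac(mac: str) -> Optional[str]:
    """Canonical form: 12 upper-case hex digits, no separators.

    Accepts 'AA-BB-CC-DD-EE-FF' (RADIUS Calling-Station-Id), 'aa:bb:cc:dd:ee:ff',
    'aabb.ccdd.eeff' and bare 'aabbccddeeff'.  Returns None when the input is
    not a MAC at all (e.g. a DNS name found in the SAN).
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    return digits if _HEX12.match(digits) else None


def is_locally_administered(mac: str) -> bool:
    """Randomised MACs (Android 10+, iOS 14+, Windows 10+) set the
    locally-administered bit, bit 1 of the first octet."""
    canon = normalise_mac(mac)
    if canon is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bool(int(canon[:2], 16) & 0x02)


def macs_from_san(san_entries: Iterable[str]) -> Set[str]:
    """Collect every MAC-looking value from a list of SAN strings.

    Assumption: an entry is either a bare value or 'TYPE:value'
    (e.g. 'DNS:phone.example.com'); anything that does not normalise
    to a MAC is ignored.
    """
    found: Set[str] = set()
    for entry in san_entries:
        canon = normalise_mac(entry)
        if canon is None and ":" in entry:
            # Drop a 'TYPE:' prefix and retry, e.g. 'MAC:aabbccddeeff'.
            canon = normalise_mac(entry.split(":", 1)[1])
        if canon is not None:
            found.add(canon)
    return found


def check_mac_in_san(calling_station_id: str, san_entries: Iterable[str]) -> str:
    """Return 'ok', 'randomised-mac' or 'mac-mismatch'.

    'randomised-mac' is the Android 10 symptom described in the post: the
    presented MAC is locally administered and so cannot match the hardware
    MAC that was written into the certificate SAN at on-boarding time.
    """
    client = normalise_mac(calling_station_id)
    if client is None:
        raise ValueError(f"bad Calling-Station-Id: {calling_station_id!r}")
    if client in macs_from_san(san_entries):
        return "ok"
    if is_locally_administered(client):
        return "randomised-mac"
    return "mac-mismatch"


if __name__ == "__main__":
    # Constructed sample data: a SAN as issued at on-boarding, then the same
    # device connecting with its hardware MAC and with a randomised MAC.
    san = ["DNS:user.example.com", "001a2b3c4d5e"]
    for station_id in ("00-1A-2B-3C-4D-5E", "32-7F-1D-9A-00-42"):
        print(station_id, "->", check_mac_in_san(station_id, san))
```

The "randomised-mac" branch is the case the post's "Use device MAC" setting fixes: once the phone presents its hardware MAC on both SSIDs again, the Calling-Station-Id matches the SAN and the condition passes without weakening the ISE policy.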