Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

593
Views
5
Helpful
3
Replies
Highlighted
Scott Gillies
Beginner
Beginner
‎01-08-2020 01:29 AM
‎01-08-2020 01:29 AM

BYOD broken with ANDROID 10 - Wireless Randomised MAC

I have just upgraded my OnePlus 6 to Android 10. It has broken my EAPTLS BYOD service because it now automatically uses Randomised MAC when connecting to wireless networks.

My ISE authorisation policy includes the condition "MAC_in_SAN" which my device now fails on. Remove the condition and it works.

Now you can actually configure it to "Use device MAC" but the default is "Use randomised MAC (default)" BUT To add insult to injury the upgrade has also changed my device Wireless MAC address which also breaks the "MAC_in_SAN" policy condition.

 

Do Cisco have any guidance on this?

Everyone's tags (4)
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Scott Gillies
Beginner
Beginner
‎01-10-2020 01:53 AM
‎01-10-2020 01:53 AM

Re: BYOD broken with ANDROID 10 - Wireless Randomised MAC

First, disabling the ISE policy authorisation condition MAC_in_SAN is not an option. This is part of the security and the only way to check the identity of the client device.

 

I have a fix for a Dual SSID BYOD solution, it's not pretty but it does work on my OnePlus Android. Here is a summary of the process.

 

Devices that currently use a BYOD service.

Devices that currently use a BYOD service (with certificates) but have or want to upgrade to Android 10 will have to re-on-board.

The following menu options may be different on different Android devices but the principle is the same.

Before you re-on-board

  1. Forget both the Open and 802.1X SSID networks on your android device.
  2. Remove the network user credentials.
  3. On the phone: Settings -> Security -> Advanced -> Encryption -> Clear Credentials.

It is recommended to restart the device.

To on-board with Android 10

  1. Connect to 802.1X SSID. It will fail to connect but should then show as a Saved network which should allow you to change its configuration. Configure it to “Use device MAC” (probably under Advanced -> Privicy option).
  2. Connect to Open SSID and configure it to “Use device MAC”
  3. Now disconnect then re-connect to the Open SSID to ensure it now uses the device MAC (perhaps try connecting and disconnecting to another SSID) and proceed with the on-boarding process.
  4. Manually configure the 802.1X SSID with EAP Method (TLS), Certificates (CA and User) and Identity (AD username)

Hope this helps others.

View solution in original post

0 Helpful
Reply
3 REPLIES 3
Highlighted
howon
Cisco Employee
Cisco Employee
‎01-08-2020 08:35 AM
‎01-08-2020 08:35 AM

Re: BYOD broken with ANDROID 10 - Wireless Randomised MAC

That is correct, with Android 10 BYOD registered and MAC-in-SAN condition will not work. What you have is what we recommend. https://community.cisco.com/t5/security-documents/ise-byod-endpoint-notes/ta-p/3857246#toc-hId--1243681234

 

Reply
Highlighted
Scott Gillies
Beginner
Beginner
‎01-10-2020 01:53 AM
‎01-10-2020 01:53 AM

Re: BYOD broken with ANDROID 10 - Wireless Randomised MAC

First, disabling the ISE policy authorisation condition MAC_in_SAN is not an option. This is part of the security and the only way to check the identity of the client device.

 

I have a fix for a Dual SSID BYOD solution, it's not pretty but it does work on my OnePlus Android. Here is a summary of the process.

 

Devices that currently use a BYOD service.

Devices that currently use a BYOD service (with certificates) but have or want to upgrade to Android 10 will have to re-on-board.

The following menu options may be different on different Android devices but the principle is the same.

Before you re-on-board

  1. Forget both the Open and 802.1X SSID networks on your android device.
  2. Remove the network user credentials.
  3. On the phone: Settings -> Security -> Advanced -> Encryption -> Clear Credentials.

It is recommended to restart the device.

To on-board with Android 10

  1. Connect to 802.1X SSID. It will fail to connect but should then show as a Saved network which should allow you to change its configuration. Configure it to “Use device MAC” (probably under Advanced -> Privicy option).
  2. Connect to Open SSID and configure it to “Use device MAC”
  3. Now disconnect then re-connect to the Open SSID to ensure it now uses the device MAC (perhaps try connecting and disconnecting to another SSID) and proceed with the on-boarding process.
  4. Manually configure the 802.1X SSID with EAP Method (TLS), Certificates (CA and User) and Identity (AD username)

Hope this helps others.

View solution in original post

0 Helpful
Reply
Highlighted
Dustin Anderson
Contributor
Contributor
‎01-10-2020 12:20 PM
‎01-10-2020 12:20 PM

Re: BYOD broken with ANDROID 10 - Wireless Randomised MAC

The randomized mac should be a setting in the wireless/advanced. Can't you just turn it off?

0 Helpful
Reply
Latest Contents
How to Integrate Cisco Identity Services Engine with IBM Maa...
Created by pavagupt on 05-29-2020 12:45 AM
0
10
0
10
IntroductionComponentsIBM MaaS360 ConfigurationISE ConfigurationOnboard and validating access from Windows ClientEnrolling Windows 10 against IBM MaaS 360   Introduction Cisco Identity Services Engine (ISE) gives you intelligent Integrated protectio... view more
AMP4E - Cisco Threat Response and ESA Integration
Created by bremarqu on 05-27-2020 09:16 AM
0
0
0
0
Hello, This video provides the steps to configure the Cisco Threat Response (CTR) and ESA Integration.   This is live on the portal:https://video.cisco.com/video/6159336218001   And on YouTube:https://www.youtube.com/watch?v=UCKIdx5rdFg   ... view more
Migrate from C170 to C190
Created by fhk_license on 05-26-2020 02:24 AM
3
0
3
0
I need to migrate from C170 to C190 and have already match to the same Firmware Version. I have a question. Is there any method that can export and import the configuration file instead of form cluster ?
DGTL-BRKSEC-1011 - A Challenger Appears: Defending Mailboxes...
Created by chclasen on 05-20-2020 09:43 AM
0
0
0
0
This AMA will serve as the Q&A for the Cisco Live Digital breakout DGTL-BRKSEC-1011 - "A Challenger Appears: Defending Mailboxes in the Cloud" which covers a brand new product which will be announced during the event: Cloud Mailbox Defense. Join Techn... view more
ASA Image won't stay
Created by Senbonzakura on 05-19-2020 12:19 PM
3
0
3
0
I've fixed this before but now I'm running into a different type of an issue. My firewall isn't booting to the image so I have to keep reloading the image onto the ASA. Any help would be appreciated. Also my Config-Register is set to 0x1. As of right now,... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Cisco Community April 2020 Spotlight Award Winners

Follow our Social Media Channels