
BYOD - CoA timing difference between Android and iPhone

Nate Zhang
Cisco Employee

I'm testing ISE BYOD with iPhone/Android phones and everything works fine, but I see some differences, described below.

For testing purposes, I have only 2 AuthZ policies. (Single SSID, no certificate provisioning)

Policy1: If BYOD registered device => Internet Only
Policy2: If MSCHAPv2 => BYOD portal with NSP

The difference is below.

1. When testing with an Android phone, the initial onboarding with 802.1X hit policy2 with redirection, and we saw that a COA was issued when clicking 'Go to Google Play xxxx' in Step 3.
This ultimately made the device hit policy1 again, so it can connect to the Internet even without finishing NSA. Meaning that at this moment, the user can access Google, YouTube, etc.

2. When testing with an iPhone, the initial onboarding with 802.1X hit policy2 with redirection, and when the profile is downloaded in step 3 of 'Apple configuration profile xxxx', there is no COA issued from ISE. Hence, if the user does not complete the profile installation by going back to the iPhone 'General' settings, they will always be redirected, since they are kept in policy2.

(If I force reconnect to the SSID without installing the profile, the device will hit policy1 and connect to the Internet.)


I understand the policy will not be this open in a real-world use case, but I want to make sure this is normal. Is a COA supposed to be seen when clicking 'Go to Google Play xxx' in use case 1 above?


hslai
Cisco Employee

Yes.

We usually add another condition -- Session·Device-OS Equals Android -- in the Policy rule 1.

Hi Hsing Tsu,

Thank you for the response. It's already in there.
The question is that when clicking 'Go to Google Play xxxx' in the BYOD flow, a COA is seen, and we are not sure if it is expected or not.
(We expected the user to go to NSA and complete all the profile download from ISE, and then a COA is seen to hit policy1.)

Likely that COA is after the device is identified as Android, so you could give it another authorization rule to open up necessary DNSURL rules for the Play Store.

Have you looked at the prescriptive guide under http://cs.co/ise-byod page?

Jason,

I had the same doubts and waited for a while on the screen 'Go to Google Play xxxx'.
If Profiler (identified as Android) was the reason for the COA, it would be triggered regardless of clicking the button 'Go to Google Play xxx' or not.
However, the COA was not seen while I waited for 1 min on that page, and once I clicked it, the COA came in.

Let me try testing with the Profiling COA turned off.
