BYOD device stuck in pending state and device removal

Madura Malwatte
Level 4

I have this issue and some unexpected behaviour with BYOD.

First, when I go through the BYOD registration process everything seems well, and after I complete registration I hit the correct authz policy (BYOD registered + compliant); I do the Temporal Agent install and posture check as well. My device gets full access as expected. However, in the My Devices portal the device is always in pending state. It never transitions to registered state, even though the device has done CoA to the correct authz policy.

[screenshot attachment: 20181011_175135.jpg]

The question is how do I go about removing a device? The only option I have is "delete". When I do this, the device is deleted, but the native dot1x settings remain on the device (which were configured by the Windows SP wizard), so when the device connects to the network again I'm getting pushed into my dot1x policy (obviously, because dot1x is still enabled on the device) and then hitting the default policy, which takes me to a dead end. The device can never hit the portal and try to register itself again.

[screenshot attachments: 20181011_180256.jpg, 20181011_175220.jpg]

I guess trying to "delete" a BYOD device is not the correct way to go? Would doing "unenroll" actually remove the dot1x settings from the device, so that when it tries to connect to the network it will hit my MAB policy and then get the web auth redirect?

Questions:

1. Why is the device stuck in "pending" state and never transitions to "registered", even though the registration process seems to have worked correctly?

2. How can I get the device to hit the portal and go through registration again if it is deleted or removed as a BYOD-registered device?


8 Replies

Jason Kunst
Cisco Employee (accepted solution)
Please review the guide on proper policies:

https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867

Pending state is a cosmetic issue and doesn't affect operation.

Madura Malwatte

Thanks Jason, but I have been through this guide. I'm testing wired onboarding, by the way. I had waited a few hours and still the device was in pending state (it mentions 20 minutes to transition in the guide).

Also there is no mention of the correct removal process for a registered device so it can re-register.

Jason Kunst
Cisco Employee (accepted solution)

Pending is a cosmetic issue, unfortunately.

Please remember this solution is not an EMM/MDM management product. It's a way to onboard personal devices that you have no control over. Because of this there is no way to remove through ISE the supplicant and certificate provisioned on the device. This is a manual process of removing the supplicant settings using that cert and is different depending on the device type and OS version.

If you remove an endpoint from the ISE BYODRegistered state or group then you can force them through authorization.
This will also force them through if you remove the certificate from the endpoint or revoke the certificate, as it's not valid anymore.

Example authorization profiles:

PEAP > TLS network
if BYODRegistered and EAP-TLS certificate valid then permit access
if PEAP then redirect to onboarding flow

OPEN > TLS network
if BYODRegistered and EAP-TLS certificate valid then permit access
otherwise redirect to guest portal
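To make the rule ordering in the two designs above concrete, here is an added illustration (not Cisco ISE code, nor its API) that models each policy set as a first-match rule list and runs it over a few constructed sessions. The attribute names (method, byod_registered, cert_valid) are assumptions chosen to mirror the conditions named in the post. In this model, a device whose endpoint was deleted from ISE but whose supplicant still uses EAP-TLS matches neither rule of the PEAP > TLS design and lands on the default, which is the dead end described in the question; in the OPEN > TLS design the guest-portal catch-all picks it up, and removing the endpoint from BYODRegistered or revoking its certificate pushes it off the permit rule in both designs.

```python
"""First-match authorization policy model for the two BYOD designs above.

Added illustration, not Cisco ISE code. Attribute names are assumptions;
the sessions at the bottom are constructed test data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One authentication attempt as seen by the policy (constructed attributes)."""
    name: str
    method: str             # "EAP-TLS", "PEAP", or "OPEN" (no 802.1X supplicant)
    byod_registered: bool   # endpoint is in the BYODRegistered group
    cert_valid: bool        # client certificate chains and is not revoked


def registered_tls(s):
    # Mirrors "BYODRegistered and EAP-TLS certificate valid".
    return s.method == "EAP-TLS" and s.byod_registered and s.cert_valid


# Rules are evaluated top-down; the first condition that holds decides.
PEAP_TO_TLS = [
    (registered_tls, "PermitAccess"),
    (lambda s: s.method == "PEAP", "Redirect to onboarding (NSP) portal"),
]

OPEN_TO_TLS = [
    (registered_tls, "PermitAccess"),
    (lambda s: True, "Redirect to guest portal"),
]


def authorize(session, rules, default="DenyAccess"):
    """Return the result of the first matching rule, or the default rule."""
    for condition, result in rules:
        if condition(session):
            return result
    return default


def evaluate_all(rules, sessions):
    """Map each session name to its authorization result under `rules`."""
    return {s.name: authorize(s, rules) for s in sessions}


# Constructed sessions covering the cases discussed in the thread.
SESSIONS = [
    Session("onboarded", "EAP-TLS", byod_registered=True, cert_valid=True),
    # Endpoint deleted from ISE (or removed from BYODRegistered); the
    # supplicant is still configured for EAP-TLS with the old cert.
    Session("deleted-still-tls", "EAP-TLS", byod_registered=False, cert_valid=True),
    # Certificate revoked or removed from the endpoint.
    Session("revoked-cert", "EAP-TLS", byod_registered=True, cert_valid=False),
    # Fresh personal device using username/password (PEAP) before onboarding.
    Session("new-peap", "PEAP", byod_registered=False, cert_valid=False),
    # Device with no supplicant configured on an open network.
    Session("new-open", "OPEN", byod_registered=False, cert_valid=False),
]

if __name__ == "__main__":
    for label, rules in (("PEAP > TLS", PEAP_TO_TLS), ("OPEN > TLS", OPEN_TO_TLS)):
        print(f"== {label} ==")
        for name, result in evaluate_all(rules, SESSIONS).items():
            print(f"  {name:20s} -> {result}")
```

Running the block prints the result table for both designs; the "deleted-still-tls" row is the one to compare, since it is DenyAccess under PEAP > TLS and a guest-portal redirect under OPEN > TLS.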

Madura Malwatte

Hi Jason,

Thanks for confirming the behaviour. So it seems in pending state the unenroll and unregister options are not available?

Great, this is what I was looking for, a way to force through authorization. I'll give it a go!

There are no unenroll or unregister options; you can either mark a device as lost or stolen, correct? Are you talking about integrating with MDM state as well?

Also is there a bug ID for the pending cosmetic issue?

Yes, there are several I believe.

What is the Bug ID? I can't find it.

Jim
