Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2577
Views
0
Helpful
8
Replies

BYOD device stuck in pending state and device removal

Go to solution
Madura Malwatte
Level 4
Level 4

‎10-11-2018 05:59 AM

I have this issue and some unexpected behaviour with byod.

 

First when I go through the byod registration processes everything seems well and after I complete registration, I hit the correct authz policy (byod registered + compliant), I do the temporal agent install and posture check as well. My device gets full access as expected. However if in the mydevices portal the device is always in pending state. It never transitions to registered state, even though device has done CoA to the correct authz policy.

 

I20181011_175135.jpg

 

the question is how do I go about removing a device? the only option I have is "delete", when I do this, device is deleted, but the native dot1x settings remain on the device (which was configured by the windwos sp wizard), so when the device connects to the network again, im getting pushed into my dot1x policy (obviously because the dot1x is still enabled on the device) and then hitting the default policy which takes me to a dead end. The device can never hit the portal and try to register itself again.

 

20181011_180256.jpg20181011_175220.jpg

 

I guess trying to "delete" a byod device is not the correct way to go? Would doing "unenroll" actually remove the dot1x settings from the device, so when it tried to connect to the network will hit my mab policy and then get the web auth redirect?

 

Questions:

1. Why is the device stuck in "pending" state and never transition to "registered" even though the registration process seems to have worked correctly?

2. How can I get the device to hit the portal and go through registration again if it is deleted or removed as a byod registered device?

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎10-11-2018 06:22 AM

Please review the guide on proper policies

https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867


Pending state is a cosmetic issue and doesn’t affect operation

View solution in original post

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Madura Malwatte

‎10-11-2018 07:57 AM

Pending is cosmetic issue unfortunately

Please remember this solution is not an EMM/MDM management product. It’s a way to onboard personal devices that you have no controls over. Because of this there is no way to remove through ISE the supplicant and certificate provisioned on the device. This is a manual process of removing the supplicant settings using that cert and is different depending on the device type and OS version.

If you remove an endpoint from ISE BYODRegistered state or group then you can force them through authorization.
This will also force them through if you remove the certificate from the endpoint or revoked the certificate as its not valid anymore
PEAP > TLS network
Example authorization profiles
if BYODRegistered and EAP-TLS certificate valid then permit access
if PEAP then redirect to onboarding flow

OPEN > TLS network
if BYODRegistered and EAP-TLS certificate valid then permit access
otherwise redirect to guest portal

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎10-11-2018 06:22 AM

Please review the guide on proper policies

https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867


Pending state is a cosmetic issue and doesn’t affect operation
0 Helpful

Go to solution
Madura Malwatte
Level 4
Level 4
In response to Jason Kunst

‎10-11-2018 07:07 AM

Thanks Jason, but I have been through this guide. I'm testing wired on-boarding by the way. I had waited a few hours and still the device was in pending state. (it mentions 20 minutes to transition in the guide).

 

Also there is no mention on correct removal process of registered device so it can re-register.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Madura Malwatte

‎10-11-2018 07:57 AM

Pending is cosmetic issue unfortunately

Please remember this solution is not an EMM/MDM management product. It’s a way to onboard personal devices that you have no controls over. Because of this there is no way to remove through ISE the supplicant and certificate provisioned on the device. This is a manual process of removing the supplicant settings using that cert and is different depending on the device type and OS version.

If you remove an endpoint from ISE BYODRegistered state or group then you can force them through authorization.
This will also force them through if you remove the certificate from the endpoint or revoked the certificate as its not valid anymore
PEAP > TLS network
Example authorization profiles
if BYODRegistered and EAP-TLS certificate valid then permit access
if PEAP then redirect to onboarding flow

OPEN > TLS network
if BYODRegistered and EAP-TLS certificate valid then permit access
otherwise redirect to guest portal
0 Helpful

Go to solution
Madura Malwatte
Level 4
Level 4
In response to Jason Kunst

‎10-11-2018 08:48 AM

Hi Jason,

Thanks for confirming the behaviour. So seems in pending state the unenroll
and unregister options are not available?

Great, this is what I was looking for, a way to force through
authorization. I'll give it a go!
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Madura Malwatte

‎10-11-2018 08:51 AM

There is no unenroll or unregister options, you can either mark a device as lost or stolen correct? Are you talking about integrating with MDM state as well?
0 Helpful

Go to solution
Madura Malwatte
Level 4
Level 4
In response to Jason Kunst

‎10-11-2018 08:52 AM

Also is there a bug ID for the pending cosmetic issue?

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Madura Malwatte

‎10-11-2018 08:54 AM

Yes there are several I believe
0 Helpful

Go to solution
jdurkin
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎12-11-2019 12:49 PM

What is BugID?  I can't find it. 

Jim 

0 Helpful
Customers Also Viewed These Support Documents