Cisco ISE v3.0 Patch 2 and Android 10 - BYOD onboarding issue for dual SSID

anilkumar.cisco
Level 4

Hello Team,

We have:

- Dual SSID BYOD set up – “XYZ-OPEN” open SSID for onboarding, and “ABC-Employee-Register” for BYOD registered devices
- Internal ISE CA for SCEP / BYOD client certificates
- Certs issued with MAC-in-SAN, and users advised to disable the “Private IP address” feature for the onboard & Staff-register Wi-Fi networks
- Wildcard for Web Portal certificates signed by XYZ CA
- Corporate PKI signed EAP certificate per PSN for the 802.1X network

This process works fine for Windows, Mac OS & iOS devices.

Android phones are failing as per the process below:

1. User associates to the open “XYZ-OPEN” SSID and is redirected to the Web Auth portal
2. User logs in, accepts the AUP and is directed to the BYOD portal
   [NOTE – we use profiling rules to match OS / device type and apply the appropriate WLAN ACL to the session based on iOS / Android etc.]
3. User registers the device in the BYOD portal OK and is directed to the Play Store to download or open Cisco NSA
   [NOTE – our devices have Cisco NSA already present]
4. User opens Cisco NSA on the Android phone and presses the “Start” button
5. User is prompted for the network password
6. User enters the password and hits enter
7. Phone displays Wi-Fi Settings Guidance suggesting the onboard network now needs to be forgotten AND a message briefly appears at the bottom of the screen: “certificate required to install private key”
8. The Wi-Fi Settings Guidance button is useless and the user is unable to enact the guidance [the message doesn’t make sense].
   - No Wi-Fi profile is downloaded or configured
   - Only one password prompt is given
   - No certificates are deployed to the device
9. User is unable to complete onboarding

FYI – during the process:

- ISE Live Logs show EST Successful Authentication
- ISE CA shows a certificate is issued to the device

and I am getting the below errors in the RADIUS / Client Provisioning logs:

- 11215 No response has been received from Dynamic Authorization Client in ISE
- 24408 User authentication against Active Directory failed since user has entered the wrong password
- 11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed

Versions:

- Cisco ISE v3.0 Patch 2
- Posture: Cisco conditions version 270631.0.0.0
- Cisco AV/AS support chart version for Windows 245.0.0.0
- Cisco AV/AS support chart version for Mac OSX 164.0.0.0
- Cisco supported OS version 56.0.0.0
- Profiler Update: latest applied feed occurred on: last week

Android device [test device]:

- OS: Android 10
- Device: Samsung Galaxy S10
- Android Cisco Network Setup Assistant version: v3.1.4 [latest]


Greg Gibbs
Cisco Employee

Was this working with an earlier version of ISE and appears to be broken by an upgrade to ISE 3.0, or is this a completely new setup that is failing?

If it was working before and broke after an upgrade to 3.0, it would be best to open a TAC case to investigate.

If this is a new setup that is failing, you might compare your configuration with the info in the following links:

Some of the logs you posted may also be of interest...

"11215 No response has been received from Dynamic Authorization Client in ISE" seems to indicate that the WLC is not responding to the CoA. Confirm that you have Support for CoA (or RFC 3576, depending on the WLC code version) enabled on the SSIDs.

"11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed" seems to indicate that the Allowed Protocols list may not allow the EAP method that the supplicant is trying to use. You might want to confirm your Allowed Protocols list and CAP are configured correctly.

If all else fails (or for faster resolution), you may want to open a TAC case to investigate further.
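A small triage script, added here as an example and not part of the thread, that groups ISE-style messages by endpoint MAC and reports which onboarding stage each endpoint reached before the first failure code discussed above. The log layout, the sample lines and the "EST"/"Certificate issued" stage markers are constructed assumptions; only the three message codes come from the thread.

```python
import re
from collections import defaultdict

# Constructed ISE-style log lines (not a real capture). Only the message codes
# quoted in the thread (11215, 24408, 11510) are real; the layout is assumed.
SAMPLE_LOG = """\
2021-06-01T10:00:01 mac=AA:BB:CC:DD:EE:01 msg=EST authentication succeeded
2021-06-01T10:00:02 mac=AA:BB:CC:DD:EE:01 msg=Certificate issued by internal CA
2021-06-01T10:00:05 mac=AA:BB:CC:DD:EE:01 msg=11215 No response has been received from Dynamic Authorization Client in ISE
2021-06-01T10:01:10 mac=AA:BB:CC:DD:EE:02 msg=11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed
2021-06-01T10:02:00 mac=AA:BB:CC:DD:EE:03 msg=24408 User authentication against Active Directory failed since user has entered the wrong password
2021-06-01T10:03:00 mac=AA:BB:CC:DD:EE:04 msg=EST authentication succeeded
2021-06-01T10:03:01 mac=AA:BB:CC:DD:EE:04 msg=Certificate issued by internal CA
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) mac=(?P<mac>[0-9A-F:]{17}) msg=(?P<msg>.*)$")

# Failure codes from the thread and the check the reply above suggests for each.
HINTS = {
    "11215": "NAD did not answer the CoA: confirm CoA / RFC 3576 support is enabled on the SSID",
    "11510": "EAP method rejected: review the Allowed Protocols list for the policy",
    "24408": "AD reported a wrong password for the credentials typed into NSA",
}

def parse(log):
    """Group message texts by endpoint MAC, preserving log order."""
    by_mac = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_mac[m["mac"]].append(m["msg"])
    return by_mac

def triage(log):
    """Return {mac: verdict}: the stage reached and the first failure code seen."""
    verdicts = {}
    for mac, msgs in parse(log).items():
        stage = "not started"
        for msg in msgs:
            code = msg.split(" ", 1)[0]          # leading ISE message code, if any
            if code in HINTS:
                verdicts[mac] = f"failed after '{stage}': {HINTS[code]}"
                break
            if msg.startswith("EST authentication succeeded"):
                stage = "EST auth"
            elif msg.startswith("Certificate issued"):
                stage = "cert issued"
        else:                                    # no failure code for this endpoint
            verdicts[mac] = f"no failure logged; reached '{stage}'"
    return verdicts

if __name__ == "__main__":
    for mac, verdict in triage(SAMPLE_LOG).items():
        print(mac, verdict)
```

The pattern the original poster describes (EST success and a cert issued, then no CoA response) shows up as an endpoint that reached 'cert issued' and then hit 11215.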

 

piotrszafran
Level 1

Hi,

I have a very similar issue. Have you found the solution?
