cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8411
Views
0
Helpful
35
Replies

Google Pixel2 / Android 9.0 / Fails dual-SSID BYOD

jasonm002
Level 1
Level 1

Is anyone else able to try a Google Pixel2 phone running Android 9.0 with dual-SSID BYOD? Have a TAC case open but would be interesting to see if anyone else is having the same issue. The error is that the phone is unable to download the profile from ISE. Any other Android phone I try is fine, such as a LG Nexus 5X running 8.0, or a Samsung Galaxy S6 on 7.0, or even an old LG tablet running 4.4. The process also worked on a Pixel 2 running 8.1 in the past, it seems 9.0 broke it.

 

In the SPW.log from the Pixel 2 phone running 9.0 we see the following messages of interest, but I did not paste the entire log:

 

2018.08.17 10:02:53 INFO:Discovered ise server = <server FQDN>
2018.08.17 10:02:53 INFO:Discovered client mac = 02-00-00-00-00-00
2018.08.17 10:02:53 INFO:askPermissionForDownload - request permission from user to download the profile from the discovered ISE host

...

<td>
ISE is not able to apply an access policy to your log-in session at this time. Please close this browser, wait approximately one minute, and try to connect again. If you are still not able to log in, please contact your network administrator.
</td>

 

35 Replies 35

I am not sure what exactly fixed in your deployment.

Generally to support a new client OS, we need the following:

  • Cisco supported OS version up-to-date -- done via ISE posture feed update
  • Network Setup Assistant latest for non-Apple-iOS devices -- Android NSA, available via Google Play store, last updated in 2017 so no change yet for Android 9.
  • Web browser support -- newer Chrome browser releases may not connect to ISE portal pages unless the hostname/FQDN matched in the certificate SAN field. ISE 2.3 needs this for the system certificate(s) used by the ISE guest/BYOD portals; earlier ISE releases might need the same by the ISE admin portal.

Alright so based on your input it is probably the posture feed update that did it then. 

 

So perhaps the other users here just need to make sure the posture feed is auto updating from the appropriate URL for your ISE version, e.g. https://community.cisco.com/t5/identity-services-engine-ise/ise-urls-for-external-service-updates/td-p/3526841

Has this been fixed in ISE 2.6?

We are hitting the same problem with Android 9, fully updated ISE 2.2, newest version 2.2.0.55 of Cisco app. I find it hard to believe this is not fixed yet, being a known problem since August 2018, can someone please suggest what to do ?
Thank you very much.

Make sure the client provisioning and posture feeds are updated with the correct URLs according to ISE 2.2 docs and optionally enable auto update.

 

This was fixed back in October I think for ISE 2.4; I'm not sure about 2.2. ISE 2.4 is now the recommended release. It's possible there is also some other configuration issue with the deployment so you should probably try the above and then make a TAC case if that doesn't work.

 

Is there any place Cisco has communicated that it is fixed in 2.4 ?
I am asking because it seems to be an app related problem, not ISE problem.
The problem is that the app is not able to read MAC address on Android 9 phone as far as I understand it.
This is what the bug description says:

"Cisco Network Setup Assistant has been updated to Version 2.2.0.55 at Google Play on Mar-25,2019 to address this issue. Also, ensure Cisco ISE has the latest updates of Cisco supported OS version, via ISE posture feed."

It does not say anything about ISE 2.4 being a solution, as ISE 2.2. is still supported.
Anyway, we have opened a TAC case, so let's see what they have to say.
Thank you for your suggestion anyway.


@mgrecner wrote:
Also, ensure Cisco ISE has the latest updates of Cisco supported OS version, via ISE posture feed."

This is probably the critical part for you I would imagine, but if ensuring posture feed is up to date and using correct URL doesn't solve it then TAC should be able to figure it out.

 

I can confirm that this feature is currently working for me in ISE 2.4 on Android 9 on several phones including the Pixel2 and Pixel3, but as to whether the behavior would be different in 2.2 or 2.4 -- I can't say.

 

Thank you very much, knowing that Android 9 BYOD works for you with ISE 2.4 is very important information.
We have done all the posture feed updates to ISE 2.2, I am not sure about the URL issue, we will doublecheck.

Best regards
Martin

We were just told by TAC that 9 is now supported by ISE 2.4 but not 2.2 and nothing further can be done. I guess that means we will just have to bypass any BYOD attempts until we can schedule the upgrade.

If you're looking for the next long term support release, check out:

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-740738.html

 

 

BYOD on Android 9.0 tested by our teams to work with ISE 2.2+. Our doc team will revise the compatibility guide. If possible, please provide the case number.

This is our SR number: 686678438

please escalate with TAC as we have confirmed support.

HI,

 

CSCvm10640 . Same case as per description here and the case is still open and TAC still says that BU is working on and does not have a ETA. The work around provided is downgrade to 8 . We cant have customer especially the BYODs to downgrade to 8 . 

Please help with the required documentation and fix or a possible workaround. @hslai @Jason Kunst 

ISE :Version 2.2.0.470(Patch 5)

NSA:Version 2.2.0.55 at Google Play on Mar-25,2019

 


@hslai wrote:

BYOD on Android 9.0 tested by our teams to work with ISE 2.2+. Our doc team will revise the compatibility guide. If possible, please provide the case number.