Solved: Google Pixel2 / Android 9.0 / Fails dual-SSID BYOD

jasonm002 · ‎08-27-2018

Is anyone else able to try a Google Pixel2 phone running Android 9.0 with dual-SSID BYOD? Have a TAC case open but would be interesting to see if anyone else is having the same issue. The error is that the phone is unable to download the profile from ISE. Any other Android phone I try is fine, such as a LG Nexus 5X running 8.0, or a Samsung Galaxy S6 on 7.0, or even an old LG tablet running 4.4. The process also worked on a Pixel 2 running 8.1 in the past, it seems 9.0 broke it.

In the SPW.log from the Pixel 2 phone running 9.0 we see the following messages of interest, but I did not paste the entire log:

2018.08.17 10:02:53 INFO:Discovered ise server = <server FQDN>
2018.08.17 10:02:53 INFO:Discovered client mac = 02-00-00-00-00-00
2018.08.17 10:02:53 INFO:askPermissionForDownload - request permission from user to download the profile from the discovered ISE host

...

<td>
ISE is not able to apply an access policy to your log-in session at this time. Please close this browser, wait approximately one minute, and try to connect again. If you are still not able to log in, please contact your network administrator.
</td>

Jason Kunst · ‎09-10-2018

please make sure you log a case through the TAC as well

View solution in original post

Jason Kunst · ‎11-08-2018

Recommend a tac case. For anyone that has one please share the defect Id

I will check internally

View solution in original post

Jason Kunst · ‎11-09-2018

Here is the bug “CSCvm10640”. Please work through TAC on this

Right now it doesn’t look like these devices are honoring the certificate SAN field and likely an android issue being investigated

I would also recommend contacting the os provider

View solution in original post

hslai · ‎05-13-2019

BYOD on Android 9.0 tested by our teams to work with ISE 2.2+. Our doc team will revise the compatibility guide. If possible, please provide the case number.

View solution in original post

hslai · ‎08-29-2018

ISE has not yet supporting Android 9.0 (Pie). It's being tracked by CSCvm10640 internally.

jasonm002 · ‎08-30-2018

Any indication of when it will be supported? It seems like an app/API issue. We're an educational institution that just deployed BYOD as a new service and now we're going to launch into the beginning of the semester with a popular phone not supported, which will damage public perception of the new service, and by extension their opinion of Cisco. I don't think anyone wants any of those things, so hoping for a quick solution to this.

hslai · ‎08-30-2018

I am checking with our dev team.

suporte.it@telemont · ‎09-10-2018

We have a customer with the same problem as above, on a Dual SSID provisioning. He is running android 9.0 Custom ROM (LineageOS) on a Xiaomi Mi 5 device.

Jason Kunst · ‎09-10-2018

please make sure you log a case through the TAC as well

jasonm002 · ‎09-11-2018

Can we get an update from development on this one? It seems it's just an issue with Android 9 breaking the app. The client's MAC is recorded by the app as "02-00-00-00-00-00" in my case in the SPW.log. Seems like it's just an API change in 9.0, might just require a branch to detect 9.0 and use a different function to get the MAC -- not sure, but imagine it's probably not a difficult fix for Cisco.

maychida · ‎11-07-2018

Hi HSLAI,

Any update from Dev on which ISE version would support Android 9 and an ETA on the same? I see the Feed service update did not help either for my customer?

-
Regards,
Mayil Raj

Jason Kunst · ‎11-08-2018

Recommend a tac case. For anyone that has one please share the defect Id

I will check internally

Jason Kunst · ‎11-09-2018

Here is the bug “CSCvm10640”. Please work through TAC on this

Right now it doesn’t look like these devices are honoring the certificate SAN field and likely an android issue being investigated

I would also recommend contacting the os provider

Louis Gonzales · ‎01-14-2019

I've already logged a TAC case but wanted to see if there has been any update on this. More people in our organization are getting Google Pixel 3 phones which come with Android 9 out of the box and are not able to connect to our corporate BYOD network. This is becoming a bigger problem as we are moving away from using PSK for our SSIDs.

hslai · ‎01-14-2019

Our developer is working with Android dev team to fix this. No ETA yet.

jasonm002 · ‎01-14-2019

Does the issue persist if you have client provisioning feed enabled in ISE and set to

Enable provisioning: Enable

Enable automatic download: enable

Update feed URL: https://www.cisco.com/web/secure/spa/provisioning-update.xml

Native supplicant provisioning policy unavailable: allow network access

TAC basically told me to make sure I had provisioning enabled (which I did, set to those settings above) and at some point our Pixel2 users started working with BYOD and EAP-TLS on ISE 2.4 p2+struts fix using the ISE internal CA. Not sure what fixed it, not sure if it's still broken on Pixel3 phones because I haven't had a pixel3 user come forward with the issue.

hslai · ‎01-14-2019

The dual-SSID BYOD with Android 9 should be working at this point, but you might get some benign error "Unable to connect. Please manually connect to SSID: ..."

The main issue we are working with Android dev team on CSCvm10640 is to be able to either forget or modify an existing SSID in the single-SSID BYOD flow.

jasonm002 · ‎01-14-2019

Yes that's a good point: we're using dual-ssid BYOD, forgot to mention that.

Can you comment on what fixed it in the dual-ssid flow? Was it the provisioning feed update? I closed my TAC case because it was fixed but unfortunately they didn't seem to know what fixed it exactly; I just assumed it was the provisioning feed update as the only patch I applied to ISE 2.4p2 by that point was the struts fix.