Is anyone else able to try a Google Pixel2 phone running Android 9.0 with dual-SSID BYOD? Have a TAC case open but would be interesting to see if anyone else is having the same issue. The error is that the phone is unable to download the profile from ISE. Any other Android phone I try is fine, such as a LG Nexus 5X running 8.0, or a Samsung Galaxy S6 on 7.0, or even an old LG tablet running 4.4. The process also worked on a Pixel 2 running 8.1 in the past, it seems 9.0 broke it.
In the SPW.log from the Pixel 2 phone running 9.0 we see the following messages of interest, but I did not paste the entire log:
2018.08.17 10:02:53 INFO:Discovered ise server = <server FQDN>
2018.08.17 10:02:53 INFO:Discovered client mac = 02-00-00-00-00-00
2018.08.17 10:02:53 INFO:askPermissionForDownload - request permission from user to download the profile from the discovered ISE host
ISE is not able to apply an access policy to your log-in session at this time. Please close this browser, wait approximately one minute, and try to connect again. If you are still not able to log in, please contact your network administrator.
Solved! Go to Solution.
Any indication of when it will be supported? It seems like an app/API issue. We're an educational institution that just deployed BYOD as a new service and now we're going to launch into the beginning of the semester with a popular phone not supported, which will damage public perception of the new service, and by extension their opinion of Cisco. I don't think anyone wants any of those things, so hoping for a quick solution to this.
Can we get an update from development on this one? It seems it's just an issue with Android 9 breaking the app. The client's MAC is recorded by the app as "02-00-00-00-00-00" in my case in the SPW.log. Seems like it's just an API change in 9.0, might just require a branch to detect 9.0 and use a different function to get the MAC -- not sure, but imagine it's probably not a difficult fix for Cisco.
I've already logged a TAC case but wanted to see if there has been any update on this. More people in our organization are getting Google Pixel 3 phones which come with Android 9 out of the box and are not able to connect to our corporate BYOD network. This is becoming a bigger problem as we are moving away from using PSK for our SSIDs.
Does the issue persist if you have client provisioning feed enabled in ISE and set to
Enable provisioning: Enable
Enable automatic download: enable
Update feed URL: https://www.cisco.com/web/secure/spa/provisioning-update.xml
Native supplicant provisioning policy unavailable: allow network access
TAC basically told me to make sure I had provisioning enabled (which I did, set to those settings above) and at some point our Pixel2 users started working with BYOD and EAP-TLS on ISE 2.4 p2+struts fix using the ISE internal CA. Not sure what fixed it, not sure if it's still broken on Pixel3 phones because I haven't had a pixel3 user come forward with the issue.
The dual-SSID BYOD with Android 9 should be working at this point, but you might get some benign error "Unable to connect. Please manually connect to SSID: ..."
The main issue we are working with Android dev team on CSCvm10640 is to be able to either forget or modify an existing SSID in the single-SSID BYOD flow.
Yes that's a good point: we're using dual-ssid BYOD, forgot to mention that.
Can you comment on what fixed it in the dual-ssid flow? Was it the provisioning feed update? I closed my TAC case because it was fixed but unfortunately they didn't seem to know what fixed it exactly; I just assumed it was the provisioning feed update as the only patch I applied to ISE 2.4p2 by that point was the struts fix.