08-08-2017 08:04 AM
I'm new to ISE and testing the BYOD onboarding process. I'll log in with an iPhone using AD credentials. Apple's Captive Network Assistant (CNA) will automatically bring up the BYOD portal page. I cancel out of CNA, because the browser is not supported. (I usually have to connect and cancel CNA twice before the "Use without Internet" option shows up.) Then, I'll navigate to a webpage with Safari, get redirected to the BYOD portal, and register the device. The phone now has a profile and can log in with the certificate. This part works.
Wanting to test different scenarios, I delete the profile off my phone. Then, I'll go into Context Visibility > Endpoints and delete the device from ISE.
I'll log back in using my AD credentials, since the profile with cert has been deleted. CNA kicks in and redirects me to the BYOD portal. (I am able to see the BYOD Portal page from CNA.) I cancel out of CNA, because that browser is not supported. Then, I'll navigate to a webpage with Safari and get redirected to the BYOD portal. However, the BYOD portal is not displayed, although I was seeing it from CNA. I get the error "Safari cannot open the page because it could not establish a secure connection to the server".
I have 4 Policy Service Nodes. I initially onboarded the device on PSN1. If I delete the profile and endpoint device, the BYOD portal page won't be displayed on PSN1. However, I can complete the onboarding process on PSN2 (making PSN2 the primary RADIUS server in WLC). If I delete the profile and endpoint device after registering on PSN2, the BYOD portal page won't be displayed on PSN2. Then, I can complete the onboarding process on PSN3 and so on and so forth. Basically, if I switch the PSN the WLC is using, I can re-register the phone.
Another thing I've noticed is that the phone shows up as a Registered Device in the RADIUS Logs, after it has been removed from Context Visibility > Endpoints. It also has the same Result > State of ReauthSession: with the same session number.
It seems like it still has a session on the PSN.
How can I completely remove it?
Thank you!
Sean
08-08-2017 12:40 PM
The process to start over is the following:
Remove the profile from the device
Disable the wifi on the device
Remove the wifi session on the WLC
Remove the endpoint from ISE
Please see this information on proper use of the Apple mini browser for guest and BYOD:
https://communities.cisco.com/docs/DOC-71469
https://communities.cisco.com/docs/DOC-71122
https://communities.cisco.com/docs/DOC-71398
08-08-2017 07:39 PM
Thank you! Disabling the wifi and removing the wifi session on WLC appeared to be what I was missing.
08-10-2017 01:53 PM
These steps worked originally. However, I'm now having the same problem after removing the profile, disabling wifi on the device, removing the wifi session from the WLC, and removing the endpoint from ISE.
08-11-2017 04:41 AM
I would recommend contacting the TAC then for further assistance.