How to remove a BYOD Registered Device

Sean
Level 1

I'm new to ISE and testing the BYOD onboarding process.  I'll log in with an iPhone using AD credentials.  Apple's Captive Network Assistant (CNA) will automatically bring up the BYOD portal page.  I cancel out of CNA, because the browser is not supported.  (I usually have to connect and cancel CNA twice before the "Use without Internet" option shows up.)  Then, I'll navigate to a webpage with Safari, get redirected to the BYOD portal, and register the device.  The phone now has a profile and can log in with the certificate.  This part works.

Wanting to test different scenarios, I delete the profile off my phone.  Then, I'll go into Context Visibility > Endpoints and delete the device from ISE. 

I'll log back in using my AD credentials, since the profile with cert has been deleted.  CNA kicks in and redirects me to the BYOD portal.  (I am able to see the BYOD Portal page from CNA.)  I cancel out of CNA, because that browser is not supported.  Then, I'll navigate to a webpage with Safari and get redirected to the BYOD portal.  However, the BYOD portal is not displayed, although I was seeing it from CNA.  I get the error "Safari cannot open the page because it could not establish a secure connection to the server".

I have 4 Policy Service Nodes.  I initially onboarded the device on PSN1.  If I delete the profile and endpoint device, the BYOD portal page won't be displayed on PSN1.  However, I can complete the onboarding process on PSN2 (making PSN2 the primary RADIUS server in WLC).  If I delete the profile and endpoint device after registering on PSN2, the BYOD portal page won't be displayed on PSN2.  Then, I can complete the onboarding process on PSN3 and so on and so forth.  Basically, if I switch the PSN the WLC is using, I can re-register the phone.

Another thing I've noticed is that the phone shows up as a Registered Device in the RADIUS Logs, after it has been removed from Context Visibility > Endpoints.  It also has the same Result > State of ReauthSession: with the same session number. 

It seems like it still has a session on the PSN.

How can I completely remove it?

Thank you!

Sean

Accepted Solutions

Jason Kunst
Cisco Employee

The process to start over is the following:

Remove the profile from the device

Disable the wifi on the device

Remove the wifi session on the WLC

Remove the endpoint from ISE

Please see this information on proper use of the Apple mini browser for guest and BYOD:

https://communities.cisco.com/docs/DOC-71469

https://communities.cisco.com/docs/DOC-71122

https://communities.cisco.com/docs/DOC-71398

Thank you!  Disabling the wifi and removing the wifi session on WLC appeared to be what I was missing.

These steps worked originally.  However, I'm now having the same problem after removing the profile, disabling wifi on the device, removing the wifi session from WLC, and removing the endpoint from ISE.

I would recommend contacting the TAC then for further assistance.