
ISE 2.1: Issue onboarding devices on Android 7 Nougat

Tim Verscheure
Level 1

Dear all,

I'm setting up a dual-SSID onboarding system using Cisco ISE 2.1 (Patch 1). However, I am having issues onboarding certain devices, especially the ones on the latest Android version. The guest portal with BYOD enabled is reachable up to the point where I need to download Cisco Network Setup Assistant.

Issue 1: I'm not able to download NSA from within the BYOD device registration portal. I added the following Android Play Store URLs in the redirect ACL using DNS names:

*.ggpht.com

play.google.com

android.clients.google.com

Issue 2: Via an accessible network I downloaded NSA and installed it manually. Then I tested it by 1) joining the provisioning SSID, 2) logging in successfully using AD credentials, 3) when it prompts me to download NSA, manually opening NSA and starting provisioning. This fails because it cannot find the server.

Setup:

ISE VM: 2.1 (patch 1)

WLC: 8.2.121.0

1. SSID "BYOD-PROVISIONING":

L2 sec.: none, MAC filtering enabled.

Adv.: "Allow AAA override" and "NAC State=ISE NAC"

2. SSID "BYOD-TLS":

L2 sec.: wpa2/aes/dot1x

Adv.: "Allow AAA override" and "NAC State=ISE NAC"

For both SSIDs, of course, the RADIUS server was added for auth and acct.

CoA was enabled for the ISE server.

I'm a little stuck here.

Does anyone have good troubleshooting tips for Android devices?

7 Replies

alberx
Level 1

In the redirect ACL you must permit access to the PSN ISE server on port 8443.

I have all of these to allow access to Google Play:

*.clients.google.com

play.google.com

clients.google.com

*ggpht.com

*.gght.com

*.store.google.com

*.google.com

*.l.google.com

*.googleusercontent.com

You can also check the file SPW.log on your endpoint to see where it fails (/sdcards/downloads/spw.log).

I tried using your recommendations regarding the URLs, but unfortunately downloading the app through the web-based Play Store remains troublesome:

- Whenever I install the app offline and I re-run the onboarding process, when I get to the "download supplicant" part, it says I can install the app.

- Whenever I remove the app and then re-run the onboarding process, when I get to the "download supplicant" part, it says the app is already installed.

This makes no sense.

I tried downloading my spw.log file but it remained empty except for the following lines:

2016.12.23 13:51:59 INFO:About to apply random number generator fix, if necessary.
2016.12.23 13:51:59 INFO:Done applying random number generator fix.

That's it. The weird thing is, I downloaded an older version of this supplicant, i.e. 2.1.0.50, and I installed it manually. Suddenly it worked! I looked at my spw.log file. Now it is properly filled with other messages.

I updated my app via the Play Store (outside the onboarding process) to the latest 2.1.0.51 and now this works as well...

The plot thickens...

Any comments from Cisco Development perhaps?

Got the same issues with onboarding a few Androids on the Google Play page. When I press the Google Play button it disconnects from the Wi-Fi connection.

Hope you can help.

I had the same problem, and in my case everything started to work when I updated posture and profiler services.

Administration --> Settings --> Posture --> Updates

Administration --> Feed Service --> Profiler

With the latest versions ISE started to recognise Android 7 correctly and onboarding was successful.

Hope that helps.

Phil Neil
Level 1

Hey,

Did you have any luck with this?

I'm experiencing the same issue with a customer's deployment.

Not so worried about issue #1; I think I can get that working.

Issue #2, though, I'd like to know how you resolved this?

Phil Neil
Level 1

Cisco releasing a new version of the Android network assistant resolved the cannot find server issue.

I still couldn't get the network assistant to download through the onboarding process.

What I've noticed is that DNS ACL is broken in a fair few versions of the WLC software.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus61445/?referring_site=bugquickviewredir

In 8.0.121 it's broken.

I'm upgrading our controller to 8.0.140 to resolve this; then I think Android onboarding should work seamlessly.

Matteo Abrile
Level 1

Hello,
I solved the problem... I download it before starting the onboarding, using the 3/4G network, then start the onboarding.

Bye

M.