1:

I'm running the very latest 8.1.102.0. My WLANS are local switched so I'm using flexconnect ACL and then DNS is not support. I could howerver change this to central switching. This is as I said a lab environment but it would be nice to have this feature in an flexconnect environment as well.

I actually did try to use DNS ACLs but it didnt work perhapse I used the wrong DNS names. Do you have the correct ones to use? Also when using DNS ACLs is it enough to open to ISE, DNS, DHCP and then block everything else, will the DNS option take care of everything else.

Update: I tried adding the Session:Device-OS EQUALS Android to a new rule above the BYOD_NOREG but it dosent seem to work. For some reason my android device dosent match that rule. Is there something additional I have to configure for it to work. If I check the endpoint mac adress I see thats its profiled as an Android device. Any suggestions?

2: I actually downloaded the app over 3g/4g prior to connect. During the onboarding when I reach the Google Play link I manually start the app. There I'm presented with the "Unable to download profile (Have you logged in to the quest portal?)" error. Looking in the spw log it seems that I discover the ISE without problem but then something happens.

ISE=10.0.0.31

DNS=10.0.0.20

Can it be a certificate trust issue?

I'm using the internal CA. I've acquired a public signed wildcard cert from startcom startssl (they are free) and there have been som issues with devices not having there root CA in there trusted store. But I think I have seen confiurations example with self-signed certificates so this should not be a problem but I'm not sure.

I also tried blocking the default gw and enroll.cisco.com in the redirect acl but that didnt help.

Do you have any other idea?

Update:

There seems to be som issue with Andorid 5.X Lollipop. I tried with 3 diffrent models all running Lollipop (Oneplus One, Sony Z3 Compact and LG G2) and all failed. Then I tried with an older Samsung S2 and then the Network Setup Assistant worked flawless!

However I'm still not matching the new rule with Session:DeviceOs==Android and I'm still not sure how the DNS-ACL rule should look like.

I have tested this in my lab with Galaxy S5 running Lollipop (5.0) and did not have any issues. My rules are:

1. If: RegisteredDevices AND EapAuthentication = EAP-TLS THEN Full Access

2. If: RegisteredDevices AND AD1:ExternalGroup = Ise-provision AND EapAuthentication = MSCHAPv2 AND EndPoints: LogicalProfile = Android_Device THEN NSP_Android

3. If: AD1:ExternalGroup = Ise-provision AND EapAuthentication = MSCHAP THEN NSP_Standard

4. Default = DenyAccess

The DNS ACL allows you to add DNS entries so you won't have to have a wide open (to the internet) ACL. For instance, you can provide an entry for play.google.com

Thank you for rating helpful posts!

I'm not matching the new rule with Session:DeviceOs=Android too. You created a rule based in LogicalProfile and Witch profilies you put in? I have a Samgung Android Smartphone and the profile is samsung-device for example.

My logical profile contains any Android devices. You should be getting that information along with the device OS via profiling. Can you confirm with me what you have configured for:

1. Device profiling > Under the advanced tab on the WLC WLAN?

2. Profiling Probes > In ISE

3. CoA Setting > In ISE under System > Settings > Profiling

Thank you for rating helpful posts!

1.
Radius Client > only HTTP (because DHCP Addr. Assignment is disable)
Local Client > HTTP and DHCP

2.
DHCP / HTTP / RADIUS / SNMPQUERY

3.
No CoA

The first time the device hit ISE, the profile is unknow, after the AAA success, than the ISE can profile the device. But the OS device session never match the policy...

Is it necessary ip helper-address point to ISE in the WLC's interface?
 

1. Unless you have static DHCP assigned devices then you should be OK to enable the DHCP profiler in your WLC. 

2. That looks good

3. I would change the CoA to "Re-Auth". Also, in the same section, do you have the "EndPoint Attribute Filter" enabled? 

Thank you for rating helpful posts!

What's the difference between CoA to Re-Auth?

No, I don't have the "EndPoint Attribute Filter" enabled.

The re-auth CoA setting will force the device to re-auth each time it gets profiled to a different device. For instance, a device first tries to authenticate and it is uknown but gets profiled as Cisco device. ISE will issue a CoA re-auth and now the device will try to authenticate again. If during that process the device gets profiled to let's say Cisco-IP-Phone then a re-auth will be issued again. During that process the device gets profiled as a Cisco-IP-Phone-7940 a re-auth will happen again...this will continue until the device is profiled at its final stage. 

Thank you for rating helpful posts!

Nice, I will try it. And the option "EndPoint Attribute Filter", Is it necessary be enabled?

Sounds good. Let me know if this helps. At this point I would keep the Attribute Filter disabled. 

Hoping to bring this thread alive again!

I need your input Neno.

After a long parental leave I'm back and still facing some problems with Android devices.

I've configured the logical profile: Android but I'm having difficulties matching the correct rule. At the moment I'm using a singel-ssid onboarding procedure and when an Android device connects it skips the rule with the logical profile and goes direct to the generic rule. During this time I se that the device eventually gets profiled as an Android device but I do not see any COA. If the clients just idles then about 10 minutes later I do see that it matches the Android rule but that’s not fast enough.

Profiling settings is set to REAUTH but it seems that this doesn’t happen fast enough.

Also I've tried the URL-filter in WLC but it dosn't seem to work.