Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5660
Views
19
Helpful
8
Replies

ISE BYOD with Android device

Go to solution
Ibrahim Jamil Jamus
Level 1
Level 1

‎05-30-2013 06:09 AM - edited ‎03-10-2019 08:29 PM

hi

i deployed ISE for BYOD and its working fine for windows and Apple devices. the issue is with android. sometimes i can register the devices in MY DEVICES portal and ISE will redirect me to download the network assistant tool. and sometimes it refuses to register the devices and its showing this error for some devices "unsupported operating system type encountered" and showing this error for the others "We are unable to determine access privileges in order to access the netwotk. Please contact your administrator"

does anyone know how to solve this issue?

thanks in advance.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Richard Atkin
Level 4
Level 4
In response to Ibrahim Jamil Jamus

‎05-31-2013 06:03 AM

Ok, so the obvious things for the first part of the problem are;

Is the Android Client using a supported OS? Check here;

http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp80321

Are you using the latest Supplicant Provisioning plugins in ISE? And are you using the latest version of ISE?

Do the failing Clients have anything in common? Same hardware, OS Version, etc?

The second issue, where  you get "We are unable to determine access privileges in order to access the netwotk. Please contact your administrator" is typically caused by one of three things.  Either your Client has been idle for too long and the session has timed out, the ISE hasn't been able to Profile your device yet (and so doesn't know how to provision it), or you haven't configured ISE with an Android Supplicant Provisioning config.

Finally, I've had that last problem before, albeit on a different handset, I missed some ports/protocols/hosts on my ACL

View solution in original post

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎06-01-2013 05:14 AM

Ibrahim,

The "View Full Website" option available in many mobile browsers causes it to send false information regarding the OS in use so sending a false OS interferes with the  self-provisioning flow on ISE, preventing the registration of the device.

Disable the "View Full Website" (or similar) option during the registration process and see if it helps.

I think there was an enhancement filed regarding the same, will find and provide you the same.

Regards,

Jatin

-Do rate helpful posts-

~Jatin

View solution in original post

8 Replies 8

Go to solution
Richard Atkin
Level 4
Level 4

‎05-30-2013 09:27 AM

Which ports and protocols have you allowed out to the Internet?

Sent from Cisco Technical Support iPad App

0 Helpful

Go to solution
Ibrahim Jamil Jamus
Level 1
Level 1
In response to Richard Atkin

‎05-31-2013 04:42 AM

well i opened all the ports to google, samsung, and sony App Stores Public IP addresses.

btw i want to add another issue. when Android devices register with ISE, then ISE redirect the device to play.google.com to download the Network Assistant tool. the device can download the software but it can't install it because the file type is not recognized by the device.

Note: i made the test with Sony Xperia

0 Helpful

Go to solution
Richard Atkin
Level 4
Level 4
In response to Ibrahim Jamil Jamus

‎05-31-2013 06:03 AM

Ok, so the obvious things for the first part of the problem are;

Is the Android Client using a supported OS? Check here;

http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp80321

Are you using the latest Supplicant Provisioning plugins in ISE? And are you using the latest version of ISE?

Do the failing Clients have anything in common? Same hardware, OS Version, etc?

The second issue, where  you get "We are unable to determine access privileges in order to access the netwotk. Please contact your administrator" is typically caused by one of three things.  Either your Client has been idle for too long and the session has timed out, the ISE hasn't been able to Profile your device yet (and so doesn't know how to provision it), or you haven't configured ISE with an Android Supplicant Provisioning config.

Finally, I've had that last problem before, albeit on a different handset, I missed some ports/protocols/hosts on my ACL

Go to solution
Ibrahim Jamil Jamus
Level 1
Level 1
In response to Richard Atkin

‎06-01-2013 12:18 AM

That Richard for your reply.

here is the answers for your questions.

Is the Android Client using a supported OS?

yes it is.

Are you using the latest Supplicant Provisioning plugins in ISE? And are you using the latest version of ISE?

im using 1.1.4.218, and i think i have the latest supplicant provisioning plugins cause i run the updates almost every week and i cant find any newer plugins. is there is any Cisco document that has the latest plugins versions.

Do the failing Clients have anything in common? Same hardware, OS Version, etc?

no, diffirent hardware and OS versions.

For the second issue, yes it was because of the max. idle time.

for the third one, can you tell me what do i have to add more to the ACLs.

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎06-01-2013 05:14 AM

Ibrahim,

The "View Full Website" option available in many mobile browsers causes it to send false information regarding the OS in use so sending a false OS interferes with the  self-provisioning flow on ISE, preventing the registration of the device.

Disable the "View Full Website" (or similar) option during the registration process and see if it helps.

I think there was an enhancement filed regarding the same, will find and provide you the same.

Regards,

Jatin

-Do rate helpful posts-

~Jatin

Go to solution
Ibrahim Jamil Jamus
Level 1
Level 1
In response to Jatin Katyal

‎06-02-2013 01:40 AM

Jatin,

thanks for your reply. really appreciate your effort.

but in my case i have 5000 users and more than 10000 endpoints. you can do the math . i guess there is something missing here.

for the other issues, The reason is the ACL, i didnt permit the access to all play.google.com IP addresses. so it was my mistake.

thanks alot guys for your help.

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to Ibrahim Jamil Jamus

‎06-02-2013 02:00 AM

10000 endpoints with this issue...I understand :)

I was able to find a product enhancement request on this matter.

CSCud86946    Add hint to SPP "OS Not Supported" page re:Android "Full Website" option

From the description of the Enhancement:

This is an enhancement request to add a message to Android users prompting them to investigate whether this type of option is set in their web browser. Long term, it would be ideal if we had a more graceful way to handle this issue but adding a simple message to the user should improve their experience through self help.

You may contact your cisco  accounts team so that they can talk to ISE BU to get this addresses soon.

Have a blessed day !!!

Jatin Katyal
- Do rate helpful posts -

~Jatin

Go to solution
Ibrahim Jamil Jamus
Level 1
Level 1
In response to Jatin Katyal

‎06-02-2013 02:57 AM

well not all the 10000 devices are android devices. but it should be a huge number .

btw i tried to register the devices with this error from a diffirent browser and it works for me. PS: i used the devices default browser.

thanks again bro for your effort.

im still stuck with the "Package is invalid" error when i download Network setup tool from the BYOD SSID guys. if anyone know what is the solution please let me know.

0 Helpful
Customers Also Viewed These Support Documents