ISE Guest with BYOD Call Flow

Vivek Ruhil
Cisco Employee
  1. As per the call flow, ISE needs to connect with the Google Play Store and download our network assistance app. The problem they are facing is that ISE is not able to connect with the Play Store for some devices, and for some devices it does connect, but the user then has access to all the Play Store apps. Whereas for the Apple App Store it downloads the app just fine. Any thoughts on this?
  2. The customer is doing authorisation based on certificates; once he revokes a certificate, it takes 60 minutes before the same user can re-register through the whole process. Is there a way this time can be reduced?
  3. In the BYOD call flow, can we have differentiated access for users? Meaning user 1 can only have one device accessing the Internet, but user 2 with higher privilege can have 2 devices.
Accepted Solution

hslai
Cisco Employee

In the BYOD flow, ISE does not connect to or proxy the requests to either Google Play or the Apple App Store. Instead, ISE orchestrates the authorization profiles, which usually include some access list and/or DACL, to grant to a client on the NAD. The issue you are describing looks like a problem with the ACL. I would suggest you take a PCAP capture over the air. Google Play uses regional/locally significant content distribution networks, which may span several IP network ranges and DNS domain names. Another solution is to provide Internet access during the provisioning, or at least for downloading the app.

To your question on 60 minutes after revoking a certificate, it seems related to ISE anomalous client detection, which has a default rejection interval of 60 minutes.

To your question on varying the number of registered devices by some user criteria, this is not currently supported. Please direct this to the ISE product management team.
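To act on the advice above (capture over the air, then work out which Play Store names and ranges the redirect-state ACL is blocking), here is an added example script that is not from this thread or from Cisco. It reads constructed four-column DNS-answer lines (time, client MAC, queried name, answer), groups one client's answers by second-level domain and /24, and renders IOS-style extended ACL lines for review; the names, addresses, ACL name and the use of port 443 are assumptions, and whether "permit" means allow or redirect depends on the NAD.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed DNS answers from an over-the-air capture of an Android client sitting
# in the ISE redirect state (hypothetical names and documentation addresses).
CAPTURE = """\
10:01:02 aa:bb:cc:dd:ee:01 play.googleapis.com 203.0.113.10
10:01:02 aa:bb:cc:dd:ee:01 play.googleapis.com 203.0.113.11
10:01:03 aa:bb:cc:dd:ee:01 android.clients.google.com 198.51.100.7
10:01:04 aa:bb:cc:dd:ee:01 play-lh.googleusercontent.com 192.0.2.40
10:01:04 aa:bb:cc:dd:ee:01 play-lh.googleusercontent.com 192.0.2.77
10:01:09 aa:bb:cc:dd:ee:02 ise.example.corp 10.10.10.5
"""
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")  # time mac fqdn answer


def parse_capture(text):
    """Yield (client_mac, fqdn, ip_address) from the four-column lines."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # tolerate blank or malformed lines
        _ts, mac, name, ip = m.groups()
        yield mac, name.lower().rstrip("."), ipaddress.ip_address(ip)


def summarize(text, client_mac, prefix_len=24):
    """Per second-level domain (crude: last two labels), collect the FQDNs seen
    and the /prefix_len networks their answers fell into for one client."""
    names, nets = defaultdict(set), defaultdict(set)
    for mac, name, ip in parse_capture(text):
        if mac != client_mac or ip.version != 4:
            continue
        key = ".".join(name.split(".")[-2:])
        names[key].add(name)
        nets[key].add(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
    return {k: (sorted(names[k]), sorted(nets[k])) for k in nets}


def acl_lines(summary, acl_name="PRE-AUTH-ANDROID"):
    """Render IOS-style extended ACL entries (wildcard masks) for review;
    whether 'permit' means allow or redirect depends on the NAD."""
    out = [f"ip access-list extended {acl_name}"]
    for dom, (_, nets) in sorted(summary.items()):
        out.append(f" remark {dom}")
        for n in nets:
            out.append(f" permit tcp any {n.network_address} {n.hostmask} eq 443")
    return out
```

Run `acl_lines(summarize(CAPTURE, "aa:bb:cc:dd:ee:01"))` against a real capture export in the same four-column shape; the /24 grouping is deliberately coarse, so compare the result with the ACL actually applied before widening anything.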


To expand on hsing's comment on allowing Internet access to download the app for Android, this can be accomplished a few different ways.

In the redirect state, when the device is profiled as Android, you can allow all Internet access; since these are your employees, that should be fine. You could also return an authz profile that times out the session after 15 min so they aren't allowed to do this forever.

Another option is dual-SSID onboarding.

Have the user connect to the secure SSID for onboarding, which gives limited access to email and maybe the Internet, but if they want access to internal resources then they will be redirected to go through the BYOD flow.

A third is to have the user download the app before connecting to the network.