05-06-2016 01:58 AM
05-07-2016 12:47 AM
In the BYOD flow, ISE does not connect or proxy the requests to either Google Play or the Apple App Store. Instead, ISE orchestrates the authorization profiles, which usually include some access list and/or DACL, to grant to a client on the NAD. The issue you are describing looks like a problem with the ACL. I would suggest you take a PCAP capture over the air. Google Play uses a regional/locally significant content distribution network, which may span several IP network ranges and DNS domain names. Another solution is to provide Internet access during the provisioning, or at least for downloading the app.
To your question on 60 minutes after revoking a certificate, it seems related to ISE anomalous client detection, which has a default rejection interval of 60 minutes.
To your question on varying the number of registered devices by some user criteria, this is not currently supported. Please direct this to the ISE product management team.
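As an added example (not part of the original reply and not Cisco code), one way to read the capture suggested above is to list destinations the client sent a TCP SYN to without getting a SYN-ACK back, together with the DNS names that resolved to them, and compare that list against the ACL/DACL in the authorization profile. The packet tuples, addresses and hostnames below are constructed sample data standing in for fields exported from a real capture, and an unanswered SYN is only a candidate for an ACL drop.

```python
from collections import defaultdict

CLIENT = "10.0.0.50"  # constructed address of the onboarding client

# Constructed capture summary, one tuple per packet:
#   ("dns", hostname, answer_ip)                 DNS A answer seen by the client
#   ("tcp", src, dst, server_port, flags)        "S" = SYN, "SA" = SYN-ACK
PACKETS = [
    ("dns", "store.example.test", "192.0.2.10"),
    ("dns", "cdn1.example.test", "198.51.100.20"),
    ("dns", "cdn2.example.test", "203.0.113.30"),
    ("tcp", CLIENT, "192.0.2.10", 443, "S"),
    ("tcp", "192.0.2.10", CLIENT, 443, "SA"),
    ("tcp", CLIENT, "198.51.100.20", 443, "S"),
    ("tcp", CLIENT, "198.51.100.20", 443, "S"),  # SYN retransmission
    ("tcp", CLIENT, "203.0.113.30", 443, "S"),
    ("tcp", CLIENT, "203.0.113.99", 443, "S"),   # no DNS answer seen for this IP
]

def unanswered_destinations(packets, client):
    """Return (ip, port, syn_count, hostnames) for SYNs that got no SYN-ACK."""
    names = defaultdict(set)   # ip -> hostnames that resolved to it
    syns = defaultdict(int)    # (ip, port) -> SYNs sent by the client
    answered = set()           # (ip, port) pairs that returned a SYN-ACK
    for pkt in packets:
        if pkt[0] == "dns":
            _, name, ip = pkt
            names[ip].add(name)
        elif pkt[0] == "tcp":
            _, src, dst, port, flags = pkt
            if src == client and flags == "S":
                syns[(dst, port)] += 1
            elif dst == client and flags == "SA":
                answered.add((src, port))
    report = []
    for (ip, port), count in sorted(syns.items()):
        if (ip, port) not in answered:
            hosts = sorted(names.get(ip, {"<no DNS answer seen>"}))
            report.append((ip, port, count, hosts))
    return report

if __name__ == "__main__":
    for ip, port, count, hosts in unanswered_destinations(PACKETS, CLIENT):
        print(f"{ip}:{port} SYNs={count} names={', '.join(hosts)}")
```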
05-07-2016 05:09 AM
To expand on hsing's comment on allowing Internet access to download the app for Android, this can be accomplished a few different ways:
In the redirect state, when the device is profiled as Android, you can allow all Internet. Since these are your employees, that should be fine. You could also return an authz profile that times out the session after 15 min so they aren't allowed to do this forever.
Another option is dual-SSID onboarding:
have the user connect to the secure SSID for onboarding, which gives limited access to email and maybe Internet, but if they want access to internal resources then they will be redirected to go through the BYOD flow.
A third is to have the user download the app before connecting to the network.