12-03-2020 06:33 AM
Hi,
We have several Android TVs (OS Android 7.1.2) that were deauthenticated 6 months after they were installed. The TVs were connected by Wi-Fi but had no internet access. The Wi-Fi credentials needed to be entered again on the TVs for them to work on the internet.
The TVs are connected to a WLC and send RADIUS requests to ISE (MAB).
In the ISE RADIUS report, I can see that on the day the internet stopped, the "endpoint profile" changes from ANDROID to UNKNOWN. Could it be the trigger?
Is there any session time of 6 months configured in ISE or the WLC?
Any idea?
12-03-2020 06:18 PM - edited 12-03-2020 06:19 PM
A couple of things to consider: Take a peek at your global profiling CoA setting to see if you have it set to reauth after an endpoint profile change (Administration->System->Settings->Profiling). Here are your options:
No CoA (default)—You can use this option to disable the global configuration of CoA. This setting overrides any configured CoA per endpoint profiling policy. If the goal is only visibility, retain the default value as No CoA.
Port Bounce—You can use this option if the switch port exists with only one session. If the port exists with multiple sessions, then use the Reauth option. If the goal is to immediately update the access policy based on profile changes, select the Port Bounce option; this will ensure that any clientless endpoint is reauthorized and its IP address is refreshed, if required.
Reauth—You can use this option to enforce reauthentication of an already authenticated endpoint when it is profiled. Select the Reauth option if no VLAN or address change is expected following the reauthorization of the current session.
I would recommend identifying unique attributes you can utilize to create a custom profile for your Android TVs. Make sure you set the MCF higher to ensure the TVs get properly profiled and eliminate the possibility of profile changes. See here for assistance: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
HTH!
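An added example, not part of the original reply and not Cisco tooling: a short script that lists endpoints whose profile changed, and in particular those that fell back from a known profile to Unknown as described in the question, so the change dates can be lined up with the loss of access. The CSV column names (`timestamp`, `endpoint_id`, `endpoint_profile`) and the sample rows are constructed assumptions, not the ISE report export schema.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample rows; column names are assumptions, not ISE's export schema.
SAMPLE_CSV = """timestamp,endpoint_id,endpoint_profile
2020-06-01 08:00:00,AA:BB:CC:00:00:01,Android
2020-11-30 08:00:00,aa-bb-cc-00-00-01,Android
2020-12-01 08:00:00,aabb.cc00.0001,Unknown
2020-06-01 08:05:00,AA:BB:CC:00:00:02,Android
2020-12-02 09:00:00,AA:BB:CC:00:00:02,Android
2020-12-01 07:00:00,AA:BB:CC:00:00:03,Unknown
2020-12-01 07:30:00,AA:BB:CC:00:00:03,Android
"""

def normalize_mac(value):
    """Reduce colon, dash or dotted MAC notations to one canonical form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def profile_changes(csv_text):
    """Return (mac, time, old_profile, new_profile) for every profile change."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append((normalize_mac(row["endpoint_id"]), when,
                     row["endpoint_profile"].strip()))
    rows.sort(key=lambda r: (r[0], r[1]))  # per endpoint, oldest first
    changes, last = [], {}
    for mac, when, profile in rows:
        previous = last.get(mac)
        if previous is not None and previous.lower() != profile.lower():
            changes.append((mac, when, previous, profile))
        last[mac] = profile
    return changes

def lost_profile(csv_text):
    """Changes where a known profile fell back to Unknown."""
    return [c for c in profile_changes(csv_text) if c[3].lower() == "unknown"]

if __name__ == "__main__":
    for mac, when, old, new in lost_profile(SAMPLE_CSV):
        print(f"{when:%Y-%m-%d %H:%M} {mac}: {old} -> {new}")
```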