I want to implement a BYOD solution on
WiSM(1) with code 7.0.220 + ISE 1.1.4.
Because 7.0.220 doesn't support Open + MAC Filtering + RADIUS NAC for dual SSID,
it only supports the single-SSID solution...
It works with iPhone, iPad and Win7,
but Android fails.
Android always shows that it cannot detect the ISE server.
The Android spw.log only logs that it cannot detect ISE.
With Wireshark I see Android send a few packets to its default (Android's) gateway on port 80 and to enroll.cisco.com:80.
It seems the WiSM did not redirect the packets to ISE...??
Has anyone succeeded with single SSID on WiSM (7.0.220) with Android??
You need to allow tcp 8905 in your acl.
Sent from Cisco Technical Support iPad App
This is my ACL with permit 8905 added:
1. permit tcp 8905 any any
2. permit source ip = (ISE IP) any any
3. permit dest ip = (ISE IP) any any
4. permit dns any any
5. permit dhcp any any
6. permit googleplay any any
7. deny any any
Still not working on Android!!
Did you get this to work? The only way I could was to open port 80 to Google and allow some TW IP which users are redirected to when they download the app.
You are better off opening all access to Google. This is what is recommended by Cisco as well in some of the design guides.
*Please rate helpful posts*
But even opening all ports to Google, which I don't like, I wasn't able to get this to work. So I did a packet capture and found Google Play didn't have the Wi-Fi supplicant and users were getting redirected to 188.8.131.52, so I had to open access to that. After playing with my ACL I found I only had to open HTTP and HTTPS to Google, which still isn't a solution, since most people use Google as their default search engine and will only be redirected to the device registration page when they try to browse to something outside of Google. You said that Cisco has guides that say you need to open all access to Google; do you have a link? The guides I found didn't mention that but mentioned other ports that I found are not required.
I will try searching for the guides, and the ports that are in the guide are not accurate, much like you referenced. This was brought up while I was at a partner event at Cisco. If this is a problem with your customer as it is with mine, I create a playbook for onboarding Android users and explicitly explain that users must reach out to yahoo.com to trigger the redirection scenario.
Much like you found with your packet capture, the ports highlighted in the current guides are not accurate to allow sufficient access to the Google Play store, and most communication is done over 80 and 443.
*Please rate helpful posts*
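The behaviour described in the posts above, modelled as an added example (not code from the thread or from Cisco): a first-match pre-auth ACL in which permitted flows bypass the portal and only plain HTTP that reaches the final deny is redirected to ISE. The ISE address, the /16 standing in for "74.125.x.x", the DHCP port, the sample flows and the HTTP-only redirect rule are assumptions of this model.

```python
import ipaddress

ISE_IP = "10.0.0.10"  # constructed placeholder; the thread only says "(ISE IP)"

# Constructed model of the pre-auth ACL discussed in the thread, first match wins.
# Rule = (action, protocol, destination network, destination port or None for any).
ACL = [
    ("permit", "tcp", ISE_IP + "/32", 8905),   # tcp 8905 from the thread
    ("permit", "any", ISE_IP + "/32", None),   # all traffic to ISE
    ("permit", "udp", "0.0.0.0/0", 53),        # DNS
    ("permit", "udp", "0.0.0.0/0", 67),        # DHCP (server port, assumed)
    ("permit", "tcp", "74.125.0.0/16", 80),    # Google range quoted in the thread
    ("permit", "tcp", "74.125.0.0/16", 443),
    ("deny", "any", "0.0.0.0/0", None),        # everything else
]


def evaluate(proto, dst_ip, dst_port, acl=ACL):
    """Return 'pass', 'redirect' or 'drop' for one pre-auth client flow."""
    dst = ipaddress.ip_address(dst_ip)
    for action, rule_proto, net, port in acl:
        if rule_proto not in ("any", proto):
            continue
        if dst not in ipaddress.ip_network(net):
            continue
        if port is not None and port != dst_port:
            continue
        if action == "permit":
            return "pass"  # permitted traffic never sees the portal
        # Model assumption: only plain HTTP that hits a deny is redirected to ISE.
        return "redirect" if (proto, dst_port) == ("tcp", 80) else "drop"
    return "drop"


def report(flows):
    """Map each constructed flow label to its ACL outcome."""
    return {label: evaluate(*flow) for label, flow in flows.items()}


# Constructed sample flows; 203.0.113.80 stands in for a non-Google site.
FLOWS = {
    "browser home page on Google": ("tcp", "74.125.1.1", 80),
    "Play store over HTTPS": ("tcp", "74.125.1.1", 443),
    "non-Google site over HTTP": ("tcp", "203.0.113.80", 80),
    "non-Google site over HTTPS": ("tcp", "203.0.113.80", 443),
    "provisioning to ISE": ("tcp", ISE_IP, 8905),
}

if __name__ == "__main__":
    for label, outcome in report(FLOWS).items():
        print(f"{outcome:8} {label}")
```

In this model a client whose first request goes to Google passes straight through, which matches the observation that users reach the device registration page only after browsing to something outside Google.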
It works for downloading the app only..
I allow any any to the Google IPs (74.125.x.x) (which I got by pinging play.google.com using my ISP DNS).
I can download the app and install it,
but the most important part fails:
when I run Cisco Network Assistant,
it always shows that it cannot detect the ISE server..
WLC 4400 or WiSM do not support single SSID for Android