Hi ISE experts
I'm currently facing an issue with the BYOD provisioning for Android devices.
Background: The supplicant policies have already been configured under the authorization policy in ISE. So far, the other devices are provisioning and onboarding without any issue. The Android devices are able to download the Cisco Network Setup Assistant however when trying to download the supplicant profile, an error message stating "Unable to detect Server. Please ensure your network access device is configured to redirect enroll.cisco.com to ISE" On the NSP_GOOGLE_ACL, i have already permitted 72.163.0.0 but still the issue persists.
WLC - 8.0.133
ISE - 2.2 Patch 2
Based on the Android workflow which was published in Using Certificates for Differentiate Access with Cisco Identity Services Engine, the flow stopped as shown in the image below.
When checking the spw.log on the android device, it shows that the gateway is unreachable.
2017.08.29 10:27:16 ERROR:java.net.SocketTimeoutException: failed to connect to /10.8.12.1 (port 80) after 2000ms
2017.08.29 10:27:16 ERROR:failed to connect to /10.8.12.1 (port 80) after 2000ms
2017.08.29 10:27:19 ERROR:DiscoverAsynchTask
2017.08.29 10:27:19 ERROR:java.net.SocketTimeoutException: failed to connect to enroll.cisco.com/72.163.1.80 (port 80) after 2000ms
2017.08.29 10:27:19 ERROR:failed to connect to enroll.cisco.com/72.163.1.80 (port 80) after 2000ms
2017.08.29 10:27:19 ERROR:Unable to discover ISE Server
2017.08.29 10:27:19 INFO:Internal system error.
I would like to know if we are actually suppose to use the NSP-ACL-GOOGLE to download the supplicant profile and certificate.
Somehow if the device is on the CWA Redirection ACL , it's able to download the supplicant profile without any issues.
Has anyone experienced this issue before?
Thanks
Regards
Ryan
