ISE BYOD Endpoint notes


This document tracks changes made to endpoint operating systems that impact the BYOD flow for end users.

Before troubleshooting endpoint issues, follow these steps first:

  • If you see supported-OS issues, update the OS fingerprinting database on ISE: go to Administration > System > Settings > Posture > Updates, then click the ‘Update Now’ button. It may take about 10 minutes to complete. Although this update is for posture, the BYOD flow leverages the same update to identify the browser user-agent string and derive OS information from the client. This menu is available to set up even if the deployment does not have any Apex license.
  • For Android, make sure to download the latest version of the SPW app from the Google Play store.
  • For Windows and macOS, make sure to download the latest SPW from Cisco to ISE and update the Client Provisioning Policy to reflect the newer version of SPW.

Android devices

Android 10

CSCvs21111 - androidQ with mdm and mac randomization issues

CSCvp32898 Day0: Android Qbeta is not able to complete the BYOD flow 

Android 10 generates a random MAC address every time a new connection profile is created. This causes a few problems for the ISE BYOD flow:

  • Dual SSID: You can no longer use MAC in the SAN condition, as the MAC address changes between the first connection on the open SSID and the 802.1X SSID. Also, the burned-in MAC address is not visible within the My Devices Portal.
  • Single SSID: Even when random MAC is enabled, SPW captures the random MAC and uses it as the identity.
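The check below is an added example, not part of the original note: it flags locally administered (randomized) MAC addresses in a constructed endpoint export and compares a SAN MAC with the session MAC, which is the comparison that fails in the dual-SSID flow once the device re-randomizes. The CSV columns and values are constructed, not ISE's export schema.

```python
"""Flag randomized MAC addresses in an endpoint export and show why a
MAC-in-SAN comparison fails once an Android 10 device re-randomizes."""
import csv
import io
import re

# Constructed sample export; column names are assumptions, not ISE's real schema.
SAMPLE_ENDPOINTS_CSV = """\
MACAddress,EndPointPolicy,PortalUser
1C:36:BB:0A:11:22,Android,alice
DA:A1:19:3C:4D:5E,Android,bob
4E:22:F1:00:AB:CD,Android,carol
00:0C:29:5F:60:71,Windows10-Workstation,dave
"""

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")

def _normalize(mac: str) -> str:
    """Upper-case hex with separators removed, so 'da-a1-..' == 'DA:A1:..'."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return re.sub(r"[:-]", "", mac.upper())

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set. Randomized MACs
    carry this bit, so the second hex digit is always 2, 6, A or E."""
    return bool(int(_normalize(mac)[:2], 16) & 0x02)

def flag_randomized(export_csv: str) -> list[tuple[str, str]]:
    """Return (mac, user) for each endpoint whose MAC is locally administered.
    A MAC-in-SAN condition cannot match these: Android 10 picks a new one per
    SSID, so the MAC seen on the open SSID differs from the 802.1X-SSID MAC."""
    flagged = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if is_locally_administered(row["MACAddress"]):
            flagged.append((row["MACAddress"].upper(), row["PortalUser"]))
    return flagged

def san_mac_matches_session(san_mac: str, session_mac: str) -> bool:
    """The dual-SSID check: does the MAC embedded in the certificate SAN equal
    the MAC on the current 802.1X session? Separator and case differences are
    tolerated; a re-randomized address is not."""
    return _normalize(san_mac) == _normalize(session_mac)

if __name__ == "__main__":
    for mac, user in flag_randomized(SAMPLE_ENDPOINTS_CSV):
        print(f"{user}: {mac} is randomized; a MAC-in-SAN condition will not match")
```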

Android 9 (Pie)

  • If the BYOD profile includes web proxy settings, SPW requires the user to establish an Android work profile if one is not already present on the endpoint.
  • With the single-SSID flow, the user has to delete the SSID setting that was used to connect with PEAP-MSCHAPv2 before EAP-TLS will function. The user is guided via overlay instructions.

Android 6 (Marshmallow) and above

  • Uses EST instead of SCEP between the endpoint and ISE. This requires additional policies on ISE and a change to the redirect ACL to allow EST server access from the endpoint. Because of this change, end users are required to enter network credentials for EST authentication in addition to the regular WebAuth/802.1X authentication.

iOS devices

General

  • When a certificate that is not from a well-known CA is used for the BYOD portal, the iOS device requires the root CA certificate to be trusted before it accepts the rest of the profile.
  • Dual SSID
    • After onboarding, the user must disconnect from the guest SSID and reconnect to the secure SSID. Apple does not give us hooks to change this behaviour.

iPadOS 13

iPadOS defaults to desktop mode in the Safari browser, which sends a desktop user-agent string and causes iPads to be profiled as macOS. Fixing this iPadOS issue for BYOD requires a new ISE patch that provides a way to choose your own OS on the BYOD page.

Bug ID CSCvr43077 - there was an issue with iPadOS 13.x, addressed in 2.6 patch 3, 2.4 patch 11 and 2.2 patch 16.

iOS 12.2

  • iOS devices now require the user to manually go to profile settings, whereas before the user could open profiles within the browser.
  • The profile popup for the root CA certificate and the SCEP/WiFi profile popup happen back to back without the user acknowledging.
  • In a single-SSID flow, the iOS device is still connected with PEAP instead of EAP-TLS after CoA. The user has to disable Wireless and re-enable it to connect with EAP-TLS.
  • A fix is being attempted in 2.4 patch 9 (TBD); please contact TAC.
    • CSCvp54992   BYOD provisioned profile doesn't automatically configure EAP TLS in IOS 12.2
    • CSCvp54949   BYOD flow is broken in IOS 12.2
    • CSCvo58362   Day0: IOS 12.2 is not able to install Certificate/profile Automatically

[Embedded video (no audio)]

macOS

10.12 (High Sierra)

  • When the CNA BYOD (mini browser) flow is used and the user clicks a hyperlink in the CNA browser, the link opens within the CNA browser instead of a full browser, which breaks the BYOD flow.

ChromeOS

Version 76

  • The BYOD flow is successful, but the endpoint cannot connect to the network provisioned by NSP.

General certificate guidance

For BYOD to work correctly across mobile devices, the portal certificate needs to adhere to the following:

  • Well-known certificate (no self-signed)
  • Beware of cross-signing issues, where another root CA cross-signs a different CA's intermediate certificate.
    • Customers should view the certificate chain before buying the certificate.
  • Apple iOS device issue with GoDaddy G2 certificates that have a 4-certificate chain
    • Cisco is investigating with Apple but has not determined whether this is an Apple or GoDaddy issue (as of 12/5/19).
      • FB7443832 (Apple case): iPhone is not working with a certificate chain with 4 or more certificates
    • CSCvo13951 ISE BYOD Apple Mac will not work with a certificate chain with 4 or more certificates
      • CSCvr83823 is a duplicate of CSCvo13951.

Example of working vs. non-working chains. We don't endorse or promote any specific provider.

[Image: certchainbyodssl.png, working vs. non-working certificate chains]
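As an added example (not from the original note or from Cisco), the script below audits a portal certificate chain for the three problems listed above: four or more certificates, cross-signed intermediates, and a self-signed certificate. It reads the `subject=`/`issuer=` lines that `openssl pkcs7 -print_certs -noout` prints for a chain captured with `openssl s_client -showcerts`; the sample chain and CA names are constructed placeholders.

```python
"""Audit a BYOD portal certificate chain for the issues listed above: four or
more certificates, cross-signed intermediates and a self-signed certificate."""
from collections import defaultdict

# Constructed sample in the subject=/issuer= format of `openssl pkcs7 -print_certs -noout`;
# the CA names are placeholders, not a real provider's chain.
SAMPLE_CHAIN_DUMP = """\
subject=CN = byod.example.com, O = Example Corp
issuer=CN = Example Issuing CA, O = Example Trust Services
subject=CN = Example Issuing CA, O = Example Trust Services
issuer=CN = Example Root G2, O = Example Trust Services
subject=CN = Example Root G2, O = Example Trust Services
issuer=CN = Example Root G2, O = Example Trust Services
subject=CN = Example Issuing CA, O = Example Trust Services
issuer=CN = Legacy Root G1, O = Other Trust Services
"""

def parse_chain_dump(text: str) -> list[tuple[str, str]]:
    """Return (subject, issuer) pairs in the order the server presented them."""
    certs, subject = [], None
    for line in text.splitlines():
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer=") and subject is not None:
            certs.append((subject, line[len("issuer="):].strip()))
            subject = None
    return certs

def check_chain(text: str) -> dict:
    """Summarise the served chain and list findings relevant to Apple onboarding."""
    certs = parse_chain_dump(text)
    issuers_of = defaultdict(set)          # subject -> every issuer seen for it
    for subject, issuer in certs:
        issuers_of[subject].add(issuer)
    all_issuers = {issuer for _, issuer in certs}
    leaves = [s for s, _ in certs if s not in all_issuers]  # no cert names them as issuer
    findings = []
    if len(certs) >= 4:
        findings.append(f"{len(certs)} certificates served; 4 or more breaks iOS/macOS onboarding")
    findings += [f"cross-signed: {s}" for s in sorted(issuers_of) if len(issuers_of[s]) > 1]
    if certs and not leaves:  # every subject also issues something: the portal cert signs itself
        findings.append("self-signed portal certificate")
    return {"served": len(certs), "leaf": leaves[0] if leaves else None, "findings": findings}

if __name__ == "__main__":
    for finding in check_chain(SAMPLE_CHAIN_DUMP)["findings"]:
        print("WARNING:", finding)
```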
