This document lists changes made to endpoint operating systems that impact the BYOD flow for end users.
Prior to troubleshooting endpoint issues, please follow these steps first:
If you see OS support issues, update the OS fingerprinting database on ISE: go to Administration > System > Settings, then Posture > Updates, and click the ‘Update Now’ button. The update may take about 10 minutes to complete. Although this update is for posture, the BYOD flow uses the same update to identify the browser user agent string and get OS information from the client. This menu is available to set up even if the deployment does not have any Apex license.
For Android, make sure to download the latest version of the SPW app from the Google Play Store.
For Windows and macOS, make sure to download the latest SPW from Cisco to ISE and update the Client Provisioning Policy to reflect the newer version of SPW.
CSCvp32898 Day0: Android Qbeta is not able to complete the BYOD flow
Android 9 (Pie)
If the BYOD profile includes web proxy settings, SPW requires the user to establish an Android work profile if one is not already present on the endpoint.
With the single-SSID flow, the user has to delete the SSID setting (the one that was used to connect with PEAP-MSCHAPv2) for EAP-TLS to function. The user is guided through this via overlay instructions.
Android 6 (Marshmallow) and above
Uses EST instead of SCEP between the endpoint and ISE. This requires additional policies on ISE and a change to the redirect ACL to allow EST server access from the endpoint. Due to this change, end users are required to enter network credentials for EST authentication in addition to the regular WebAuth/802.1X authentication.
Not in our control, Apple decision
When a non-well-known certificate is used for the BYOD portal, the iOS device requires the root CA certificate to be trusted before it accepts the rest of the profile.
After onboarding, disconnect from the guest SSID and reconnect to the secure SSID. Apple doesn't give us hooks to change this.
The iOS device now requires the user to go to profile settings manually, whereas before the user was able to open profiles within the browser.
The profile popup for the root CA certificate and the SCEP/WiFi profile popup happen back to back without the user acknowledging.
In a single-SSID flow, the iOS device is still connected with PEAP instead of EAP-TLS after CoA. The user has to disable wireless and re-enable it to connect with EAP-TLS.
Trying for a fix in 2.4 patch 9 (TBD); please contact TAC.