This document lists changes made to endpoint operating systems that impact the ISE BYOD flow for end users.
Before troubleshooting endpoint issues, complete these steps first:
If you see supported-OS issues, update the OS fingerprinting database on ISE: go to Administration > System > Settings > Posture > Updates and click the 'Update Now' button. The update may take about 10 minutes to complete. Although this update is intended for posture, the BYOD flow uses the same data to parse the browser user-agent string and determine the client OS. This menu is available even if the deployment has no Apex license.
For Android, make sure to download the latest version of the SPW app from the Google Play Store.
For Windows and macOS, download the latest SPW from Cisco to ISE and update the Client Provisioning Policy to reference the newer SPW version.
CSCvs21111 - Android Q with MDM and MAC randomization issues
CSCvp32898 - Day 0: Android Q beta is not able to complete the BYOD flow
Android 10 generates a random MAC address every time a new connection profile is created. This causes a few problems for the ISE BYOD flow:
Dual SSID: You can no longer use the MAC address in a SAN condition, because the MAC address changes between the first connection on the open SSID and the connection on the 802.1X SSID. Also, the burned-in MAC address is not visible within the My Devices Portal.
Single SSID: Even when random MAC is enabled, SPW captures the random MAC and uses it as the device identity.
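To make the dual-SSID problem concrete, here is an added Python example (not part of the original document and not ISE's own logic) that evaluates a "MAC address in certificate SAN must equal the session MAC" condition the way the text describes it, and additionally flags a session MAC as randomized by checking the locally-administered bit (bit 1 of the first octet), which Android 10 sets on the per-profile random addresses. All MAC addresses and session records below are constructed sample values.

```python
import re

def normalize_mac(mac: str) -> str:
    """Accept any common MAC notation and return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set, i.e. the
    address is locally administered; randomized MACs set this bit."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)

def san_mac_condition(cert_san_mac: str, session_mac: str) -> bool:
    """The policy condition: the MAC embedded in the certificate SAN must
    equal the MAC of the session presenting that certificate."""
    return normalize_mac(cert_san_mac) == normalize_mac(session_mac)

def evaluate_dual_ssid(open_ssid_mac: str, dot1x_ssid_mac: str) -> dict:
    """Simulate the dual-SSID flow: the certificate is issued during the
    open-SSID session (so its SAN carries that MAC), then presented on
    the 802.1X SSID, which Android 10 joins with a different random MAC."""
    cert_san_mac = normalize_mac(open_ssid_mac)   # issued during open-SSID session
    match = san_mac_condition(cert_san_mac, dot1x_ssid_mac)
    randomized = is_locally_administered(open_ssid_mac) or is_locally_administered(dot1x_ssid_mac)
    return {
        "cert_san_mac": cert_san_mac,
        "dot1x_session_mac": normalize_mac(dot1x_ssid_mac),
        "san_match": match,
        "randomized_mac_seen": randomized,
    }

def flag_randomized_sessions(sessions: list) -> list:
    """Return the usernames of sessions whose calling-station MAC looks
    randomized; useful when reviewing authentication logs for BYOD
    failures that coincide with Android 10 onboarding."""
    return [s["user"] for s in sessions if is_locally_administered(s["mac"])]

# Constructed sample data (not real devices):
# 3c:22:fb:... has bit 1 clear -> burned-in style, globally administered
# da:a1:19:... and 9e:4f:0c:... have bit 1 set -> randomized style
SAMPLE_SESSIONS = [
    {"user": "alice", "mac": "3C-22-FB-11-22-33"},   # pre-Android-10 device, burned-in MAC
    {"user": "bob",   "mac": "da:a1:19:4c:7e:01"},   # Android 10 on the open SSID
    {"user": "bob",   "mac": "9e:4f:0c:aa:bb:cc"},   # same device, new profile on the 802.1X SSID
]

if __name__ == "__main__":
    result = evaluate_dual_ssid("da:a1:19:4c:7e:01", "9e:4f:0c:aa:bb:cc")
    print(result)
    print("randomized sessions:", flag_randomized_sessions(SAMPLE_SESSIONS))
```

Running it shows the SAN condition failing for the 802.1X session even though the certificate is valid, which is exactly why the text says the MAC-in-SAN condition can no longer be used for Android 10 in a dual-SSID design; the locally-administered check gives an operator a quick way to tell such sessions apart from burned-in MACs in logs.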
Android 9 (Pie)
If the BYOD profile includes web proxy settings, SPW requires the user to create an Android work profile if one is not already present on the endpoint.
With the single-SSID flow, the user has to delete the SSID setting that was used to connect with PEAP-MSCHAPv2 before EAP-TLS will function. The user is guided by overlay instructions.
Android 6 (Marshmallow) and above
Uses EST instead of SCEP between the endpoint and ISE. This requires additional policies on ISE and a change to the redirect ACL to allow EST server access from the endpoint. Because of this change, end users are required to enter network credentials for EST authentication in addition to the regular WebAuth/802.1X authentication.
When a non-well-known certificate is used for the BYOD portal, the iOS device requires the root CA certificate to be trusted before it accepts the rest of the profile.
After onboarding, disconnect from the guest SSID and reconnect to the secure SSID; Apple does not provide hooks to change this.
iPadOS defaults to desktop mode in the Safari browser, which sends a wrong user-agent string and causes iPads to be profiled as macOS. To fix this iPadOS issue for BYOD, a new ISE patch is required that provides a way to choose your own OS on the BYOD page.
Bug ID CSCvr43077 - there was an issue with iPadOS 13.x, addressed in 2.6 patch 3, 2.4 patch 11 and 2.2 patch 16.
iOS devices now require the user to manually go to profile settings, whereas previously the user could open profiles within the browser.
The profile popup for the root CA certificate and the SCEP/Wi-Fi profile popup happen back to back without the user acknowledging the first.
In a single-SSID flow, the iOS device remains connected with PEAP instead of EAP-TLS after CoA. The user has to disable Wireless and re-enable it to connect with EAP-TLS.
A fix is being targeted for 2.4 patch 9 (TBD); please contact TAC.
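The iPadOS profiling problem above comes down to the user-agent string. The following added Python example (not from the original document and not ISE's actual profiling code; classify_os is a deliberately simple stand-in) shows why a user-agent-only classifier cannot tell an iPad in Safari desktop mode apart from a Mac, and how a user-chosen OS override of the kind the text attributes to the ISE patch resolves it. The user-agent strings are constructed samples, not captured from real devices.

```python
# Constructed sample user-agent strings (illustrative, not captured from real devices)
UA_IPAD_MOBILE_MODE = ("Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1.15 "
                       "(KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1")
UA_IPADOS_DESKTOP_MODE = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 "
                          "(KHTML, like Gecko) Version/13.0 Safari/605.1.15")
UA_MACOS = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
            "(KHTML, like Gecko) Version/13.0 Safari/605.1.15")
UA_ANDROID = ("Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36")

SUPPORTED_OS = {"iOS", "Android", "macOS", "Windows"}

def classify_os(user_agent: str) -> str:
    """Simplified user-agent classifier (stand-in, not ISE's fingerprint DB).
    It keys on the platform tokens a browser places in the UA string."""
    if "iPad" in user_agent or "iPhone" in user_agent:
        return "iOS"
    if "Android" in user_agent:
        return "Android"
    if "Macintosh" in user_agent:
        return "macOS"
    if "Windows NT" in user_agent:
        return "Windows"
    return "Unknown"

def resolve_os(user_agent: str, user_choice: str = None) -> tuple:
    """Return (os, source). A valid user choice made on the BYOD page wins
    over the user-agent guess; otherwise the guess is used. This mirrors the
    'choose your own OS' approach the text describes, in simplified form."""
    if user_choice is not None:
        if user_choice not in SUPPORTED_OS:
            raise ValueError(f"unsupported OS choice: {user_choice!r}")
        return user_choice, "user override"
    return classify_os(user_agent), "user-agent"

def desktop_mode_hides_ipad(user_agent: str) -> bool:
    """True when the UA carries no iPad/iPhone token at all, so no
    UA-based classifier could recover the real device type from it."""
    return "iPad" not in user_agent and "iPhone" not in user_agent

if __name__ == "__main__":
    for label, ua in [("iPad, mobile mode", UA_IPAD_MOBILE_MODE),
                      ("iPadOS, desktop mode", UA_IPADOS_DESKTOP_MODE),
                      ("macOS", UA_MACOS), ("Android", UA_ANDROID)]:
        print(f"{label:22} -> {resolve_os(ua)}")
    # The same iPad, but the user picked iOS on the BYOD page:
    print("iPadOS with override  ->", resolve_os(UA_IPADOS_DESKTOP_MODE, "iOS"))
```

The desktop-mode iPad and the Mac produce the same classification from the user agent alone, so the provisioning flow would hand an iPad the macOS SPW path. Only an out-of-band signal, here the user's own choice, can correct it, which is why the fix is a selection on the BYOD page rather than a smarter user-agent rule.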