ISE BYOD allows administrators to push digital certificates and network settings in a secure way to the personal endpoints that users bring into the managed network. For Android devices and Chromebooks, the process requires the endpoint to reach the Google Play store and the Chrome extensions while going through the ISE BYOD flow. This is different from the Apple iDevice, Mac OS X, and Windows BYOD process: for Apple iDevices ISE leverages the native OTA capabilities to provision certificates and network settings, and for Mac OS X and Windows ISE provides a Network Setup Assistant that is pushed to the endpoint directly from the ISE node, so the endpoint does not need access to anything beyond the ISE node itself.
To allow Android devices and Chromebooks to download the Network Setup Assistant, the easiest way to control access to the Google Play store and Chrome extensions is the DNS ACL feature available on Cisco WLC 7.6 and above. This feature works by snooping the endpoint's DNS requests at the AP and dynamically inserting IP ACL entries for the addresses in the DNS response the endpoint receives from the DNS server. Aside from the WLC version, here are additional notes on this feature:
Each ACL entry is treated as if a wildcard were prepended and appended, which means a string value of .google.co will match play.google.com and also www.google.co.ca
Not supported on FlexConnect locally switched WLAN
Not supported on auto-anchored WLAN
WLC AireOS version 8.2 and above can support up to 20 DNS ACEs, while previous versions can support up to 10 DNS ACEs
Because of the last note above, it is important to craft an ACL with fewer than 10 ACEs so that it works in an environment with different versions of WLC. Here is an ACL that works for both Android devices and Chromebooks:
If the ACL is used for Android devices only and not for Chromebooks, the last two ACEs can be removed. If more room for entries is needed, android.pool.ntp.org can also be replaced with an IP-based ACE to allow NTP traffic.
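To review a candidate DNS ACL before it goes on a controller, the following Python script (an added example, not part of the original post and not a Cisco tool) emulates the substring match described above and reports three things: entries beyond the version-dependent ACE limit, names the BYOD flow needs that no entry covers, and names that the wildcard match permits unintentionally. The sample entry strings and the hostnames used to probe them are constructed for illustration (the post's own ACL is not reproduced here), and the match is assumed to be case-insensitive.

```python
"""Offline sanity check for a WLC DNS ACL (added example, not Cisco code).

The WLC treats every DNS ACE string as if a wildcard were prepended and
appended, i.e. a plain substring match against the name the client resolved.
This script emulates that match so an ACL can be reviewed for coverage,
over-permissiveness and the per-version ACE limit before it is configured.
"""
from typing import List


def max_dns_ace(aireos_version: str) -> int:
    """Return the DNS ACE limit for an AireOS version string such as "7.6" or "8.2".

    8.2 and above allow 20 DNS ACEs; earlier releases allow 10 (per the notes above).
    """
    major, minor = (int(part) for part in aireos_version.split(".")[:2])
    return 20 if (major, minor) >= (8, 2) else 10


def dns_ace_matches(ace: str, hostname: str) -> bool:
    """Emulate the WLC match: the ACE string may appear anywhere in the hostname.

    Case-insensitive comparison is an assumption made here; DNS names are not
    case-sensitive, but the controller's exact behaviour is not documented above.
    """
    return ace.lower() in hostname.lower()


def matching_entries(acl: List[str], hostname: str) -> List[str]:
    """All ACL entries that would permit traffic to ``hostname``."""
    return [ace for ace in acl if dns_ace_matches(ace, hostname)]


def review_dns_acl(acl: List[str], required: List[str], should_block: List[str],
                   aireos_version: str = "7.6") -> List[str]:
    """Return a list of human-readable problems; an empty list means the ACL passes.

    required:     names the BYOD flow must reach (e.g. the Play store).
    should_block: names that must NOT be permitted; used to catch wildcard
                  matches that are broader than intended.
    """
    problems: List[str] = []
    limit = max_dns_ace(aireos_version)
    if len(acl) > limit:
        problems.append(
            f"{len(acl)} entries exceed the {limit}-ACE limit of AireOS {aireos_version}")
    for name in required:
        if not matching_entries(acl, name):
            problems.append(f"required name {name} is not permitted by any entry")
    for name in should_block:
        hits = matching_entries(acl, name)
        if hits:
            problems.append(f"{name} is unintentionally permitted by {hits}")
    return problems


# Constructed sample ACL for illustration; the post's actual ACL is not reproduced here.
SAMPLE_ACL = [".google.co", "android.pool.ntp.org"]
# Names from the post that the BYOD flow needs to reach.
REQUIRED = ["play.google.com", "www.google.co.ca", "android.pool.ntp.org"]
# Constructed names used only to show how broad the substring match is:
# "notgoogle.com" lacks the leading dot and is correctly rejected, while
# "www.google.co.example" contains ".google.co" and is permitted although it
# is not a Google-owned name.
SHOULD_BLOCK = ["notgoogle.com", "www.google.co.example"]


if __name__ == "__main__":
    for name in REQUIRED + SHOULD_BLOCK:
        print(f"{name:28} -> {matching_entries(SAMPLE_ACL, name) or 'no match'}")
    for version in ("7.6", "8.2"):
        print(f"AireOS {version}: limit {max_dns_ace(version)} ACEs, "
              f"problems={review_dns_acl(SAMPLE_ACL, REQUIRED, SHOULD_BLOCK, version)}")
```

The second probe is the caveat worth keeping in mind: because the match is an unanchored substring, a short string such as .google.co permits every name that contains it, so the shortest entry that covers the required hosts is not automatically the safest one. Listing the names you expect the entry to cover, and a few you do not, makes that trade-off visible before the ACL is deployed.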
For more information on the DNS ACL please check out the Cisco WLC 7.6 release note: