ISE BYOD allows administrators to securely push digital certificates and network settings to the personal endpoints that users bring into the managed network. For Android devices and Chromebooks, the endpoint needs access to the Google Play store and the Chrome Web Store while it goes through the ISE BYOD flow. This is different from the Apple iOS, macOS, and Windows BYOD processes: for iOS devices ISE leverages the native over-the-air (OTA) enrollment capabilities to provision certificates and network settings, and for macOS and Windows ISE serves the Network Setup Assistant directly from the ISE node, so the endpoint needs no access beyond the ISE node itself.
To let Android devices and Chromebooks download the Network Setup Assistant, the easiest way to control access to the Google Play store and the Chrome Web Store is the DNS ACL feature available on Cisco WLC (AireOS) 7.6 and above. The feature works by snooping the DNS responses that the endpoint receives for hostnames listed in the ACL and dynamically inserting permit entries for the resolved IP addresses. Note that the controller trusts whatever address the DNS answer carries, so the pre-authentication ACL should only permit DNS to resolvers you control. Aside from the WLC version, here are additional notes on this feature:
Each DNS ACL entry is matched with an implicit wildcard before and after it, i.e. as a substring of the hostname. A value of .google.co therefore matches play.google.com and also www.google.co.ca, and it would equally match any unrelated hostname that happens to contain that string, so keep entries as specific as the limit allows.
Not supported on FlexConnect locally switched WLANs
Not supported on auto-anchored WLANs
WLC AireOS 8.2 and above supports up to 20 DNS ACEs per ACL; earlier versions support up to 10
Because of the last note above, it is important to craft an ACL with no more than 10 ACEs if it has to work in an environment with mixed WLC versions. Here is an ACL that works for both Android devices and Chromebooks:
If the ACL is used for Android devices only and not for Chromebooks, the last two ACEs can be removed. If additional room is needed, the android.pool.ntp.org entry can also be replaced with an IP-based ACE that permits NTP traffic.
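The two constraints above, the substring matching of each entry and the 10/20 ACE limit, are easy to get wrong when hand-editing a list, so here is a small checker that simulates them before the ACL goes onto the controller. This is an added example and not code from the original post or from Cisco: the matching rule it implements is the one described above (implicit leading and trailing wildcard), the only limits it knows are the 10 ACE pre-8.2 and 20 ACE 8.2+ figures from the notes, and the sample entries and hostnames (including the attacker-style lookalike names) are constructed for the example rather than taken from any real ACL.

```python
"""Simulate AireOS DNS ACL entry matching and the per-version ACE limit.

Added example, not from the original article or from Cisco. The matching
rule is the one the article describes: an entry matches any hostname that
contains it as a substring (implicit wildcard on both sides). The limits
come from the article's notes; every hostname and entry below is constructed.
"""

# DNS ACE limits per AireOS train, as stated in the article's notes.
DNS_ACE_LIMIT = {"pre-8.2": 10, "8.2+": 20}

# Constructed sample data (assumption: not any customer's real ACL).
SAMPLE_ENTRIES = [".google.co", "android.pool.ntp.org"]
SAMPLE_ALLOWED = ["play.google.com", "www.google.co.ca", "android.pool.ntp.org"]
# Lookalike names an attacker could register; they must NOT be let through.
SAMPLE_BLOCKED = ["play.google.com.attacker.example", "notgoogle.example"]


def entry_matches(entry: str, hostname: str) -> bool:
    """Return True if the DNS ACL entry would match this hostname.

    The controller prepends and appends a wildcard, so this is a
    case-insensitive substring test.
    """
    return entry.lower() in hostname.lower()


def matching_entries(entries, hostname):
    """List the entries that match a given hostname."""
    return [e for e in entries if entry_matches(e, hostname)]


def check_acl(entries, allowed_hosts, blocked_hosts, wlc_version="pre-8.2"):
    """Check a candidate DNS ACL against the limit and the matching rule.

    Returns a dict with the ACE count, whether it fits the version's limit,
    the hostnames in allowed_hosts no entry covers, and for each entry the
    hostnames in blocked_hosts that it would (wrongly) permit.
    """
    limit = DNS_ACE_LIMIT[wlc_version]
    report = {
        "ace_count": len(entries),
        "fits": len(entries) <= limit,
        "uncovered": [h for h in allowed_hosts if not matching_entries(entries, h)],
        "overbroad": {},
    }
    for e in entries:
        leaks = [h for h in blocked_hosts if entry_matches(e, h)]
        if leaks:
            report["overbroad"][e] = leaks
    return report


if __name__ == "__main__":
    for version in DNS_ACE_LIMIT:
        r = check_acl(SAMPLE_ENTRIES, SAMPLE_ALLOWED, SAMPLE_BLOCKED, version)
        print(f"{version}: {r['ace_count']} ACE, fits={r['fits']}, "
              f"uncovered={r['uncovered']}, overbroad={r['overbroad']}")
```

Running it on the constructed data shows both points at once: the two entries cover all three required hostnames and fit either limit, but `.google.co` also matches `play.google.com.attacker.example`, which is exactly why the wildcard-on-both-sides behaviour should push you toward the most specific entry the 10 ACE budget allows.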
For more information on the DNS ACL please check out the Cisco WLC 7.6 release note: