Android BYOD ISE 2.2 Changes

Introduction

It wouldn't be a new ISE release without a bunch of changes (read: problems) with Android BYOD. We are still stuck using Cisco Network Setup Assistant (NSA) to issue the BYOD certificate from ISE to the Android device and to automatically configure the network settings on it, and this time around the change concerns how the Android device makes its certificate request.


In ISE 2.2 (when using the Network Setup Assistant app version 2.2.X and Android version 6.0, 7.0 or newer) during the onboarding process, the Android device will make a certificate request directly to the ISE-server using the Enrollment over Secure Transport (EST) protocol.

Due to this change, the firewall port that has to be open between the Android device and the ISE-server has changed as well to port TCP 8084.

Below is an excerpt from the Android device log, which can be found on the device at "/sdcards/downloads/spw.log".


2017.04.23 18:23:12 INFO:EST Server =ise01.labb.local
2017.04.23 18:23:12 INFO:EST Server port =8084
2017.04.23 18:23:12 INFO:ISEDownloadProfileAsynchTask.onPostExecute :PASSED
2017.04.23 18:23:34 INFO:Making SCEP call
2017.04.23 18:23:34 INFO:Generating RSA key with key size: 2048

2017.04.23 18:23:54 INFO:Generating RSA key with key size: 2048
2017.04.23 18:23:56 INFO:Going to call EST server with args: cn = jacfre@labb.local, un= jacfre@labb.local, sn= jacfre@labb.local, sp =8084, cur= P-384, ca_certs length = 8486


In this log we can see that EST is being used and that the port it communicates on is 8084. Note that the app still logs "Making SCEP call" even though the request itself goes to the EST server.
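When troubleshooting an onboarding that stalls, it helps to pull these facts out of spw.log automatically and compare them against the expected port. The parser below is an added example, not part of the original post and not Cisco's code: it follows the log format shown in the excerpt above, the sample lines are constructed to mirror that excerpt, and the function and class names are my own.

```python
"""Parse an NSA spw.log excerpt and sanity-check the EST enrollment step.

Added example, not part of the original post and not Cisco's code. The log
format follows the excerpt in the post; the sample lines are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ISE 2.2 serves EST enrollment on this port (stated in the post).
EXPECTED_EST_PORT = 8084

# Constructed sample, modelled on the excerpt in the post.
SAMPLE_LOG = """\
2017.04.23 18:23:12 INFO:EST Server =ise01.labb.local
2017.04.23 18:23:12 INFO:EST Server port =8084
2017.04.23 18:23:12 INFO:ISEDownloadProfileAsynchTask.onPostExecute :PASSED
2017.04.23 18:23:34 INFO:Making SCEP call
2017.04.23 18:23:34 INFO:Generating RSA key with key size: 2048
2017.04.23 18:23:56 INFO:Going to call EST server with args: cn = jacfre@labb.local, un= jacfre@labb.local, sn= jacfre@labb.local, sp =8084, cur= P-384, ca_certs length = 8486
"""

# "<date> <time> <LEVEL>:<message>"
LINE_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) ([A-Z]+):(.*)$")


@dataclass
class EstEnrollment:
    server: Optional[str] = None
    port: Optional[int] = None
    key_size: Optional[int] = None
    profile_download_passed: bool = False
    call_args: Dict[str, str] = field(default_factory=dict)


def _parse_call_args(text: str) -> Dict[str, str]:
    """Split 'cn = x, un= y, sp =8084, ...' into a dict; spacing around '=' varies."""
    args = {}
    for chunk in text.split(","):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            args[key.strip()] = value.strip()
    return args


def parse_spw_log(text: str) -> EstEnrollment:
    """Extract the EST-related facts from spw.log lines.

    The 'Making SCEP call' line is ignored on purpose: the excerpt shows the
    app logs it even though the request goes to the EST server.
    """
    enr = EstEnrollment()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or continuation line
        msg = m.group(3)
        if msg.startswith("EST Server port ="):
            enr.port = int(msg.split("=", 1)[1].strip())
        elif msg.startswith("EST Server ="):
            enr.server = msg.split("=", 1)[1].strip()
        elif msg.startswith("ISEDownloadProfileAsynchTask.onPostExecute") and msg.endswith("PASSED"):
            enr.profile_download_passed = True
        elif msg.startswith("Generating RSA key with key size:"):
            enr.key_size = int(msg.split(":", 1)[1].strip())
        elif msg.startswith("Going to call EST server with args:"):
            enr.call_args = _parse_call_args(msg.split(":", 1)[1])
    return enr


def check_enrollment(enr: EstEnrollment, expected_port: int = EXPECTED_EST_PORT) -> List[str]:
    """Return a list of findings; an empty list means the log looks healthy."""
    findings = []
    if not enr.profile_download_passed:
        findings.append("BYOD profile download did not report PASSED")
    if enr.server is None:
        findings.append("no EST server in the profile; device cannot enroll")
    if enr.port != expected_port:
        findings.append(f"EST port {enr.port} differs from expected {expected_port}; "
                        "check the firewall rule between the device and ISE")
    if not enr.call_args:
        findings.append("device never reached the EST call; enrollment did not start")
    else:
        sp = enr.call_args.get("sp")
        if sp is not None and int(sp) != enr.port:
            findings.append(f"EST call used port {sp} but profile said {enr.port}")
        if enr.call_args.get("cn") != enr.call_args.get("un"):
            findings.append("certificate CN does not match the BYOD username")
    if enr.key_size is not None and enr.key_size < 2048:
        findings.append(f"RSA key size {enr.key_size} is below 2048")
    return findings


if __name__ == "__main__":
    result = parse_spw_log(SAMPLE_LOG)
    print(result)
    print("findings:", check_enrollment(result) or "none")
```

Run it against a real spw.log pulled from the device (`parse_spw_log(open(path).read())`); a log that stops before the "Going to call EST server" line, or one whose port is not 8084, points at the firewall between the device subnet and the ISE node rather than at the policy set.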

To handle this EST-CSR request we simply need a rule in ISE that permits it when it arrives. Depending on how your rules are structured, you may need to create a completely new top-level policy set to catch it, because the request does not match rules that use MAB or Wireless Dot1X as conditions, which a lot of deployments are based on.

In the EST-CSR sent from the Android device to ISE, there are two values we can match on in our rules. All we need to do is grant PermitAccess whenever the EST-CSR arrives at ISE. Either one of these values is sufficient, but both are shown below.


Network Access:NetworkDeviceName EQUALS ISE_EST_Local_Host

Cisco:cisco-av-pair EQUALS est-csr-request=true

As you can see, I have created a new top-level policy set called ISE-EST-CSR which uses the NetworkDeviceName condition to catch the request. Its authorization rule then uses pretty much the same condition to simply grant PermitAccess. On the Android device, the EST-CSR request happens during the NSA onboarding after you have pressed "START". The app will ask you to input a password, which should be the same password you used to log in to the BYOD portal.

An important note: when you are looking for the EST-CSR request in the ISE Live Log, you have to search by the username of the connecting user/device. Searching by MAC address will not find it, because the Android device communicates directly with ISE (most likely from another subnet), so ISE is not aware of the MAC address in this case.

Cisco ISE Android EST Rule


Cisco has published a video on YouTube that covers these changes in more depth.