I’ve been working in my lab on the cert and supplicant provisioning process in ISE for iOS, Android, OSX, and Win platforms. There are various docs out and about but they all seem to have gaps. Maybe at some point I’ll write one or do a video tutorial. Anyway, one of the challenges has been related to getting Android devices to provision properly. In the process, I’ve been stuck a few times.
The first obstacle is related to getting the Cisco Network Setup Assistant downloaded so the provisioning process can take place. A typical webauth ACL is going to redirect everything but DNS and access to the ISE server. Since the app you’re looking for has to be downloaded from the Google Play Store, you also have to allow access to that. I’m really hoping there is a better way than what I’ve found to work around this. Google could at any time change the IP (group of IPs) that play.google.com resolves to. This presents a bit of a problem when setting up your ACL. For now, what I’ve found is that I just do an nslookup from my machine for play.google.com and use the results to populate my ACL. In my lab, I’m just using a /24 of the first three octets from the results since, so far, they’ve been identical. You could, of course, put each of the 6 addresses in /32 format individually.
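An added example, not part of the original post: a Python sketch of the nslookup-to-ACL step described above that also counts how many extra addresses the /24 shortcut opens before authentication and checks whether a later lookup has drifted outside the ACL. The sample addresses are constructed (documentation range), the function names are hypothetical, and the `permit ip any ...` line format is an assumed IOS-style syntax to adapt to your WLC or switch.

```python
import ipaddress
import socket

# Constructed sample (documentation range) standing in for the six addresses
# an nslookup of play.google.com returned when the ACL was first built.
ACL_BUILT_FROM = [f"203.0.113.{n}" for n in (100, 101, 102, 113, 138, 139)]

def resolve(name="play.google.com"):
    """Current IPv4 answers for the name (needs working DNS)."""
    return sorted({i[4][0] for i in socket.getaddrinfo(name, 443, socket.AF_INET)})

def to_networks(addresses, prefix_len=32):
    """Collapse addresses into unique networks: 32 = one per host, 24 = the lab shortcut."""
    return sorted({ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
                   for a in addresses})

def excess_hosts(addresses, networks):
    """Count of addresses the ACL opens that were never in the DNS answer."""
    return sum(n.num_addresses for n in networks) - len(set(addresses))

def uncovered(resolved_now, networks):
    """Addresses resolved now that no existing ACL entry covers (drift)."""
    missing = [a for a in set(resolved_now)
               if not any(ipaddress.ip_address(a) in n for n in networks)]
    return sorted(missing, key=ipaddress.ip_address)

def acl_lines(networks):
    """Render entries in an assumed IOS-style syntax (host or wildcard mask)."""
    return [f"permit ip any host {n.network_address}" if n.prefixlen == 32
            else f"permit ip any {n.network_address} {n.hostmask}"
            for n in networks]

if __name__ == "__main__":
    for plen in (32, 24):
        nets = to_networks(ACL_BUILT_FROM, plen)
        print(f"/{plen}: {excess_hosts(ACL_BUILT_FROM, nets)} extra addresses opened")
        print("\n".join(acl_lines(nets)))
    try:
        drift = uncovered(resolve(), to_networks(ACL_BUILT_FROM, 24))
        print("resolved but not in ACL:", drift or "none")
    except OSError as exc:
        print("lookup failed:", exc)
```

Replace `ACL_BUILT_FROM` with the addresses your own ACL was built from before relying on the drift check; with the constructed sample every real answer will show as uncovered.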
The second obstacle I’ve run into is an error when trying to download the app. Sometimes the Cisco Network Setup Assistant just doesn’t complete the download. It will say “Error – package file is invalid.” So, here’s what I did to overcome that. Go to Settings->Applications->Manage Applications->All->Google Play Store and then click the Clear Data and Clear Cache buttons. I rebooted and then tried again with success.
Remember, if you have to, you can download the Cisco Network Setup Assistant via 3G/4G, then connect to the proper Wi-Fi network and launch the application. It’s not the way you’re supposed to have to do it for sure, but it is a little workaround until this gets a bit more fluid (or I come to a better understanding of how to do this right :)). So, you could download the app before you try to associate to the device registration network. Then, as you step through the process and the time comes for the app to download, you can just launch the app.
If you see any errors, or know of a better way to do something, please share!