Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1146
Views
10
Helpful
4
Replies

Problems with BYOD onboarding with ISE 1.3 Internal CA

west33637
Level 1
Level 1

‎04-29-2015 08:07 AM - edited ‎03-10-2019 10:41 PM

This implementation is leveraging the ISE 1.3 internal CA to enroll certs to authenticated BYOD users. The authentication/authorization profiles and policies are configured for wireless supplicant provisioning for AD authenticated IOS and Android devices.

•             When the test BYOD user with AD credentials tries to log in, they get redirected to the ISE BYOD provisioning portal.
•             They get to step 3 and successfully install the ISE certificate.
•             They then get a prompt to install the profile service (enroll an identity cert and load the wireless profile). This attempts to install for about 30 seconds and then fails with a message – ‘Profile installation Failed’ The request timed out.

The only thing I noticed that may possibly be an issue is that they are using a wild card cert signed by digicert for the ISE identity cert. Or maybe something else needs to allowed in the provisioning ACL?

I appreciate any assistance on this.

 

Labels:
0 Helpful
4 Replies 4

nspasov
Cisco Employee
Cisco Employee

‎05-04-2015 12:16 AM

A few questions here:

1. Is this for wired or wireless BYOD

2. What version of ISE and Controller / Switch are you running

3. Post a screen shot of the Client Provisioning ACL

4. Post a screenshot of your AAA policies in ISE

 

The wildcard cert should not be OK as that will only be used for the HTTPs portion of the request while the EAP session would be based on the ISE CA cert. 

 

Thank you for rating helpful posts!

0 Helpful

west33637
Level 1
Level 1
In response to nspasov

‎06-28-2015 11:02 PM

The primary and secondary nodes both had the same CN '*.example.com'. We were using a wild card certificate for the deployment so both had the same CN. At first, in the CSR request I tried requesting different CNs for each node and adding the wild card as a DNS name to the SAN in the request - per Cisco's recommendations. But Digicert kept giving me certs with '*.example.com' as the CN. This continued to cause intermittent problems with BYOD onboarding until we escalated the issue with Digicert and got them to change the CN names to unique names on each node (ise1.example.com and ise2.example.com) and add the wildcard to the SAN. This resolved the issue.

nspasov
Cisco Employee
Cisco Employee
In response to west33637

‎06-29-2015 11:28 AM

Good job on solving the issue and taking the time to come back and post the resolution here (+5 from me). But yes, having a wildcard entry in the CN would cause issue for Microsoft based clients since they do not support wildcard certs for EAP based authentications. The workaround is to have the cert provider place the wildcard entry in the SAN field (Exactly what you did) :)

Now, since your issue is resolved, you should mark the thread as "answered" :)

 

Thank you for rating helpful posts!

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎05-26-2015 02:14 AM

this can be issue with client provision ACL ...share ACL and ise  operations detail report

0 Helpful
Customers Also Viewed These Support Documents