04-29-2015 08:07 AM - edited 03-10-2019 10:41 PM
This implementation is leveraging the ISE 1.3 internal CA to enroll certs to authenticated BYOD users. The authentication/authorization profiles and policies are configured for wireless supplicant provisioning for AD authenticated IOS and Android devices.
• When the test BYOD user with AD credentials tries to log in, they get redirected to the ISE BYOD provisioning portal.
• They get to step 3 and successfully install the ISE certificate.
• They then get a prompt to install the profile service (enroll an identity cert and load the wireless profile). This attempts to install for about 30 seconds and then fails with a message – ‘Profile installation Failed’ The request timed out.
The only thing I noticed that may possibly be an issue is that they are using a wild card cert signed by digicert for the ISE identity cert. Or maybe something else needs to allowed in the provisioning ACL?
I appreciate any assistance on this.
05-04-2015 12:16 AM
A few questions here:
1. Is this for wired or wireless BYOD
2. What version of ISE and Controller / Switch are you running
3. Post a screen shot of the Client Provisioning ACL
4. Post a screenshot of your AAA policies in ISE
The wildcard cert should not be OK as that will only be used for the HTTPs portion of the request while the EAP session would be based on the ISE CA cert.
Thank you for rating helpful posts!
06-28-2015 11:02 PM
The primary and secondary nodes both had the same CN '*.example.com'. We were using a wild card certificate for the deployment so both had the same CN. At first, in the CSR request I tried requesting different CNs for each node and adding the wild card as a DNS name to the SAN in the request - per Cisco's recommendations. But Digicert kept giving me certs with '*.example.com' as the CN. This continued to cause intermittent problems with BYOD onboarding until we escalated the issue with Digicert and got them to change the CN names to unique names on each node (ise1.example.com and ise2.example.com) and add the wildcard to the SAN. This resolved the issue.
06-29-2015 11:28 AM
Good job on solving the issue and taking the time to come back and post the resolution here (+5 from me). But yes, having a wildcard entry in the CN would cause issue for Microsoft based clients since they do not support wildcard certs for EAP based authentications. The workaround is to have the cert provider place the wildcard entry in the SAN field (Exactly what you did) :)
Now, since your issue is resolved, you should mark the thread as "answered" :)
Thank you for rating helpful posts!
05-26-2015 02:14 AM
this can be issue with client provision ACL ...share ACL and ise operations detail report
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide