client provisioning not working on ISE after 1.2 Migration

SHANNON WYATT
Level 1

Working on an initial piloted rollout of ISE with a customer. We initially had a single server set up as a pilot using 1.1.1.4 to pilot things like client supplicant provisioning, and then stood up a new VM as a secondary and upgraded that to 1.2. Today we tested client provisioning that worked fine before, and it is failing for iOS (we haven't gotten to the other OSes yet). What occurs is the user authenticates using PEAP and the client gets the request to install the root certificate. After the client accepts the root certificate, the connection drops. When you click the SSID to start the process again we see the redirect to the mydevices portal, but before you can click to register the client it is redirected to accept the root certificate again, creating an endless loop. Has anyone else run into this bug?

16 Replies

David Boos
Level 1

Could you provide a screenshot of your authentication and authorization policies?

Sure.

Authentication:

and

Authorization (not complete):

I've truncated them, but it is hitting the rules.

The weird thing is we haven't touched any of the policies since the BYOD was in place and working, other than the upgrade of the server to 1.2. We see that redirect on the client. We do have it set to automatically update the NSP, so the NSP would be updated since the upgrade, but that is about it.

SHANNON WYATT
Level 1

Well, I figured out part of the problem. This was a controller that didn't have the captive portal disabled. I tested with a Windows PC and it is working fine. Now the problem is iOS devices can't get certs from the CA (Windows PCs are working fine though). I will start a new thread.

Naveen Kumar
Level 4

Please update the patch using the below details and try it.

To upload offline client provisioning resources, complete the following steps:


Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.

Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.

Choose from the following Off-Line Installation Packages available for download:

win_spw--isebundle.zip — Off-Line SPW Installation Package for Windows

mac-spw-.zip — Off-Line SPW Installation Package for Mac OS X

compliancemodule--isebundle.zip — Off-Line Compliance Module Installation Package

macagent--isebundle.zip — Off-Line Mac Agent Installation Package

nacagent--isebundle.zip — Off-Line NAC Agent Installation Package

webagent--isebundle.zip — Off-Line Web Agent Installation Package

Step 3 Click Download or Add to Cart.

blenka
Level 3

Please go through the steps as per the user guide. The information on pages 303, 326 & 447 will help you to solve the problem.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ug.pdf

Yes, I've been back through the guide. It is weird as it only seems to affect the iOS clients. The Windows clients are working fine.

I'm having similar issues. It seems that the documentation has been updated on Oct 25, 2013, so the relative pages, p303, p326, p447 references are meaningless.

There are issues with Cisco WLCs (5508, for one) with iOS 7.02 devices. The fix is to install 7.4.115.

One caveat regarding the WLC 7.4.115 upgrade. Seems it is capable of disabling antennas, as well as enabling MAC Filtering, as I recall. I was sending everything via PEAP, but ISE was rejecting PAP, as not allowed.

Muhammad Munir
Level 5

Hi

Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the policy identity group, conditions, and type of agent(s) defined in the policy.

Remember that the client provisioning agent installer download requires the following:

The user must allow the ActiveX installer in the browser session the first time an agent is installed on the client machine. (The client provisioning download page prompts for this.)

  • Check whether the proper server certificate is installed and configured for EAP by going to the Local Certificates page (Administration > System > Certificates > Local Certificates). Also ensure that the certificate authority that signed this server certificate is correctly installed in the client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more information.

  • Check the appropriate configuration in Policy > Authentication. This error happens when the identity source is configured for certificate-based authentication and received a password based authentication request.

  • Check the appropriate configuration in Policy > Authentication. This error happens when the identity source is configured for password-based authentication and received a certificate-based authentication request.

  • Check the connectivity between ISE and the NAD. Ensure that ISE is defined as the dynamic authorization client on NAD and that CoA is supported on device.

I resubmitted this. The loop was due to auto-login; need to change the configuration on the controller to resolve that part. Provisioning works fine for Windows clients, the problem is iOS clients. I will go over everything again, but I think I'm hitting a bug. I'm going to try creating a new NSP to see if that makes a difference when I get onsite.

I'm having the same issue here. In 1.1.4 the NSP is working but now after upgrade to 1.2 (with the latest patch) it's not working anymore for iOS and Android. Both mobile phones are not receiving the user certificate. I checked the CA and I see that the CA has issued the certificate.

Did anyone ever find out the workaround or resolution for this?

In the Android case, the network setup assistant runs successfully, but I don't know if they manage to get the user certificate successfully or not since we can't see the Android certificate store.

In the iOS case, only the ISE certificate is installed. It never prompts for the user certificate.

Have you tried changing the Client Provisioning Policy to the latest wizard for 1.2?

Yes, client provisioning is also upgraded but not working.

It seems like something breaks the certificate provisioning.

The phones managed to install both CA and ISE certificates but not the user certificates.

Strangely, all Windows laptops are not affected by this.