08-29-2013 06:47 AM - edited 03-10-2019 08:50 PM
Working on an initial piloted rollout of ISE with a customer. We initially had a single server set up as a pilot using 1.1.1.4 to pilot things like client supplicant provisioning, and then stood up a new VM as a secondary and upgraded that to 1.2. Today we tested client provisioning that worked fine before, and it is failing for iOS (we haven't gotten to the other OSes yet). What occurs is the user authenticates using PEAP and the client gets the request to install the root certificate. After the client accepts the root certificate, the connection drops. When you click the SSID to start the process again we see the redirect to the mydevices portal, but before you can click to register the client it is redirected to accept the root certificate again, creating an endless loop. Has anyone else run into this bug?
08-29-2013 11:45 AM
Could you provide a screenshot of your authentication and authorization policies?
08-29-2013 11:51 AM
Sure.
Authentication:
and
Authorization (not complete):
I've truncated them, but it is hitting the rules.
08-29-2013 11:56 AM
The weird thing is we haven't touched any of the policies since the BYOD was in place and working, other than the upgrade of the server to 1.2. We see that redirect on the client. We do have it set to automatically update the NSP, so the NSP would be updated since the upgrade, but that is about it.
08-30-2013 08:01 AM
Well, I figured out part of the problem. This was a controller that didn't have the captive portal disabled. I tested with a Windows PC and it is working fine. Now the problem is iOS devices can't get certs from the CA (Windows PCs are working fine though). I will start a new thread.
08-31-2013 05:25 PM
Please update the patch using the details below and try it.
To upload offline client provisioning resources, complete the following steps:
Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.
Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
Choose from the following Off-Line Installation Packages available for download:
•win_spw-
•mac-spw-
•compliancemodule-
•macagent-
•nacagent-
•webagent-
Step 3 Click Download or Add to Cart.
09-02-2013 01:30 PM
Please go through the steps as per the user guide. The information on pages 303, 326 & 447 will help you to solve the problem.
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ug.pdf
09-02-2013 02:05 PM
Yes, I've been back through the guide. It is weird as it only seems to affect the iOS clients. The Windows clients are working fine.
10-30-2013 01:11 PM
I'm having similar issues. It seems that the documentation has been updated on Oct 25, 2013, so the relative pages, p303, p326, p447 references are meaningless.
There are issues with Cisco WLCs (5508, for one) with iOS 7.02 devices. The fix is to install 7.4.115.
11-25-2013 06:56 AM
One caveat regarding the WLC 7.4.115 upgrade. Seems it is capable of disabling antennas, as well as enabling MAC Filtering, as I recall. I was sending everything via PEAP, but ISE was rejecting PAP, as not allowed.
09-02-2013 11:30 PM
Hi
Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the policy identity group, conditions, and type of agent(s) defined in the policy.
Remember that the client provisioning agent installer download requires the following:
The user must allow the ActiveX installer in the browser session the first time an agent is installed on the client machine. (The client provisioning download page prompts for this.)
09-03-2013 05:01 AM
I resubmitted this. The loop was due to auto-login, need to change the configuration on the controller to resolve that part. Provisioning works fine for Windows clients, the problem is iOS clients. I will go over everything again, but I think I'm hitting a bug. I'm going to try creating a new NSP to see if that makes a difference when I get onsite.
11-25-2013 02:28 AM
I'm having the same issue here. In 1.1.4 the NSP is working but now after upgrade to 1.2 (with the latest patch) it's not working anymore for iOS and Android. Both mobile phones are not receiving the user certificate. I checked the CA and I see that the CA has issued the certificate.
Did anyone ever find out the workaround or resolution for this?
In the Android case, the network setup assistant successfully runs, but I don't know if they manage to get the user certificate successfully or not since we can't see the Android certificate store.
In the iOS case, only the ISE certificate is installed. It never prompts for the user certificate.
11-25-2013 07:57 PM
Have you tried changing the Client Provisioning Policy to the latest wizard for 1.2?
11-26-2013 05:57 AM
Yes, client provisioning is also upgraded but not working.
It seems like something breaks the certificate provisioning.
The phones managed to install both CA and ISE certificates but not the user certificates.
Strangely, all Windows laptops are not affected by this.