Working on an initial piloted rollout of ISE with a customer. We initially had a single server set up as a pilot using 220.127.116.11 to pilot things like client supplicant provisioning, and then stood up a new VM as a secondary and upgraded that to 1.2. Today we tested client provisioning that worked fine before, and it is failing for iOS (we haven't gotten to the other OSes yet). What occurs is the user authenticates using PEAP and the client gets the request to install the root certificate. After the client accepts the root certificate the connection drops. When you click the SSID to start the process again we see the redirect to the mydevices portal, but before you can click to register the client it redirects to accept the root certificate again, creating an endless loop. Has anyone else run into this bug?
Authorization (not complete):
I've truncated them, but it is hitting the rules.
The weird thing is we haven't touched any of the policies since the BYOD was in place and working, other than the upgrade of the server to 1.2. We see that redirect on the client. We do have it set to automatically update the NSP, so the NSP would be updated since the upgrade, but that is about it.
Well, I figured out part of the problem. This was a controller that didn't have the captive portal disabled. I tested with a Windows PC and it is working fine. Now the problem is iOS devices can't get certs from the CA (Windows PCs are working fine though). I will start a new thread.
Please update the patch using the below details and try it.
To upload offline client provisioning resources, complete the following steps:
Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.
Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
Choose from the following Off-Line Installation Packages available for download:
Step 3 Click Download or Add to Cart.
Please go through the steps as per the user guide. Pages 303, 326 & 447 have information that will help you to solve the problem.
Yes, I've been back through the guide. It is weird as it only seems to affect the iOS clients. The Windows clients are working fine.
I'm having similar issues. It seems that the documentation was updated on Oct 25, 2013, so the relative page references (p303, p326, p447) are meaningless.
There are issues with Cisco WLCs (5508, for one) with iOS 7.02 devices. The fix is to install 7.4.115.
One caveat regarding the WLC 7.4.115 upgrade. Seems it is capable of disabling antennas, as well as enabling MAC Filtering, as I recall. I was sending everything via PEAP, but ISE was rejecting PAP, as not allowed.
Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the policy identity group, conditions, and type of agent(s) defined in the policy.
Remember that the client provisioning agent installer download requires the following:
The user must allow the ActiveX installer in the browser session the first time an agent is installed on the client machine. (The client provisioning download page prompts for this.)
I resubmitted this. The loop was due to auto-login; I need to change the configuration on the controller to resolve that part. Provisioning works fine for Windows clients, the problem is iOS clients. I will go over everything again, but I think I'm hitting a bug. I'm going to try creating a new NSP to see if that makes a difference when I get onsite.
I'm having the same issue here. In 1.1.4 the NSP was working, but now after the upgrade to 1.2 (with the latest patch) it's not working anymore for iOS and Android. Both mobile phones are not receiving the user certificate. I checked the CA and I see that the CA has issued the certificate.
Did anyone ever find a workaround or resolution for this?
In the Android case, the network setup assistant runs successfully, but I don't know if they manage to get the user certificate successfully or not, since we can't see the Android certificate store.
In the iOS case, only the ISE certificate is installed. It never prompts for the user certificate.
Yes, client provisioning is also upgraded but not working.
It seems like something breaks the certificate provisioning.
The phones managed to install both the CA and ISE certificates but not the user certificates.
Strangely, all Windows laptops are not affected by this.
Has anyone managed to find a solution to this issue regarding Apple devices failing to provision once the ISE has been upgraded to 1.2 Patch 4? I am seeing it with Apple devices running both iOS 6 and 7, even though iOS 6 devices were working before the upgrade.
We did have problems but adding an ACL in our WLC to allow captive.apple.com through seemed to fix it.