Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE 1.2 - Self-Provisioned devices still in pending registration status

Hi everybody,

I'm on ISE 1.2 patch 2, setting up single-SSID self-provisioning BYOD flow which works as expected except for a couple of issues:

  1. first PEAP authorization always fails (no server certificate confirmation appears on device and no Endpoint Profile is assigned), second on goes through as expected and self-registration flow is started;
  2. at the end of the flow, TLS certs are installed, device appears in endpoint database under user's account but "Device Registration Status" stays "pending" and this makes it impossibile to further authorized RegisteredDevices identity group;
  3. single mobile devices gets different "Endpoint Profile" result at each subsquent access. For example: Android smartphones are profiled as Android or HTC device or HP devices or Samsung randomly.

I've tried to analyze log files but cannot extract a full dump of the profiling process that could help identify why all this happens.

Can you please help?

Regards,

L

  • AAA Identity and NAC
Everyone's tags (3)
5 REPLIES
New Member

ISE 1.2 - Self-Provisioned devices still in pending registration

Kindly find the link below for the steps to configure self-provisioning & verify the same.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html

Allowing Employees to Register Personal Devices Using Native Supplicants

New Member

ISE 1.2 - Self-Provisioned devices still in pending registration

L

Did you ever find an answer to the Device Registration Status field sitting in pending? I have a similar issue and will most likely open a tac case as I can't find much online.  The self provisioning flow seems to be working I get my EAP-TLS cert & profile installed,  gets placed in registered endpoints group, and the BYOD registration flag gets set.  I have the required access to the network as well, but the flag never changes in ISE.

Thanks,

Kevin

New Member

ISE 1.2 - Self-Provisioned devices still in pending registration

Hi Kevin,

I did not find and answer. In subsequent patches the self-registration flow seems to have changed somehow and now I have more device in 'Registered' state, but still most of the time at the end of the process there is no guarantee that the devices will be in this stage. I've moved to more broad policies for authorization (i.e. if you have a valid certificate and login from one of the accepted profiles, we'll let you in).

Please let me know if you open a TAC case, what is the answer.

Regards,

L

New Member

Hi I've faced the same issue

Hi I've faced the same issue and tshooting is going with no success.

Have you fixed the issue?

New Member

It seems to be fixed in

It seems to be fixed in subsequent patches. Around patch4 I started getting correct results at the end of self-provisioning and had to change policies accordingly.

I suggest you upgrade to the lastest patch and check if everything is ok.

2287
Views
0
Helpful
5
Replies
This widget could not be displayed.