ISE 1.2 - Self-Provisioned devices still in pending registration status

Luigi Gangitano
Level 1

Hi everybody,

I'm on ISE 1.2 patch 2, setting up a single-SSID self-provisioning BYOD flow, which works as expected except for a couple of issues:

  1. the first PEAP authorization always fails (no server certificate confirmation appears on the device and no Endpoint Profile is assigned); the second one goes through as expected and the self-registration flow is started;
  2. at the end of the flow, TLS certs are installed and the device appears in the endpoint database under the user's account, but "Device Registration Status" stays "pending" and this makes it impossible to further authorize the RegisteredDevices identity group;
  3. a single mobile device gets a different "Endpoint Profile" result at each subsequent access. For example: Android smartphones are profiled as Android or HTC device or HP devices or Samsung randomly.

I've tried to analyze log files but cannot extract a full dump of the profiling process that could help identify why all this happens.

Can you please help?

Regards,

L

5 Replies

blenka
Level 3

Kindly find the link below for the steps to configure self-provisioning & verify the same.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html

Allowing Employees to Register Personal Devices Using Native Supplicants

Kevin Mast
Level 4

L

Did you ever find an answer to the Device Registration Status field sitting in pending? I have a similar issue and will most likely open a TAC case as I can't find much online. The self-provisioning flow seems to be working: I get my EAP-TLS cert & profile installed, the device gets placed in the registered endpoints group, and the BYOD registration flag gets set. I have the required access to the network as well, but the flag never changes in ISE.

Thanks,

Kevin

Hi Kevin,

I did not find an answer. In subsequent patches the self-registration flow seems to have changed somehow and now I have more devices in 'Registered' state, but still most of the time at the end of the process there is no guarantee that the devices will be in this stage. I've moved to broader policies for authorization (i.e. if you have a valid certificate and log in from one of the accepted profiles, we'll let you in).

Please let me know, if you open a TAC case, what the answer is.

Regards,

L

Hi, I've faced the same issue and troubleshooting is going on with no success.

Have you fixed the issue?

It seems to be fixed in subsequent patches. Around patch 4 I started getting correct results at the end of self-provisioning and had to change policies accordingly.

I suggest you upgrade to the latest patch and check if everything is ok.