BYOD Onboarding issue with Redirects on ISE 1.2

Similar Messages

• Issue with redirection using Document ID

  Hi All,
  I have a library with unique permission set, if a user who does not have access to the library tries to access a URL which has the document id (https://domainname/sites/Test1/_layouts/15/DocIdRedir.aspx?ID=UMZ2EEKCF25S-37-4), it gives the following message
  "No documents with the
  ID UMZ2EEKCF25S-37-4
  were found in this site collection" eventhough the item exist in the site collection. After giving View Only permission level to the user for the library, the DOC ID url gives access denied message as expected but the user get permission to View all the
  items in the library
  We have built a SP search based solution using DOC ID for redirection to a particular item in the library. It is misleading if it shows
  "No document with the ID found".
  Please help me on this.

  The issue is if a User who does not have permission (Permission is None, have set unique permission level) to access to a Library  item with the Document ID, then it gives the message "No
  documents with the ID UMZ2EEKCF25S-37-4were
  found in this site collection" though the Item exists in the Site/Library. This message is quite misleading since the item actually exists in the Site.
  I expect the message to be
  "Access denied".
  If I give user the permission
  "View Items  -  View
  items in lists and documents in document libraries",
  then it gives access denied message. If I give the permission "Open Items  -  View the source of documents with server-side file handlers."
  then it actually opens the Item.

• Log in issue with redirect

  I just deployed my app onto my computer and my co-workers systems. All were able to install. However, about half when the open the app and have to login to SharePoint Online get stuck at the login screen after they enter their email and it starts to redirects
  them to the company's corporate login and just sits there and never progresses. When I had this issues in development I just did a restore for windows 8 however, this cannot be the only resolution. Anyone else have this issue?

  Compare the "trusted sites" list in IE on machines that work, and those that don't work. You may need to add something to "trusted sites". Sorry to be vague, but on the MS corp network we sometimes see a similar problem.

• Redirection issues with 2 computers

  Hey friends,I'm unsure of where to turn at this point and any ideas would be appreciated.tl;dr - 2 different computers (1 brand new, 1 old) redirecting to ads after scanning, not sure what else to do
  PROBLEM
  I have a computer in a clinic that is having an issue with redirecting the user to various ads. I originally thought this was perhaps a redirect virus. I ran a number of scans (Malwarebytes, SuperAntiSpyware, MSE, and SpyBot I think) for it to locate and remove a number of security issues.
  After the scanning, the problem still remains. Instead of spending more time working on this computer, I installed a brand new one right out of the box. I updated the computer at our main office location (no issues with redirection at this point) and then took the new PC to the clinic, only for the new PC to redirect to the same ads. I began to...
  This topic first appeared in the Spiceworks Community

  I can't remember the exact solution, but I helped a friend who was having a similar problem. He had previously been directly connected to Sympatico. I had to change a network option to basically tell the iBook to just talk to the D-Link DI-524 directly. (In other words remove all of the Sympatic stuff.) If you haven't previously used Sympatico this may not help.

• Problems with BYOD onboarding with ISE 1.3 Internal CA

  This implementation is leveraging the ISE 1.3 internal CA to enroll certs to authenticated BYOD users. The authentication/authorization profiles and policies are configured for wireless supplicant provisioning for AD authenticated IOS and Android devices.
  •             When the test BYOD user with AD credentials tries to log in, they get redirected to the ISE BYOD provisioning portal.
  •             They get to step 3 and successfully install the ISE certificate.
  •             They then get a prompt to install the profile service (enroll an identity cert and load the wireless profile). This attempts to install for about 30 seconds and then fails with a message – ‘Profile installation Failed’ The request timed out.
  The only thing I noticed that may possibly be an issue is that they are using a wild card cert signed by digicert for the ISE identity cert. Or maybe something else needs to allowed in the provisioning ACL?
  I appreciate any assistance on this.

  A few questions here:
  1. Is this for wired or wireless BYOD
  2. What version of ISE and Controller / Switch are you running
  3. Post a screen shot of the Client Provisioning ACL
  4. Post a screenshot of your AAA policies in ISE
  The wildcard cert should not be OK as that will only be used for the HTTPs portion of the request while the EAP session would be based on the ISE CA cert. 
  Thank you for rating helpful posts!

• An issue with authentication and authorization on ISE 1.2

  Hi, I'm new to ISE.
  I have an issue with authentication and authorization.
  I have ISE 1.2 plus patch 6 installed on VMware.
  I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
  On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
  I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
  I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
  I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
  What  should I do to resolve this issue?
  Switch configuration:
   testISE#sh runn
  Building configuration...
  Current configuration : 7103 bytes
  ! Last configuration change at 12:20:15Tue Apr 15 2014
  ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname testISE
  boot-start-marker
  boot-end-marker
  no logging console
  logging monitor informational
  enable secret 5 ************
  enable password ********
  username radius-test password 0 ********
  username admin privilege 15 secret 5 ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
   client 172.16.0.90 server-key ********
  aaa session-id common
  clock timezone 4 0
  system mtu routing 1500
  authentication mac-move permit
  ip dhcp snooping vlan 1,22
  ip dhcp snooping
  ip domain-name elauloks
  ip device tracking probe use-svi
  ip device tracking
  epm logging
  crypto pki trustpoint TP-self-signed-1888913408
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1888913408
   revocation-check none
   rsakeypair TP-self-signed-1888913408
  crypto pki certificate chain TP-self-signed-1888913408
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  ip ssh version 2
  interface FastEthernet0/5
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/6
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/7
  interface Vlan1
   ip address 172.16.0.204 255.255.240.0
   no ip route-cache
  ip default-gateway 172.16.0.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   deny   icmp any host 172.16.0.1
   permit ip any any
  ip radius source-interface Vlan1
  logging origin-id ip
  logging source-interface Vlan1
  logging host 172.16.0.90 transport udp port 20514
  snmp-server community public RO
  snmp-server community ciscoro RO
  snmp-server trap-source Vlan1
  snmp-server source-interface informs Vlan1
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host 172.16.0.90 ciscoro
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  radius server ISE-Alex
   address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key ******
  ntp server 172.16.0.1
  ntp server 172.16.0.5
  end

  Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

• Issue with normal page link redirecting to SSO page / forbidden page

  Hi,
  I am having an issue with a number of pages within my portal.
  I have a 'List of Objects' that has been working for some time, each link in the list linked to another page.
  Just lately a number of pages that are linked to within this list are not loading correctly.
  When one of the items is selected, the correct page is initially displayed, but then after a couple of seconds the page is redirected to the 'Single Sign-On' page, or alternatively the page is redirected to a 'Forbidden' page with this error:
  Forbidden
  You don't have permission to access /pls/orasso/orasso.wwsso_app_admin.ls_login on this server.
  (This page will also show up after the user tries to login when the page is redirected to the SSO page).
  As well as this issue occuring at the front end, the same issue is happening when the pages are loaded from the back end, in the Navigator.
  This issue is even happening when the page is opened up in 'edit' mode using the ORCLADMIN user.
  Any help is greatly appreciated!!
  Amanda.

  Figured it out...

• Issues with using the output redirection character with newer NXOS versions?

  Has anyone seen any issues with using the output redirection character with newer NXOS versions?
  Am receiving "Error 0x40870004 while copying."
  Simply copying a file from bootflash to tftp is ok.
  This occurs for both 3CDaemon and Tftpd32 softwares.
  Have tried it on multiple switches - same issue.
  Any known bugs?
  thanks!
  The following is an example of bad (NXOS4.1.1b) and good (SANOS3.2.1a)
  MDS2# sho ver | inc system
    system:    version 4.1(1b)
    system image file is:    bootflash:///m9200-s2ek9-mz.4.1.1b.bin
    system compile time:     10/7/2008 13:00:00 [10/11/2008 09:52:55]
  MDS2# sh int br > tftp://10.73.54.194
  Trying to connect to tftp server......
  Connection to server Established. Copying Started.....
  TFTP put operation failed:Access violation
  Error 0x40870004 while copying tftp://10.73.54.194/
  MDS2# copy bootflash:cpu_logfile tftp://10.73.54.194
  Trying to connect to tftp server......
  Connection to server Established. Copying Started.....
  |
  TFTP put operation was successful
  MDS2#
  ck-ci9216-001# sho ver | inc system
    system:    version 3.2(1a)
    system image file is:    bootflash:/m9200-ek9-mz.3.2.1a.bin
    system compile time:     9/25/2007 18:00:00 [10/06/2007 06:46:51]
  ck-ci9216-001# sh int br > tftp://10.73.54.194
  Trying to connect to tftp server......
  |
  TFTP put operation was successful

  Please check with new version of TFTPD 32 server. The error may be due to older version of TFPT server, the new version available solved this error. Files are getting uploaded with no issues.
  1. Download tftpd32b.zip from:
  http://tftpd32.jounin.net/tftpd32_download.html
  2. Copy the tftpd32b.zip file into an empty directory and extract it.
  3. Copy the file you want to transver into the directory containing tftpd32.exe.
  4. Run tftpd32.exe from that directory. The "Base Directory" field should show the path to the directory containing the file you want to transfer.
  At this point, the tftpserver is ready to begin serving files. As devices request files, the main tftpd32 window will log the requests.
  Best Regards...

• ISE Issue with DNS

  Hello Techies,
  I am facing challenge while configuring ISE to join AD. Domain Name lookup fails. DNS is working perfectly fine;
  nslookup works fine on ISE for simple domain names, but on long domain  names it fails while throwing the following error;
  ;; Truncated, retrying in TCP mode.
  ;; connection timed out; no servers could be reached
  Upon searching on google, may threads discuss that it a common issue with linux, when multiple IP's are returned for DNS query. Solution is to make static entries in;
  /etc/resolv.conf
  Not able to find it in ISE, as it does not give access to the OS. I am running it on VMware.
  Looking forward to get your valuable inputs to resolve this.
  Thanks

  Thanks for your response. Port 53(TCP) was opened on firewall & voila........nslookup was able to resolve the hostname.
  Now there is another challenge because of huge environment. Active Directory forest contains  more than 50+ child domain controllers. Policy is open for one particular hostname/ip. But authentication is not successful & ISE is not able to join domain. CISCO forums says that ports for all server should be open for ISE on the intermediate firewall, but it is a huge challenge for testing.
  While I tried to give the FQDN of specific server(from whom ports are open on firewall), it is not getting resolved again.
  Please sugeest

• HT1933 Following the instructions above, I'm constantly redirected to this help page rather than receiving any drop down list to select what my problem is. Are there any other ways to report issues with purchases?

  Following the instructions for reporting an issue with a purchase problem, when selecting "report a probelm", I am not provided with a drop down list, I am redirected to the help page instead.
  Is there any other way to report an issue where the app owner has taken the funds twice for the same product at literally the same time?

  To Contact iTunes Customer Service and request assistance
  Use this Link  >  Apple  Support  iTunes Store  Contact

• Select list with redirect - clearing field issue

  I'created an APEX page where there is 2 items. A Select list with redirect and a Text Field. Both have "Only when current value in session state is null" for "Source used". If some data has been written into the Text Field and I'm selecting someting from the Select List with redirect, the value of the Text Field is cleared.
  The page has no Computations, Validations, Processes or Branches.
  As you may guess, I want the the Text Field NOT be cleared.
  I know, that subject has been discussed over and over, but I'm all reading about it told me that "Source used" set to "Only when..." for the Text Field, it's suppose tol keep it's value.
  Could please someone explain me what I've not understood.
  Many thanks in advance.

  Thanks for helping me. In fact, my real problem is about a page where two select lists are needed. The first one shows CATEGORIES and the second one shows SUB-CATEGORIES, based on the value selected at the first select list. Since there is other fields on the page and the data has not been saved yet (other fields afterwards and validations anyway), data entered has to be kept until the user click "Save" button and all the validations are ok. I was expecting to solve the issue by using "Select list with redirect" for CATEGORIES (this is the only way I was able to make SUB-CATEGORIES works) and having all my fields "Source used" set to "Only when...".
  So, can someone told me if "Select list with redirect" is the way to solve my problem or should I use something else?

• Issues with cross-site CAS redirect of OWA users

  Hi,
  I am having an issue with our CAS servers, possibly since upgrading to SP3 (I am not 100% if the upgrade caused it). We are currently on Exchange 2010 SP3 RU4.
  I have tested logging into OWA on each CAS server with a mailbox from the same site as the CAS, and it works fine.
  But if I am using a mailbox from the opposing site, I get this scenario:
  1. User reaches site 1 CAS server
  2. User logs into site 1 CAS server with a site 2 mailbox
  3. Site 1 CAS server redirects the user to another form authentication on a site 2 CAS with this URL:
  https://Site2CAS.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fSite2CAS.domain.com%2fowa%2fping.owa
  4. User again fills out the form to log in
  5. User gets a blank page with this URL:
  https://Site2CAS.domain.com/owa/ping.owa
  The workaround is that the user then can get their inbox page to load by deleting out the "ping.owa" from the URL. But obviously this is not the intended user experience.
  The redirect would apparently work fine if it wasn't for the addition of this "ping.owa" to the URL. Although I would prefer the user only have to fill the forms authentication out once, the main problem is the blank page.
  Thanks

  Rule of the GAME
  For scenario:
  CAS Array in Internet Facing AD Site and CAS Array in non Internet facing AD site
   It will be CAS Proxy and NOT Redirection
  TO force exchange to use Redirection only, set external URL in non Internet facing site CAS as $Null
  Internet Facing Site
  Internal URL= CAS NLB internal FQDN for that site CAS Array
  External URL= CAS NLB Alias published in external DNS
  Authentication= Form Based with Basic Auth
  Non Internet Facing Site
  Internal URL= CAS NLB internal FQDN for that site CAS array
  External URL= Null
  Authentication= NON Form Based (Integrated Windows Auth)
  Thats All
  Understanding Proxying and Redirection
  http://technet.microsoft.com/en-us/library/bb310763(v=exchg.141).aspx
  Thanks,
  Soumen
  Soumen Ghosh

• Guest access with CWA on ISE

  Hi support community
  we just implemented CWA for wireless guest access using ISE. however we have an issue, the redirect URL is a name, not an IP address, and the guest dhcp scope use public DNS servers, so CWA doesn't work unless we set the company DNS servers.
  so my question... is there a way to configure ISE to send the ip address instead the name for redirection in CWA?
  Many thanks in advance...

  Hi, thanks for answering...
  Yes the problem is that public DNS servers obiously can't resolve ISE servers names. Additionaly the guest VLAN has an ACL blocking all the traffic destined to internal resourses with some exceptions (DHCP, DNS and ISE port for CWA).
  however, guest can access to some company services, but as if they were located on internet, ie through the public ip address, so if we use internal servers, they resolve the internal ip address and connections fails. the Muhammad suggestions could be the solution for the problem....but now is something to discuss with the DNS server administrator...
  thanks

• VPP Distribution issues with OSX Server Profile Manager

  Hi, I have a new issue with my OSX 10.9.5 Server. I use VPP to distribute apps to users devices, when I would add a new user I would send them an invitation message through /profilemanager . All was working well until recenetly , the message still arrives in the users mailbox however when you click the "sign in" link on the "receive apps and books from xxxxx" email instead of opening through the Mac App store app it now opens Safari and connects to the profile manager server , any ideas ? it never has done this before and although I thought it was a new feature or method I can not seem to resolve the issue.

  Hi if when you are redirected back to your Mac Server you enter the user name and password of the user you are trying to receive VPP apps for i.e the Open Directory credentials it will then open the App Store providing the credentials are correctly entered so it looks like an additional layer of security. The process is click on the link in the VPP invite email, this takes you to your Mac Server profile manager, log on with your OD account, App store then opens on your Mac like it used to.

• SSO logout issue with APEX

  I am trying to resolve the logout URL issue with our APEX application configured as a partner application with SSO. The partner application name is SSO_APEX and the logout URL is defined in partner application as
  http://OID_Server:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout where OID_Server is our OID server name.
  In the APEX application page, I tried to open the application that was imported from another apex server.
  Home>Application Builder>Application 107>Shared Components>Authentication Schemes
  SSO_Auth - current is
  &INFRA_NAME./pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=&SERVER_NAME./pls/htmldb/f?p=&APP_ID.
  The logout link is http://INFRA_NAME:7777/pls/orasso/ORASSO.wwsso_app_admin.ls_logout?p_done_url=http://SERVER_NAME/pls/cms/f?p=107 , The application is retrieving the INFRA_NAME and SERVER_NAME values from a database table and they correspond to the OID and 10g application servers respectively.
  The logout link should take it to the login page where the user will be prompted to enter login credentials again however it is currently taking to the above logout link page from APEX. It is not changing even though I specified a different logout link in partner application page. Moreover the check box beside SSO_APEX in the logout page is unchecked.
  The authentication scheme of application is overriding the partner application configuration. How can I make sure the logout is actually happening? Thanks in advance for any suggestions.
  Pavan.

  Scott,
  I am having the same issue, and have posted on another thread about this same thing. I know that's inappropriate to post the same thing in multiple threads, but I was searching the forum again today, and Pavan described exactly what I'm experiencing.
  We have been using SSO for about 4 years or so now, and haven't had logout issues. Our DBA at the time had written his own logout function for SSO where he invalidated the cookie with owa_cookie calls. It's worked until now. We have upgraded our database servers and all URLs referencing those servers are now in a different domain than our OAS server. Now the logic in the logout function is no longer invalidating the cookie for SSO (because it's in a different domain). SSO login and authentication still work, it's just the logout that does not.
  I'd like to just alter the logout URL to redirect to the OAS server for logout as you described. But here's what's happening. I press logout link, and it takes me to the OAS Single Sign-Off page where it shows the services it's logging you out of, but it doesn't automatically redirect (just sits there until I press the Return button).
  Is that expected (no automatic redirect)?
  And as Pavan mentioned, the Partner application name (APEX_SERVERNAME_SSO) doesn't show a checkmark next to it. If I go back to my application, I get right back in without being prompted for SSO (ie, not logging out successfully then).
  I know there are a lot of question marks here, but I'm not sure if there's something obvious I am missing or if there's something else I need to fix that I don't know about.
  Can you offer any guidance?
  Thank you for your time,
  Chris