Client provisioning issue

Hi, I configured client provisioning for guests, and it does not work.
I checked client provisioning and device registration on defaultguestportal, and configured client provisioning like this:
OS: Windows All and NAS port type equals wireless802.11
But when I create a guest user ID and log in, there is no client provisioning going on. It just shows the success page.
Do you know why it is not working properly?

Please review the below links which might be helpful:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_client_prov.pdf

Similar Messages

  • ISE , BYOD iphone issue!! client provisioning

    Guys, when I send down a profile using the native supplicant for iPhone, the iPhone gets it but does not automatically select TLS on the SSID.
    Here is what happens:
    iPhone connects to BYOD-SSID
    credentials entered
    client provisioning process
    ** if Auto-Login is selected, problem with self registration!!!!!!!!
    bunch of security errors, profile is downloaded
    iPhone reconnects to BYOD-SSID with the credentials initially entered (therefore MSCHAPv), not TLS,
    in the client provisioning cycle.
    NOW!!!!
    go back to BYOD-SSID and "forget the network", reconnect again, manually select TLS and use the profile previously downloaded, and everything works!!!!
    Too many freaking steps for BYOD!!!! I can't have my client tell his employees to do that.
    Any ideas.....

    Marcin,
    I have not had the problems you are discussing. What version of code are you running? I assume you are using the single-SSID method. In my experience, the new profile overwrites the old PEAP profile, and after the CoA hits, the client then uses EAP-TLS to connect.
    Can you provide screenshots of the experiences you are having?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • AE 5.1 - User provisioning issue - new user provisioned at end of request

    Hi All,
    re: AE 5.1 - User provisioning issue - new user provisioned at end of request when AE Config is set to NO
    We have an interesting issue. An Access Enforcer Change Request was initiated with the incorrect userID (the userID did not yet exist in the system) and that Change Request flowed through and made it to the end of the path. At the end of the path, it created a new userID (since the incorrect one was entered). However, we have the following AE Config:
    Auto Provisioning - Status: Auto Provisioning Type: "Auto Provision At End of Each Path"
    Auto Provisioning - Change Request: Create if user does not exist: "NO"
    Any ideas as to why the new userID was provisioned even though we have it set to "NO"?
    We are on AE v5.1, SP4.
    Thanks in advance!

    Gary,
    Similar kind of issue.
    The Change User BAPI works differently than we normally think.
    It wipes off everything and reassigns the modification.
    I figured this out in one of my implementations. If you try to add some roles to the user, it wipes off all the roles and reassigns the roles along with the newly requested ones.
    The client is also on SP4 and they still have the issue.
    Would it not be good if AE checked for the ID before it actually submits the request?
    Thanks.
    Note: The issue mentioned by you doesn't exist in AE 5.2
    Regards,
    Muthu Kumaran KG
    Edited by: Muthukumaran Krishnan Govindan on Mar 13, 2008 2:38 PM

  • ISE 1.2 device registration with MAB only, no client provisioning

    Hello,
    Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning ?
    I do not want to push certificates or native supplicant profiles to client devices.
    I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.
    Then if MAC is known (in this group), skip registration and allow full access to the VLAN.
    Right now, I am stuck on the registration portal that says "The system administrator has either not configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
    Am I really obliged to use native supplicant provisioning to register my device?
    GN

    Hi
    Device Registration web auth is a process where you can configure users without client provisioning.
    In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
    1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the guest user attempts to go to any URL.
    2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
    3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
    4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
    5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
    6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.
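
The device registration web auth sequence described in the answer above, modelled as an added Python example (not part of the original post and not Cisco ISE code). The class and function names, the returned labels and the `GuestEndpoints` group are hypothetical; as a simplification the portal-configured group is assigned to new and existing endpoints alike, and MAC normalisation is included because network devices report the same address in different formats.

```python
import re

# Added illustration: a simplified model of the flow, not Cisco ISE code.
# All names and returned labels below are hypothetical.
REDIRECT = "url-redirect:aup-portal"


def normalize_mac(raw):
    """Canonicalise aa:bb:cc.., AA-BB-CC.. and aabb.ccdd.eeff to AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class EndpointStore:
    def __init__(self, portal_group):
        self.portal_group = portal_group  # group selected in the portal config
        self.endpoints = {}               # MAC -> {"aup_accepted", "group"}
        self.coa_sent = []                # MACs for which a CoA was issued

    def authorize_mab(self, raw_mac):
        """Steps 1 and 6: unknown MAC or AUP not accepted -> redirect."""
        ep = self.endpoints.get(normalize_mac(raw_mac))
        if ep is None or not ep["aup_accepted"]:
            return REDIRECT
        return "permit:" + ep["group"]

    def submit_aup(self, raw_mac, accepted):
        """Steps 2-5: register or update the endpoint, then send the CoA."""
        try:
            mac = normalize_mac(raw_mac)
        except ValueError:
            return "error-page"           # step 4: endpoint creation failed
        if not accepted:
            return "error-page"           # step 4: AUP declined
        ep = self.endpoints.setdefault(mac, {"aup_accepted": False, "group": None})
        ep["aup_accepted"] = True
        ep["group"] = self.portal_group
        self.coa_sent.append(mac)         # step 5: CoA termination to NAD/WLC
        return "success-page"


def guest_session(store, mac_from_nad, mac_from_portal, accepts_aup):
    """Run one connection attempt and return the sequence of outcomes."""
    trace = [store.authorize_mab(mac_from_nad)]
    if trace[0] == REDIRECT:
        trace.append(store.submit_aup(mac_from_portal, accepts_aup))
        if trace[-1] == "success-page":
            # Step 6: the CoA makes the NAD/WLC send a fresh MAB request.
            trace.append(store.authorize_mab(mac_from_nad))
    return trace


if __name__ == "__main__":
    store = EndpointStore("GuestEndpoints")
    # Constructed MACs; the same device is reported in two formats.
    print(guest_session(store, "aabb.ccdd.eeff", "AA-BB-CC-DD-EE-FF", True))
    print(guest_session(store, "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff", True))
    print(guest_session(store, "00-11-22-33-44-55", "00-11-22-33-44-55", False))
```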

  • ISE 1.0 Posture and Client provisioning

    I've configured 802.1x with dynamic VLAN for users and MAB for phones - it works fine. Now I want to implement client provisioning and posture validation for users. After reading the ISE user guide there are still several big questions:
    1. Is it possible to combine 802.1x and posture? (it was not recommended with NAC)
    2. How can I bind an existing 802.1x authorization profile and a posture policy?
    3. What is the switch configuration for client provisioning to work (redirect, quarantine zone, download NAC agent)?
    4. Do ISE posture and client provisioning have L2 virtual gateway, trusted and untrusted ports, as in NAC?

    With ISE you can perform 802.1x first and after that optionally you can perform posture. This is done with RADIUS; that's why it's really and completely out of band, and there's no such concept of a trusted or untrusted port because the traffic is never inline.
    Still, with ISE you have another option of "inline Posture", in which there are trusted and untrusted ports. I guess that's for some specific cases in which you can't go out-of-band.
    On the other hand, so-called "out-of-band" NAC was really always an inline solution; only after the user has authenticated and security policies have been verified does the user go "out-of-band".

  • Client provisioning not working on ISE after 1.2 Migration

    Working on an initial piloted rollout of ISE with a customer. We initially had a single server set up as a pilot using 1.1.1.4 to pilot things like client supplicant provisioning, and then stood up a new VM as a secondary and upgraded that to 1.2. Today we tested client provisioning that worked fine before, and it is failing for iOS (we haven't gotten to the other OSes yet). What occurs is the user authenticates using PEAP and the client gets the request to install the root certificate. After the client accepts the root certificate the connection drops. When you click the SSID to start the process again we see the redirect to the mydevices portal, but before you can click to register, the client is redirected to accept the root certificate again, creating an endless loop. Has anyone else run into this bug?

    Please update the patch using the details below and try it.
    To upload offline client provisioning resources, complete the following steps:
    Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.
    Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
    Choose from the following Off-Line Installation Packages available for download:
    • win_spw--isebundle.zip - Off-Line SPW Installation Package for Windows
    • mac-spw-.zip - Off-Line SPW Installation Package for Mac OS X
    • compliancemodule--isebundle.zip - Off-Line Compliance Module Installation Package
    • macagent--isebundle.zip - Off-Line Mac Agent Installation Package
    • nacagent--isebundle.zip - Off-Line NAC Agent Installation Package
    • webagent--isebundle.zip - Off-Line Web Agent Installation Package
    Step 3 Click Download or Add to Cart.

  • ISE 1.2 Client Provisioning Page Customization

    Hi All,
    Is it possible to customize the Client Provisioning Page? We are using ISE version 1.2.
    I could see from the switch port authentication session that it is being redirected to the guest portal with a session ID.
    However, on the host machine itself it gets redirected to a different URL.
    Regards
    Sameer

    Please have a look at the Configuring Client Provisioning guide:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_client_prov.html#wp1347894

  • Cisco ISE 802.1X Client Provisioning

    Hi,
    I have a requirement for ISE client provisioning for both Windows and mac. I have the following setup:
    1. 2 SSIDs, Guest and Employee
    2. Guest is open access
    3. Employee is 802.1x eap-peap (username/password)
    I was wondering if client local administrator privilege is required for 802.1x provisioning for a Windows client? I believe it is required for Mac OS, however I am not too sure if it may be required for Windows.
    Example: Employee A connects to the Guest SSID and is redirected to the guest web portal. Upon login, they will be presented with the device registration portal. Upon being presented by the ISE with the supplicant wizard, will they be asked for local administrator/domain admin privilege to install the supplicant wizard package/provisioning agent successfully?
    Any suggestion is appreciated.
    Thanks.

    Hi,
    I appreciate the feedback.
    Thanks

  • Cisco ISE (1.3) Posture without Client Provisioning

    Hello readers,
    Is it possible to set up Cisco ISE with posture without Client Provisioning?
    My customer deploys the NAC Agent via MS SCCM. We prefer an access accept + DACL during the pending state instead of redirecting to client provisioning. But the NAC Agent will only communicate when we redirect to client provisioning.
    Regards,
    Dennis

    With ISE you can perform 802.1x first and after that optionally you can perform posture. This is done with RADIUS; that's why it's really and completely out of band, and there's no such concept of a trusted or untrusted port because the traffic is never inline.
    Still, with ISE you have another option of "inline Posture", in which there are trusted and untrusted ports. I guess that's for some specific cases in which you can't go out-of-band.
    On the other hand, so-called "out-of-band" NAC was really always an inline solution; only after the user has authenticated and security policies have been verified does the user go "out-of-band".

  • Cisco ISE posture assessment and client provisioning

    Hello,
    I have Cisco ISE and a Cisco IOS device. I have configured RADIUS between these devices.
    I have also configured RADIUS between Cisco ISE and Cisco ASA. Now I want to know how to do posture assessment for these devices (Cisco ISE and Cisco ASA, or Cisco ISE and Cisco IOS). Please give me the whole set of steps to do posture assessment for a Cisco IOS device in Cisco ISE.
    Also, please provide me with logs related to posture assessment and client provisioning.
    Thanks in advance.

    You may go through the below listed link to download a PDF link
    Posture assessment with ISE.
    http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Client provisioning exception for guest flow - bug?

    hi all,
    I encountered one problem with guest flow and client provisioning.
    Please, could someone confirm whether this can or can't be done?
    I want to accomplish the following scenario:
    - AD users have to download the full NAC agent
    - AD users from a specific group, when using web authentication (as a fallback), don't need to download the webagent (so no posture at all - the default status is compliant)
    - all guest users need to download the webagent
    It seems that it can't be done because:
    First of all, to make it work we need to enable "guest users should download the posture client"
    I created the "client provisioning policy" in a way that:
    If it is an AD user and it's not a guest flow (2) then the NAC agent should be applied
    If it is a guest user, the webagent should be downloaded
    It works, with the exception that when an AD user logs in using web authentication (guest portal), no download page is displayed (as expected), but instead of normal access there is a blank page with the following URL
    https://ise-nfr.sevenetdemo.local:8443/auth/CppSetup.action
    so it seems that even though there is no match in the "Client Provisioning Policy" (again, as expected), ISE still tries to redirect to the CPP portal, as this checkbox in the multiportal configuration says so.
    As a result no CoA is initiated to the switch and switch authentication hangs on the last default policy - CWA_POSTURE_REMEDIATION
    Is it possible to do it?
    regards
    Przemek

    Please review the below links which might be helpful:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_client_prov.pdf

  • Redirect from client provision to origin url

    Hello,
    Does anyone know if there is a way to redirect a user to the home page from the client provisioning portal?
    We are using a wired solution.
    The client PCs have a web browser that automatically opens to the home page when employees log in, and since we have posture configured to check the antivirus, the web browser is redirected to the client provisioning portal. We would like to have the user redirected to the corporate home page after a successful NAC agent check.

    We finally used our custom login module to solve this.

  • Supplicant Client Provisioning for Windows + NAC - is it supported?

    Hello,
    I'm testing out a scenario where it would be most interesting to be able to provision a Windows laptop, connecting to a Guest SSID, with the wireless settings it would need to access a secure SSID where it would then be posture assessed. Like when someone brings their laptop from home to work in the company, and you want to make sure the laptop is not carrying any bad stuff, while still assisting the user with its configuration.
    As the NAC provisioning rules and the supplicant provisioning rules are done from the same page, I'm having trouble differentiating the initial supplicant client provisioning (SPW) from the posture verification done after the association to the secure SSID.
    The choices that we have on the client provisioning pages seem to be too limited to do this.
    Can anyone confirm if this scenario is supported?
    Thanks for any insight
    Gustavo Novais

    Hi Tarik, I managed to do what I wanted - same client being provisioned and NAC'd in two steps, as you were suggesting.
    One limitation that I found though is that as soon as you mark a device as registered (part of RegisteredDevices endpoint group), you stop being able to distinguish an iPad from a Windows workstation, if both of them have been registered by the same user - both of them will belong to RegisteredDevices group (assuming initial registration via webguest portal), both of them will have the similar certificate (same common name) and profiling group matching will no longer work.
    Do you know if there is any workaround to it? - I can see the common case where people bring their laptop from home as well as their iPad.
    A possible way would be to register to two different devRegPortals (two different endpoint groups) depending on the initial profiling option, but I saw no option on the guest portal to be able to choose multiple devRegPortals only self provisioning flow. I guess the best possible way would be to not merge guest portal and provisioning portals and use different authZ rules depending on the initial profiling of the devices, on a separate SSID dedicated to provisioning.
    Thanks for your insight
    Gustavo Novais

  • How to implement the Client Provisioning

    Hi all,
    I am trying to install an example of client provisioning; this is the guideline: http://developers.sun.com/techtopics/mobility/midp/articles/provisioninggetstart/ But I have some troubles: I can't start J2EE's Cloudscape database, and I can't deploy with the script "ant" (although build successful).
    web.ear:
    [copy] Copying 1 file to C:\Program Files\Java\j2ee_cp_ri_1_0\test\lib
    [java] java.lang.NoClassDefFoundError: com/sun/enterprise/tools/packager/Main
    [java] Exception in thread "main"
    BUILD FAILED
    file:C:/Program%20Files/Java/j2ee_cp_ri_1_0/test/build.xml:299: Java returned: 1
    Can you explain me more, please. My OS is Win xp pro, jDK 1.5, j2ee 1.4, apache_ant 1.5.1.
    Thanks.

    But my customers ask us to do that; they are formal users of Oracle. Can I get some support to do that?

  • Exchange 2010 SP3 Rollup 8v2 causes client connectivity issues

    I installed SP3 Rollup 8v2 this weekend, going from 7. Since then we are having random client connectivity issues. New profiles can't be created, and some users can't access resources when booking meetings. We can do a registry fix to their machines to add a DS Server, but this is a workaround only. I have uninstalled the Rollup 8v2 and we are still having the issue.
    I thought 8v2 was supposed to fix this issue!

    Hi,
    According to your post, I understand that the Outlook client cannot connect to the Exchange server to configure a profile and cannot get the list of resource rooms after upgrading to Exchange 2010 SP3 Rollup 8v2, and that the temporary solution is to specify the DC in the registry.
    If I misunderstand your concern, please do not hesitate to let me know.
    Is there an error message when configuring Outlook fails?
    Please run Test E-mail AutoConfiguration and Outlook Connection Status to confirm the URL and FQDN of the Exchange server.
    In addition, please run the command below to double-check the state of the Exchange system components:
    Get-ServerComponentstate -Identity "servername"
    If the state is Inactive, please run the command below to activate the relevant component:
    Set-ServerComponentState <Identity> -Component "component name" -Requester HealthAPI -State Active
    More details about Server Component States in Exchange, for your reference:
    http://blogs.technet.com/b/exchange/archive/2013/09/26/server-component-states-in-exchange-2013.aspx
    Thanks
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Allen Wang
    TechNet Community Support
