IOS 8.x Apple users and CISCO ISE native supplicant provisioning not working
Hi there guys,
I was wondering if anybody else has the following problem:
Apple iOS 8.x users are not able to register their devices on the ISE portal (native supplicant provisioning).
After they receive the redirection from the WLC, they freeze. Apple 7.x users have no problem.
ISE is version 1.2.1.198 patch 2. WLC is running 8.0.102.14.
Anybody experienced the same?
MB
I am also running ISE 1.2.1.198 patch 2 with 8.0.100. I am testing with an iPad running IOS 8.1. The device will register in the registration portal, but is not being classified as an IOS device within client provisioning, I believe. It is getting profiled as a workstation even though all apple device profiles are enabled. I have an authorization policy for registered devices, and ipad, iphone, ios devices to gain access to the network without going through posture assessment. I then have my posture assessment authorization rules with apple IOS devices set for a ssid native supplicant profile. I keep getting an error page on the iPad when connecting to the ISE SSID saying "Client Provisioning Portal ISE is not able to apply an access policy to your log-in session at this time. Please close this browser, wait approximately one minute, and try to connect again". It gives this message over and over. If I turn off the posture checking authorization profiles, the IOS device is selected as a rule further down which tells me that ISE does not recognize it as an IOS device in the profiling or client provisioning.
Similar Messages
-
IOS 8.0 our apple users and CISCO ISE customized portal [SOLVED]
Hi there guys,
I am wondering why, after the update to iOS 8.0, our Apple users cannot make it to the ISE authentication portal. We make them connect through a WLC which is redirecting the web-auth process to ISE (RADIUS server), while if we use the internal portal (PIC2) of the WLC 5508 the whole process goes well.
After the update to iOS 8.0, Apple devices can't reach our customized portal any more.
Anybody experienced the same?
BR
Eugenio
Glad you got it working and good job on finding a solution to your problem (+5 from me). Also, thank you for taking the time to come back and share it.
If your issue is resolved you should mark the thread as "Answered" :)
One thing to also consider is CWA (Central Web Auth) instead of what you are doing which is LWA (Local Web Auth). It is always better to do CWA as there are many benefits to it.
Thank you for rating helpful posts! -
I just updated the software on my Apple TV, and now the closed captioning is not working. Somebody had the same problem? Anybody knows how to fix it?
-
Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.
Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive web portal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
Paul
Hello,
As you are not able to get the guest portal, then you need to assure the following things:-
1) Ensure that the two Cisco av-pairs that are configured on the authorization profile should exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
–url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
–url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL have been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any
Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to do re-image again. -
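Steps 2, 4 and 5 of the checklist above can be checked mechanically. The following is an added example, not code from the poster or from Cisco: the two sample inputs are constructed from the values quoted in the answer, and the function names `parse_epm` and `check_redirect` are hypothetical.

```python
import re

# Constructed sample shaped like the "show epm session ip" output quoted in step 2.
EPM_OUTPUT = """\
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
"""

# Constructed switch configuration fragment built from steps 4 and 5.
SWITCH_CONFIG = """\
ip http server
ip http secure-server
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny ip any host 80.0.80.2
 permit ip any any
"""

def parse_epm(text):
    """Return {field: value} from the 'name : value' lines of the session output."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def check_redirect(epm_text, config_text, ise_ip):
    """Return a list of findings; empty means steps 2, 4 and 5 pass.
    Simplification: the deny entry is searched in the whole config, not per ACL."""
    findings = []
    epm = parse_epm(epm_text)
    acl = epm.get("URL Redirect ACL")
    if not acl:
        findings.append("no URL Redirect ACL applied to session")
    elif not re.search(rf"^ip access-list extended {re.escape(acl)}\s*$", config_text, re.M):
        findings.append(f"redirect ACL {acl!r} not defined on switch")
    elif not re.search(rf"^\s*deny\s+ip\s+any\s+host\s+{re.escape(ise_ip)}\s*$", config_text, re.M):
        findings.append(f"ACL {acl!r} does not exempt ISE {ise_ip} from redirection")
    m = re.match(r"https://([^/:]+):8443/guestportal/gateway\?", epm.get("URL Redirect", ""))
    if not m:
        findings.append("URL Redirect missing or not a guest portal gateway URL on 8443")
    elif re.fullmatch(r"[\d.]+", m.group(1)):
        findings.append("URL Redirect uses an IP address, not the ISE FQDN")
    for cmd in ("ip http server", "ip http secure-server"):
        if not re.search(rf"^{cmd}\s*$", config_text, re.M):
            findings.append(f"missing '{cmd}'")
    return findings
```

Calling `check_redirect(EPM_OUTPUT, SWITCH_CONFIG, "80.0.80.2")` returns an empty list; a switch ACL whose name differs from the session's redirect ACL by a single character is reported as not defined.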
Cisco Ise Central Web authentication not working
Hello Guys,
CWA is not working. It says that authentication succeeded but posture status is pending. No error in my Monitor--authentication. Checking it in my Windows 7, it does not show the CWA portal.
What might be the possible problem of this?
thanks
Kindly review the below links:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml -
I am currently using Verizon Fios as my ISP. I had my mail set up as Verizon Yahoo mail. I was attempting to set up my iPad mini to get my mail under Apple Mail. I have that working under my iMac, iPad, and Apple notebook. I have not been able to get it to sync on the iPad mini. Can you tell me the proper settings?
Really, you're going to want to contact Verizon to get the proper settings.
-
My grandma is a new apple user and she needs help making an apple account.
She should call Apple support or visit the Genius Bar at an Apple store (make an appointment first at http://apple.com/retail). They will walk her through the process.
-
I'm a recently transformed "Windows to Apple" user, and I need to run various Windows software. Before installing Windows, I would like to hear from experiences from users if it works well. Also, I have an "Office for PC" that I need to re-download, however I was advised by someone that this software cannot be downloaded even if I had Windows in my MAC and that I will have to buy a new "Office for MAC" software. Thanks.
Yes, what you are looking at will work.
"Most of this would be for access to the shared folders which is not the same as RDP, correct? So i could
have myself connect from school to pull a word document, my friend connect from home to get the excel spreadsheet for our table top gaming, and my family connect to pull pictures from the shared folder on the server all at the same time. Because they
are accessing the shared folders it is not a RDP where they are accessing the server itself for administration."
This statement is correct. All of them would be able to be accessing the shared folders at the same time. This is the purpose of shared folders.
"the 1 user and RDP part is where I'm getting a little confused i think.
For the RDP part I thought that only applied to the server itself and not any of the client computers
connected to the server. So you are still limited to the 2 users to connect concurrently to the server or a client computer at any time?"
Sorry, not trying to confuse you. You mentioned to connect to a local machine at the same time. If you are staying away from RDP, then you won't have this issue. I would keep all shared folders on the server, not on any workstations.
You are correct 2 people can be RDP into a server at once. For client computers (workstations) you are limited to 1 person at a time. If you setup Anywhere Access correctly, then your friends and family should not need to RDP into a
client computer, they should only need to access the shared folders.
Something to keep in mind...for Anywhere Access to work, you will need to purchase a public certificate. You can do this from GoDaddy.com, Comodo or others. I would recommend either Godaddy or comodo. They make it easy and give plenty of instructions
on how to obtain the certificate. You will probably also have to purchase a domain name, and a static IP from your ISP. To fully do what you are looking at, it will take some out of pocket $$. -
I am a new Apple user and had a visitor, with an iPad, at my house. I noticed the response time slowed greatly. I have a Linksys N router and wondered if I need an Apple router to allow the speed to be consistent.
-
Has anyone done an integration of Meraki Systems Manager enterprise MDM and Cisco ISE? There is absolutely no documentation on the subject except for the Meraki announcement that lists:
Cisco Identity Services Engine (ISE) integration – allows Systems Manager to directly communicate with ISE for device enrollment and posture assessment
Hidden in the Meraki blog is this configuration guide for Meraki SM and ISE.
https://www.dropbox.com/s/4pd2acrni9w9rjr/Meraki%20Wirelessv5.pdf
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
I am using iPhone 4s with no sim card. My WiFi turned grey and isn't working. I've tried many methods like freezing and Resetting the network settings, still not working. Now what should I do? (iOS 7.1.2)
Put in a micro SIM (SIM need not be active) and
Restore from backup
Restore as new
http://support.apple.com/en-us/HT201252 -
When I try to sign in with my Apple ID and password, it says I can not sign in. To check my network connection and try again.
I am connected to my home wifi network. Why can't I sign in??
Not sure, but iAd Producer probably has nothing to do with this.
Did you try posting in a forum that discusses iPhone, or FaceTime, or networking?
I searched and this looks like the best fit : https://discussions.apple.com/community/iphone/using_iphone
-M -
I bought an IR receiver and an Apple Remote, and I can't get it to work. What am I doing wrong? The receiver is a Lenovo eHome OVU430006/01 USB IR Receiver.
Hello,
You would need to pair the Apple Remote with the receiver. So I would use the generic Mac/PC receiver and follow these instructions:
http://support.apple.com/kb/HT1619
If that doesn't work then check in System Profiler to see if the IR receiver has been recognized by the PowerBook's hardware. You may require the install of drivers for this device to be recognized.
Best of luck -
I had a repair done on my MacBook Pro and had to have a new hard drive installed. The Apple Auth Repair Shop then updated the OS from 10.6.8 to 10.7.5. Now my iPhoto v 9.2.3 will not open and it sounds like it will not work with this OS. Can you please advise?
You may need many other updates to retain compatibility with Lion. I suggest you reinstall Snow Leopard. Unfortunately, you will need to erase the drive first. Be sure to backup your data if you haven't done so already.
Clean Install of Snow Leopard
Be sure to make a backup first because the following procedure will erase
the drive and everything on it.
1. Boot the computer using the Snow Leopard Installer Disc or the Disc 1 that came
with your computer. Insert the disc into the optical drive and restart the computer.
After the chime press and hold down the "C" key. Release the key when you see
a small spinning gear appear below the dark gray Apple logo.
2. After the installer loads select your language and click on the Continue
button. When the menu bar appears select Disk Utility from the Utilities menu.
After DU loads select the hard drive entry from the left side list (mfgr.'s ID and drive
size.) Click on the Partition tab in the DU main window. Set the number of
partitions to one (1) from the Partitions drop down menu, click on Options button
and select GUID, click on OK, then set the format type to MacOS Extended
(Journaled, if supported), then click on the Apply button.
3. When the formatting has completed quit DU and return to the installer. Proceed
with the OS X installation and follow the directions included with the installer.
4. When the installation has completed your computer will Restart into the Setup
Assistant. After you finish Setup Assistant will complete the installation after which
you will be running a fresh install of OS X. You can now begin the update process
by opening Software Update and installing all recommended updates to bring your
installation current.
Download and install Mac OS X 10.6.8 Update Combo v1.1. -
I backed up my iphone 4 and did an upgrade and changed my Apple ID and password but my phone has not recognised the new ID to upgrade my apps via the iphone. How do I get rid of the old Apple ID when it comes to upgrading apps.
I have been into setting>store and signed out and signed back in and it still asks for old ID and password.
Everything you've had up to now has been tied to your old Apple ID. You cannot switch it over to a new Apple ID. You should contact iTunes support to help you with this:
Apple Store Customer Service at 1-800-676-2775 or visit online Help for more information.
To contact product and tech support visit online support site.
For Mac App Store: Mac App Store Customer Service.
For iTunes: Apple Support for iTunes - Contact Us