ISE 1.1.1 Android supplicant

Hi Folks,
I'm giving ISE 1.1.1 a go in the lab before I deploy it into our live wireless and I've hit a problem with the Android supplicant. I've finally gotten iOS to register and obtain the wireless profile, but when we try with an Android, the device registers and we download the supplicant software from the Google Play (so far so good), but once the software opens it starts the provisioning process and returns 'unable to locate server'. Looking at the registration flow, it would appear that it's unable to locate the ISE. Is there anything that I've missed? Our provisioning ACL on the WLC allows full access to the ISE, any DNS and any port 5228 (Google Play).
Any help would be amazing as it's starting to drive me a bit crazy!
Thanks
Kev
Sent from Cisco Technical Support iPad App

Can you check your DNS again? Try to access the Play Store from any laptop browser.
Maybe your DNS cannot resolve the Play Store, or the DNS forwarder is not set properly.
DNS is very important for Identity Service Engine.
Cheers,
Pongsatorn M.

Similar Messages

  • ISE problem with EAP-TLS Supplicant Provisioning

    Hi All,
    I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software.  The aim of the demo is to provision a device's supplicant with an EAP-TLS Certificate...  'device on-boarding'
    The entire CWA / Device Registration process is all fine and works well.  I'm using a publicly signed Cert on ISE that is built from [Root CA + Intermediate CA + Host Cert] which is used for both HTTPS and EAP and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory.  All of this works fine.
    The problem is that when ISE pushes the WLAN config down to the device, it instructs the Client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA.  This leads to a problem where the Client doesn't trust the Certificate presented to it from ISE.  There doesn't seem to be any way to configure this behaviour within ISE.
    Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
    Cheers,
    Richard
    PS - Also using WinSPWizard 1.0.0.28

    Hi Richard,
    This is a misbehavior that ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon. Engineering is almost ready with the fix.
    Istvan Segyik
    Systems Engineer
    Global Virtual Engineering
    WW Partner Organization
    Cisco Systems, Inc
    Work: +36 1 2254604
    Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

  • ISE deny access to Android devices

    I have a customer who would like to deny access to any Android devices on its guest service. (The network has an anchor WLC, the authentication is set as LWA)
    First I tried setting a simple AuthZ rule indicating "if Device-OS equals Android, then Deny Access"
    Also tried setting a profiled group. Any device belonging to this Android devices group must be denied.
    It appears the results were not consistent enough. On my first tests, a Galaxy smartphone was not allowed to pass after the AUP, but after some tries the user got access.
    I think something may be missing in the config, as it appears the ISE is not recognizing the Device-OS. Any device is added to the profiled group.
    Any idea how to troubleshoot and fix this requirement?
    Regards

    I did a quick test enabling DHCP profiling on the WLAN in the WLC. I couldn't do extensive tests because DHCP appeared not to be working, so I needed to back it out. I don't understand why enabling this option affects the DHCP functionality ...
    Unfortunately I can't do extensive tests on the production network, so I would need to be sure about which parameters to change.
    In the lab (not the same environment to test) I have seen the ISE is able to identify a Galaxy smartphone as Samsung Device (by RADIUS probe), I guess by the OUI Endpoint, and some minutes later as Android (by DHCP probe) ... So, I wonder if it is possible to define a priority or preference over which probe applies first ...
    In the ISE Endpoint details I found this
    User-Agent      Mozilla/5.0 (Linux; U; Android 2.3.6; es-us; GT-I9070 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
    I guess this is where the ISE learns that the device is an Android, right?
    Regards ...

  • ISE Wired Guest + user without supplicant and dynamic vlan change

    Hi All,
    I have two issues:
    Is it still an issue that a wired user who is directed to the ISE CWA is able to stay authenticated as a guest for as long as they stay connected?
    This is happening on our test pilot - a guest with 2 hour access on a wired connection can maintain the guest access for as long as they desire.
    I hear that this isn't an issue for wireless, but I have yet to try this out. Is there a workaround for this?
    Secondly, my testing confirms that only users with a supplicant, e.g. AnyConnect NAM, can be dynamically changed into a VLAN (only tested on wired).
    What I'd hope to do is create a policy that, when wired guests connect, dynamically changes their VLAN to the guest VLAN (the same one guest WLAN users will use).
    Is this possible if the guest doesn't have a supplicant?

    One of my tasks was to rebuild the multiportal config, and it looks like there was an option there to do a VLAN DHCP release and renew. I won't know if this will work until next week but it sounds promising. It was tucked down on the screen so I had to scroll down to find it...
    Still don't have an answer about the guest being able to stay authenticated, or does this feature solve this issue as well? Only time will tell..

  • ISE BYOD with Android device

    Hi,
    I deployed ISE for BYOD and it's working fine for Windows and Apple devices. The issue is with Android. Sometimes I can register the devices in the My Devices portal and ISE will redirect me to download the network assistant tool, and sometimes it refuses to register the devices, showing this error for some devices: "unsupported operating system type encountered", and this error for the others: "We are unable to determine access privileges in order to access the network. Please contact your administrator".
    Does anyone know how to solve this issue?
    Thanks in advance.

    Ok, so the obvious things for the first part of the problem are:
    Is the Android client using a supported OS? Check here:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp80321
    Are you using the latest Supplicant Provisioning plugins in ISE? And are you using the latest version of ISE?
    Do the failing clients have anything in common? Same hardware, OS version, etc?
    The second issue, where you get "We are unable to determine access privileges in order to access the network. Please contact your administrator", is typically caused by one of three things. Either your client has been idle for too long and the session has timed out, the ISE hasn't been able to profile your device yet (and so doesn't know how to provision it), or you haven't configured ISE with an Android Supplicant Provisioning config.
    Finally, I've had that last problem before, albeit on a different handset: I had missed some ports/protocols/hosts on my ACL.

  • ISE 1.2 iOS device re-auth (device drops WiFi)

    My guest users use web-auth for authentication. An issue I've run into is that iOS devices drop WiFi during lock/sleep. This means if they were authenticated, then they will have to reconnect/reauthenticate to the SSID. I would like to find a way for these users to automatically reauthenticate (assuming they are still within their original session's timeout value). Think two hour meeting. Is there a way for me to set this up in ISE policy?
    Something like:
    IF user was authenticated within the session timeout value (6hrs)
    THEN automatically let them back on without having to re-authenticate
    Thanks.

    OK, I'm seeing a lot of "Correct Answer" type replies in another similar posting, but not a complete answer.  I have a similar issue, but only on a 2504 running 7.4.110.  I have two 5508s running 7.4.115, and they don't seem to have this issue, however I could be wrong.  Also, I'm running ISE 1.2, patch 2, soon to be patch 3 with the 5508s.  I do not yet have ISE working with the 2504, but that is coming.  We're not running FlexConnect.
    My users are a mix of guest users via the ISE Sponsor Portal, and employees, who authenticate via Active Directory.  I am having problems putting the specifications into user-friendly terms.  If I have to add a Registration Portal, I need to be able to explain who would use it and under what situation(s).
    So, I guess what I'm looking for is the minimum OS I should be running on each platform to support ISE, WebAuth, and Apple & Android devices.
    I don't seem to have Security --> Local Policy on either of my builds, so I'm guessing that this was added in 7.5.  Given ISE 1.2, are there some minimal WLC builds I should be using?  Alternatively, is there ANY reason to NOT upgrade to 7.6?
    Tarik's link seems to include ISE 1.1.1, so I'm not sure how applicable it is to ISE 1.2.  I'm not opposed to using device registration for employee devices, but I do not believe I wish to do this for guest/sponsored devices.  I am not planning on a full BYOD rollout, so I do not wish to complicate things with an advanced license.  My understanding is that with AD integration, I probably don't need a MyDevices portal.
    In short, I'd like guest devices to have to auth at most once per day, and employees should be good until their AD credential expires.  Again, I thought I had this working on a pilot using WLC 5508s and 7.4.115, but this definitely is not working on the WLC 2504 with 7.4.110.
    The only other thing I'd want is to be able to put the guest devices on one VLAN/SSID and the employee devices on another, but that's not as important at this time.

  • Machine + User Auth for Windows endpoint authenticating through ISE

    Hi
    Is there any way to use machine + user auth at the same time when authenticating a Windows machine through ISE?  In the Windows native supplicant there are options such as
    1) Machine OR user Auth
    2) User Authentication
    3) Machine Authentication
    4) Guest authentication
    I want to give more privileged access to endpoints where they are joined to the AD domain AND the user is logged in using AD credentials.
    Is there any way to achieve this functionality?

    With Windows you do not have the option; however, ISE 1.1.1 with the latest Cisco AnyConnect NAM supplicant (which is free) has a feature called EAP chaining. It uses EAP-FAST to send the authentication sequence just as you want.
    Here is the reference:
    ISE release notes
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp307279
    Anyconnect release notes
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871
    Configuration of anyconnect -
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1065210
    Tarik Admani
    *Please rate helpful posts*

  • Identity Services Engine and Blackberry Phones

    Hello Community!
    As you know, current ISE does not support native supplicant for client/end-user Blackberry mobile devices.  Is there a way to manually configure ISE so Blackberry phones can connect to the wireless network?

    Configure Personal Device Registration Behavior
    Use this function to specify how Cisco ISE should handle user login sessions via personal devices on which Cisco ISE cannot install a native supplicant provisioning wizard (For example, Research In Motion Blackberry devices).
    Refer:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010110.html

  • Unable to open the auth web of the ISE when pushing CA to Android phones

    Hi guys,
    I have got a problem when pushing a CA to Android phones from Win 2008. I have already connected to my SSID and got the IP, then I open my browser and enter http://1.1.1.1; the web is redirected to the Device Self-registration page like https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=nsp, however this website cannot be visited. My ACL in the WLC is correctly configured, with access to my ISE like permit ip any host 10.10.10.70 and permit ip host 10.10.10.70 any. My authorization profile in ISE is configured as "Web authentication       supplicant provision      ACL    'my ACL'". Everything so far is OK but the Device Self-registration website cannot be visited.
    My ISE version is as below:
    ise/admin# show version
    Cisco Application Deployment Engine OS Release: 2.0
    ADE-OS Build Version: 2.0.4.018
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2011 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: ise
    Version information of installed applications
    Cisco Identity Services Engine
    Version      : 1.1.3.124
    Build Date   : Thu Feb  7 06:55:38 2013
    Install Date : Thu Mar 28 05:22:23 2013   
    ise/admin#
    Can anyone help me with this? Thanks a lot!!!

    Hi guys,
    I have resolved this.
    My ISE was upgraded from version 1.1.1 to 1.1.3 several days ago. The URL in 1.1.1 is like http://ise-111.demo.com/xxx while in 1.1.3 it is like http://ise.demo.com, so I forgot to change the DNS resolution in my DNS server, and after that everything is OK now.
    Sent from Cisco Technical Support Android App

  • Android 5.0 and ISE

    Hi,
    Anybody tried ISE Native Supplicant Provisioning with Android 5.0?
    I have ISE 1.3 in production and I can do NSP on iPad iOS 8.0.2 and Nexus 7 Android KitKat 4.4.4, but the Cisco Network Setup Assistant app doesn't work with Nexus 5 Android Lollipop 5.0.
    Looked at spw.log file in Download on the device and I see:
    ERROR:At line 11, column 2: mismatched tag
    ERROR:org.apache.harmony.xml.ExpatParser$ParseException: At line 11, column 2: mismatched tag
    ERROR:Null config object from parser
    INFO:Internal system error.
    I opened a TAC and waiting for an update.
    Thanks,
    Patrick Moubarak

    Although the doc has not been updated yet, it works fine now.
    Did a posture update in ISE and installed the newly released version 1.2.40 of Network Setup Assistant and put a PIN on the phone.
    Patrick

  • ISE and Android Profiling

    G'day All,
    I am building a wireless ISE solution that will service laptops (Windows and OSX) via posture assessment, and mobile devices such as iPhone, iPad and Android.
    I'm looking for help with the profiling of the Android devices. I am using the profiler RADIUS and HTTP probes; the RADIUS probe appears to be sufficient for the laptops and the iPhones/iPads.
    HTTP has been introduced for the Androids as the RADIUS probe wasn't receiving the user agent string from all the test Android devices; for example, a Samsung Galaxy S3 phone would send the user agent string and be profiled correctly, whereas a Samsung Note 10.1 tablet wouldn't send the user agent string, so would be profiled as an unknown device.
    I was attempting to keep it as seamless as possible for the end user. So I am not using device registration, supplicant provisioning, etc. Obviously the posture assessment process isn't exactly seamless, but once the users have downloaded the NAC client, etc., it is pretty seamless from a user interaction point of view from then on.
    For the Apple devices and the Androids, I have an authorisation policy that says if the device is a profiled iPhone/iPad/Android, use CWA and the guest portal; users log in via AD credentials, accept the AUP and away they go. Some of the Androids ignore this policy and then match on the policy for the laptops (posture assessment). Once connected and in posture pending status, the redirection to the NAC agent page fails, but the Android is then profiled correctly via the HTTP probe. If I attempt to browse again, I get redirected to the guest portal via CWA as the device has been profiled as an Android, and the user can log in, accept the AUP and away they go.
    I'd love to hear from people who have implemented Android profiling in production environments, and how you have done it.
    I am aware that not using device registration/supplicant provisioning, etc. isn't exactly a validated design, but for the purpose of the Android profiling, it shouldn't be relevant.
    I am presently using ISE 1.1.3.
    Huge thanks in advance guys, any assistance is always greatly appreciated.
    Cheers,
    JS

    I have run into this scenario also and I shy away from using HTTP profiling on the wireless device sensor because it causes issues with applications that fail to include the type of device.
    Have you checked the DHCP client identifier? I think Android has an Android-specific string, so you may want to bump up the certainty factor.
    Sent from Cisco Technical Support Android App

  • Mac OS X unable to download Cisco ISE supplicant agent

    Hi,
    I have a problem with Mac OS X clients being unable to download the Cisco ISE supplicant agent using the Safari browser, while able to log in on the ISE guest portal. If the same client logs in to the ISE guest portal using Firefox, it has no issues downloading the ISE supplicant and posture agent.
    I have tried updating the Java version on the client to the latest; however, it does not resolve the issue. As I am new to Mac OS clients, I was wondering what may be the cause of the issue?
    I have summarized the issue as follows:
    1. Mac OS X 10.8 with Safari 6 -- unable to download agent but can log in successfully on the Cisco ISE guest portal
    2. Mac OS X 10.8 with Firefox -- able to log in to Cisco ISE guest portal and download agents; no issues
    3. Mac OS X 10.7 with Safari and Firefox -- unable to download agent but can log in successfully on the Cisco ISE guest portal
    4. Windows XP & Windows 7 & iPhone/iPad/Android -- able to log in/download agent without any issues
    Any suggestions are appreciated.
    Thanks.

    For Agent Download Issues on Client Machine
    • Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the policy identity group, conditions, and type of agent(s) defined in the policy. (Also ensure whether or not there is any agent profile configured under Policy > Policy Elements > Results > Client Provisioning > Resources > Add > ISE Posture Agent Profile, even a profile with all default values.)
    • Try reauthenticating the client machine by bouncing the port on the access switch.
    Remember that the client provisioning agent installer download requires the following:
    • The user must allow the ActiveX installer in the browser session the first time an agent is installed on the client machine. (The client provisioning download page prompts for this.)
    • The client machine must have Internet access.
    Client Machine Operating Systems and Agent Support in Cisco ISE
    Check the following link
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp95449

  • Android rejecting ISE's publicly-signed certificate?

    We have recently deployed a VeriSign certificate on ISE for both HTTPS and EAP; it uses a corporate CA to generate and push out user certs. It seems to work on all devices but Android.
    The Android device successfully completes the onboarding process, but when it tries to connect using EAP-TLS, it fails and the following error shows on the ISE:
    "Authentication failed: 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate"
    It has been verified that VeriSign's root certificate has been pushed out and installed on the Android devices. I can't understand why the client would not trust/validate the VeriSign certificate.
    Has anyone seen this before? Does the client need a corporate root certificate chain to trust the user certificate it has been provisioned with? Could that be the problem?
    The ISE is running v1.1.3 patch 1.

    Hi
    The error message means:
    This is an indication that the client does not have or does not trust the Cisco ISE certificates.
    For both the client/server certs, check if there are multiple levels in the cert chain (intermediate certs); if so, you need to make sure that the intermediate certs have been installed in ISE and in the client machine as well.
    - Could you provide me the model and make of the supplicant you have been facing the issue with? Is it Android 4.1.x? Also, is it happening with just one client or with all of the clients?
    I would strongly suggest you install all the chain certs in both ISE and the client, test it and let me know if it helped.
    Regards
    Minakshi (Do rate the helpful posts )

  • ISE 1.2, Supplicant configured for 802.1x but need to MAB

    I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
    If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
    Does anyone have any similar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
    Thanks in advance

    Maybe the held-period and quiet-period parameters would help.  I would not change the TX period to anything shorter than 10 seconds.  Every Cisco doc that I have ever seen has made this same recommendation, and I can tell you from experience you will at times have devices that authenticate via MAB when you don't want them to if you decrease it lower than 10 seconds.
    Read this doc for best practices including the timers listed below.
    I hope this link works.  http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
    If not, go to www.ciscolive365.com (sign up if you haven't already) and search for
    "BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
    Change the dot1x held, quiet, and ratelimit-period to 300.
    held-period seconds
    Configures the time, in seconds, for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
    quiet-period seconds
    Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state) following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
    ratelimit-period seconds
    Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated for the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.

  • ISE 1.2 - MAB Guest and MAB Supplicant Provisioning

    In short, I'm trying to provide a configuration whereby a Guest utilises MAB and a set of sponsor-created credentials to gain access to the Internet via the portal. In addition to this I am also trying to provide MAB for "Corporate BYOD" utilising AD credentials, resulting in supplicant provisioning. I am aware of other ways of doing this in terms of utilising PEAP and an NSP redirect, but in this instance my only real option is MAB. Could anyone provide me with an example of how they have approached this situation?
    I tried to do a CWA redirect for both use cases but provided a separate "2nd auth" for each of them. My BYOD 2nd auth was the actual NSP redirect - which worked except the MAC address could not be populated into the field (see flow below for BYOD redirect).
    MAB > CWA Redirect (AD credentials) > "2nd Auth"  = NSP Redirect

    Please disregard I have it fixed. Long story short I was over engineering it. I was unaware that ISE was able to differentiate between Guest users and other users with regards to the "Enable Self Provisioning flow".
    Thanks
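The profiling behaviour discussed in the "ISE deny access to Android devices" and "ISE and Android Profiling" threads (OUI from the RADIUS probe, User-Agent from the HTTP probe, class identifier from the DHCP probe, each adding a certainty factor) can be modelled with a small scorer. This is an added example, not code from any post or from Cisco ISE: the OUI entry, the certainty factors, the minimum certainty and the DHCP string are constructed values; only the User-Agent is the one quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for this illustration: the OUI entry, the
# certainty factors and the DHCP string are not ISE's shipped policies
# and must be replaced with values observed on real endpoints.
OUI_VENDORS = {"001122": "Samsung Electronics"}   # constructed OUI
MIN_CERTAINTY = 20                                # constructed threshold


@dataclass(frozen=True)
class Rule:
    profile: str     # profiler policy this condition belongs to
    attribute: str   # endpoint attribute learned by a probe
    pattern: str     # regex applied to the attribute value
    certainty: int   # certainty factor added on a match


# Each probe contributes attributes: RADIUS gives Calling-Station-Id
# (hence the OUI vendor), HTTP gives the User-Agent, DHCP gives the
# class identifier. Two conditions feeding the same profile stack up,
# which is the "bump up the certainty factor" advice from the thread.
RULES = (
    Rule("Samsung-Device", "oui_vendor", r"Samsung", 20),
    Rule("Android", "user_agent", r"\bAndroid\b", 30),
    Rule("Android", "dhcp_class_identifier", r"^android-dhcp-", 30),
)


def oui_vendor(calling_station_id: str) -> Optional[str]:
    """Map a MAC written with ':', '-' or '.' separators to its OUI vendor."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id).upper()
    if len(digits) != 12:
        return None
    return OUI_VENDORS.get(digits[:6])


def score_profiles(endpoint: dict) -> dict:
    """Sum the certainty factor of every matching condition, per profile."""
    attrs = dict(endpoint)
    vendor = oui_vendor(attrs.get("calling_station_id", ""))
    if vendor:
        attrs["oui_vendor"] = vendor
    scores: dict = {}
    for rule in RULES:
        value = attrs.get(rule.attribute)
        if value is not None and re.search(rule.pattern, value):
            scores[rule.profile] = scores.get(rule.profile, 0) + rule.certainty
    return scores


def profile_endpoint(endpoint: dict) -> str:
    """Pick the highest-scoring profile that reaches the minimum certainty."""
    eligible = {p: s for p, s in score_profiles(endpoint).items()
                if s >= MIN_CERTAINTY}
    return max(eligible, key=eligible.get) if eligible else "Unknown"


def authz(endpoint: dict) -> str:
    """The thread's rule: if the endpoint profiles as Android, deny access."""
    return "DenyAccess" if profile_endpoint(endpoint) == "Android" else "PermitAccess"


# Constructed endpoints. The User-Agent is the one quoted in the thread.
GALAXY_PHONE = {
    "calling_station_id": "00-11-22-33-44-55",
    "user_agent": "Mozilla/5.0 (Linux; U; Android 2.3.6; es-us; GT-I9070 "
                  "Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) "
                  "Version/4.0 Mobile Safari/533.1",
}
# A tablet whose browser never reached the HTTP probe: RADIUS data only.
TABLET_RADIUS_ONLY = {"calling_station_id": "00:11:22:66:77:88"}
# The same tablet once the DHCP probe has supplied a class identifier
# (constructed value; real Android strings vary by version).
TABLET_WITH_DHCP = dict(TABLET_RADIUS_ONLY, dhcp_class_identifier="android-dhcp-4.4")

if __name__ == "__main__":
    for name, ep in [("phone", GALAXY_PHONE), ("tablet/radius", TABLET_RADIUS_ONLY),
                     ("tablet/dhcp", TABLET_WITH_DHCP)]:
        print(name, score_profiles(ep), profile_endpoint(ep), authz(ep))
```

The tablet that only ever hits the RADIUS probe stays "Samsung-Device" and slips past an "Android means deny" rule, which is the inconsistent behaviour the first thread describes; the DHCP condition closes that gap without relying on the HTTP probe.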

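The chain problem raised in "ISE problem with EAP-TLS Supplicant Provisioning" and "Android rejecting ISE's publicly-signed certificate?" (root trusted on the client, EAP server certificate issued by an intermediate that neither side supplies) comes down to certificate path building. This added example, not code from any post or from Cisco ISE, models that path building by issuer/subject name only; the hierarchy and names are constructed placeholders, and a real validator also checks signatures, validity periods and key usage.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str   # who the certificate is for
    issuer: str    # subject of the CA that signed it
    is_ca: bool    # basicConstraints CA flag


# Constructed three-level hierarchy like the ones in the threads:
# public root -> public intermediate -> ISE host certificate bound to
# the RADIUS/EAP service. All names are placeholders.
ROOT = Cert("Public Root CA", "Public Root CA", True)
INTERMEDIATE = Cert("Public Intermediate CA", "Public Root CA", True)
ISE_EAP = Cert("ise.example.invalid", "Public Intermediate CA", False)


def build_path(leaf: Cert, presented: List[Cert],
               trusted: List[Cert]) -> Tuple[Optional[List[Cert]], str]:
    """Chain issuer links from the leaf up to a trust anchor.

    'presented' is what the EAP server sent in the TLS handshake and
    'trusted' is the supplicant's trust store. Only name chaining and
    the CA flag are checked (a model, not a real X.509 validator).
    """
    anchors = {c.subject: c for c in trusted}
    available = {c.subject: c for c in presented}
    available.update(anchors)            # installed CA certs can fill gaps
    path, current = [leaf], leaf
    while current.subject not in anchors:
        issuer = available.get(current.issuer)
        if issuer is None:
            return None, (f"issuer '{current.issuer}' neither sent by the "
                          f"server nor installed on the client")
        if issuer.subject == current.subject:
            return None, (f"chain ends at self-signed '{current.subject}', "
                          f"which is not in the client trust store")
        if not issuer.is_ca:
            return None, f"'{issuer.subject}' is not a CA certificate"
        path.append(issuer)
        current = issuer
    return path, "ok"


def handshake_outcome(presented: List[Cert], trusted: List[Cert]) -> str:
    """Summarise what the supplicant would decide about the ISE EAP cert."""
    path, reason = build_path(ISE_EAP, presented, trusted)
    if path is None:
        return "client rejected the ISE local-certificate: " + reason
    return "trusted via " + " -> ".join(c.subject for c in path)


if __name__ == "__main__":
    # The failing case from the threads: only the root is on the phone
    # and ISE sends just its host certificate.
    print(handshake_outcome([ISE_EAP], [ROOT]))
    # Fix A: ISE sends the intermediate along with its host certificate.
    print(handshake_outcome([ISE_EAP, INTERMEDIATE], [ROOT]))
    # Fix B: the intermediate is installed on the client as well.
    print(handshake_outcome([ISE_EAP], [ROOT, INTERMEDIATE]))
```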