ISE 1.2 - Self-Provisioned devices still in pending registration status

Hi everybody,
I'm on ISE 1.2 patch 2, setting up a single-SSID self-provisioning BYOD flow which works as expected except for a couple of issues:
the first PEAP authorization always fails (no server certificate confirmation appears on the device and no Endpoint Profile is assigned); the second one goes through as expected and the self-registration flow is started;
at the end of the flow, TLS certs are installed and the device appears in the endpoint database under the user's account, but "Device Registration Status" stays "pending", and this makes it impossible to further authorize the RegisteredDevices identity group;
a single mobile device gets a different "Endpoint Profile" result at each subsequent access. For example: Android smartphones are profiled as Android, HTC device, HP device or Samsung at random.
I've tried to analyze log files but cannot extract a full dump of the profiling process that could help identify why all this happens.
Can you please help?
Regards,
L

Hi Kevin,
I did not find an answer. In subsequent patches the self-registration flow seems to have changed somehow and now I have more devices in 'Registered' state, but still, most of the time, at the end of the process there is no guarantee that the devices will be in this state. I've moved to broader policies for authorization (i.e. if you have a valid certificate and log in from one of the accepted profiles, we'll let you in).
If you open a TAC case, please let me know what the answer is.
Regards,
L

Similar Messages

  • ISE Using my device Portal , devices still in pending registration status

    Abstract:
    I'm on ISE 1.2 patch 8.
    We want to give wireless access to mobile devices using 802.1x with Active Directory. The condition is that the user must previously register the mobile device in the "My Devices portal".
    -The corporate user, connected from the LAN network, logs in to the "My Devices portal" using their Active Directory account and registers their device.
    -The policy defined in ISE indicates that 802.1x users in an AD group and matching the condition "RegisteredDevices" can access the network (see screen 1)
    -Users access the wireless network from their mobile device by entering their name from AD and finally access the network.
    -In the "My Devices portal" the devices always show "Pending" status. All works as expected except for this situation.
    Can you please help?
    Regards,
    Marco Muñoz

    It looks like you don't have any provisioning profiles configured.
    Under Admin settings make sure client provisioning is enabled. Try to set "Native Supplicant Provisioning Policy Unavailable" to Allow Network Access.

  • ISE 1.2 WEBAUTH (CWA) + SELF PROVISIONING (NSP)

    I'm trying to achieve the following for our employees, contractors and guests.
    Guests and contractors should be allowed to access the internet after successful auth on the ISE guest portal login page.
    contractors (ldap contractor group) -> webauth -> internet
    guest (internal ise db via sponsorportal) -> webauth -> internet
    Employees should be allowed to register their devices after successful auth on the ISE portal login page, and they should be allowed to access the internet once their device is registered, so they don't have to re-enter the credentials every 2 hours.
    employee (ldap employee group) -> webauth -> nsp -> internet
    In ISE I've created a custom portal with mobile device portal and self-provisioning flow enabled. At the moment I don't have any client provisioning policy configured and I've set "Native Supplicant Provisioning Policy Unavailable" to Allow network access.
    I'm currently experiencing problems with clients and they describe their problem as a portal loop: when they enter their credentials they are redirected to the portal once again. I did move around some of the rules and it currently looks like this. At the moment I'm working remotely and not able to replicate the problem myself. Any advice would be welcome and much appreciated.
    Is there any available documentation about the built-in attributes in ISE? I'm especially interested in "Network Access:UseCase EQUALS Guest Flow".

    Hi Patrick,
    I'm facing a similar problem to yours, but on wired. My contractor (I name it vendor) is redirected to the guest portal, and when they log in they are redirected to the portal again.
    For the device registration, I have set "Native Supplicant Provisioning Policy Unavailable" to Allow network access.
    My authorization rules are as follows:
    1- rule name: Vendor-wired : identity: RegisteredDevices AND identity group: VENDOR ; authorization profile: VENDOR-ACCESS
    2- rule name: WIRED-CWA : identity: any ; condition: device-type:SWITCH ; authorization profile: CWA-PORTAL
    It looks like, when the vendor logs in, they are not hitting the first rule, although the device shows up in the registered devices and the vendor account is in the VENDOR identity group (local in ISE), so they fall through to rule 2 again, which redirects them to the CWA-PORTAL again.
    Did you find any hint for this problem?

  • ISE upgrade 1.2: Self-provisioning portal not working

    Hi all,
    I need help with Self-Provisioning portal flow not showing the agent installation page after upgrade from 1.1.1 to 1.2 on a couple of 3315. I've configured all the pieces as instructed by BYOD SBA guide at http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_InternalCorporateAccessDeploymentGuide-Feb2013.pdf
    Screenshot of page is attached:
    I've checked the ise-console.log application log file and found two errors corresponding to the first page:
    [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- com.cisco.cpm.provisioning.exception.ProvisioningException: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
    [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:-         at com.cisco.cpm.provisioning.cert.CertProvisioningFactory.initialize(CertProvisioningFactory.java:333)
    and the second (not working) one:
    [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- java.lang.NullPointerException
    [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:-  at com.cisco.cpm.provisioning.cache.FlowStateCacheManager.getFlowStateCache(FlowStateCacheManager.java:202)
    Looks like something is wrong with a certificate file, but I cannot find what it is. I've exported and re-installed the current server certificates (as instructed by the upgrade guide for 1.2) and nothing changed.
    Can somebody please help?
    Thanks,
    L
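The first error in that log comes from the JDK's DER parser: its getLength() refuses a long-form length that announces more than 4 length octets, and a reported lengthTag of 127 means the byte following the ASN.1 tag was 0xFF, which no well-formed DER certificate starts with, so the bytes being parsed are most likely not DER at all (PEM text, a truncated export, or the wrong file). The following added check (not part of the post or of ISE; the file name and all sample inputs are constructed) mirrors that rule so an exported certificate can be sanity-checked before it is re-imported:

```python
import base64
import binascii
import re
import sys

# Constructed sample inputs (not real certificates): a minimal DER SEQUENCE
# holding one INTEGER, the same bytes in PEM armour, and malformed headers
# of the kind DerInputStream rejects.
DER_OK = bytes([0x30, 0x03, 0x02, 0x01, 0x05])                      # SEQUENCE { INTEGER 5 }
DER_LONG_FORM = bytes([0x30, 0x82, 0x00, 0x03, 0x02, 0x01, 0x05])   # length in two octets
DER_INDEFINITE = bytes([0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00])  # BER only, never DER
DER_BAD = bytes([0x30, 0xFF, 0x02, 0x01, 0x05])                     # length byte 0xFF
PEM_OK = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(DER_OK)
          + b"-----END CERTIFICATE-----\n")

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def java_length(len_byte: int, rest: bytes):
    """Mirror the rules of the JDK's DerInputStream.getLength().

    Returns (content_length, extra_length_octets) or raises ValueError using
    the same wording the JDK puts in its exception message.
    """
    if len_byte & 0x80 == 0:                 # short form: the byte is the length
        return len_byte, 0
    tag = len_byte & 0x7F                    # long form: number of length octets
    if tag == 0:
        raise ValueError("indefinite-length encoding (0x80), not permitted in DER")
    if tag > 4:                              # JDK refuses more than 4 length octets
        raise ValueError(f"DerInputStream.getLength(): lengthTag={tag}, too big.")
    if len(rest) < tag:
        raise ValueError("truncated length field")
    return int.from_bytes(rest[:tag], "big"), tag


def diagnose_der(data: bytes) -> str:
    """Check the outermost TLV header of what should be a DER certificate."""
    if len(data) < 2:
        return "too short to contain a DER header"
    tag, len_byte = data[0], data[1]
    if tag != 0x30:
        return f"first byte 0x{tag:02x} is not a SEQUENCE tag; not a DER certificate"
    try:
        length, extra = java_length(len_byte, data[2:])
    except ValueError as exc:
        return f"bad DER length: {exc}"
    body = len(data) - 2 - extra
    if body != length:
        return f"DER length {length} does not match the {body} bytes of body"
    return "valid DER header"


def diagnose_cert_file(data: bytes) -> tuple:
    """Classify a file as PEM or DER and report what a DER parser would see."""
    m = PEM_RE.search(data)
    if m:
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except (ValueError, binascii.Error) as exc:
            return ("PEM", f"base64 body does not decode: {exc}")
        return ("PEM", diagnose_der(der))
    kind = "DER" if data[:1] == b"\x30" else "unknown"
    return (kind, diagnose_der(data))


if __name__ == "__main__":
    # Usage: python der_check.py exported_cert.cer   (hypothetical file name)
    with open(sys.argv[1], "rb") as fh:
        kind, verdict = diagnose_cert_file(fh.read())
    print(f"{kind}: {verdict}")
```

Running it over each file in an exported certificate chain reproduces the JDK's own verdict offline, so a PEM file mistakenly supplied where DER was expected shows up before the portal logs the exception.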

    Errors When Adding Devices to My Devices Portal
    Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
    If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
    If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
    For more information on self-provisioning, see:
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html

  • ISE Guest Self-Provisioning Portal

    Hi,
    I get the Guest portal page and my credentials authenticate correctly and the device is authenticated using MAB. Then I am redirected to the Self-Provisioning portal and get this message:
    This device has not been registered
    You need to manually configure your device
    Your device configuration is not supported by the setup wizard
    Device ID < MAC of my windows XP PC
    Any idea how to enable self registration for guests?
    My goal is that when a guest authenticates for the first time, they need to enter credentials and register their MAC address; when the guest comes again they only need to pass authentication, without registering the MAC address.
    Thanks

    Tarik, where is the mistake in my steps?
    1) I create Authorization Profile for Guest devices registration (see attach AuthProfile)
    2) I create Authorization Profile for Web Registration
    3) I create Authorization Policy (see attach AuthPolicy)
    When the user connects to the network, he is redirected to the Guest Portal where he needs to accept the AUP; after clicking "Accept" an error appears (see attached ISE_Error). In ISE I see the following errors (see attached ISE_Auth_Error).

  • CUCM 10 Self Provisioning Problem with TAGs on Universal Device Template

    Hi friends.
    I've been provisioning IP Phones by Self Provisioning. The phones were provisioned almost perfectly. I noticed that the TAGs I filled in on the Device Template (look above) are not "translated" on the Device Phone.
    Universal Device Template
    The Tags on Universal Line Template comes  perfectly to Line Description.
    Had you ever seen something like this?
    Kind Regards
    Fernando Penteado

    Hi folks. I could identify the problem with the Variable and TAG. In order for Self Provisioning to work fine, we need to mark Owner User on the Universal Device Template.
    Look that.
    Thanks

  • Upgraded to Mavericks. Now cannot connect to wifi. All my other devices will connect. Have reset wireless hot spot switch and cable modem. Other devices still connect but MacPro does not. MacPro wireless is self-assigning an IP address, blocking access.

    Upgraded to Mavericks. Now cannot connect to wifi. All my other devices will connect. Have reset wireless hot spot switch and cable modem. Other devices still connect but MacPro does not. MacPro wireless is self-assigning an IP address, blocking access. It will connect if I connect to my iPhone hot spot via wifi. Any ideas?

    If you follow this video you'll see how to delete your WiFi AP from the OS, this will allow you to select it again which I feel will correct your problem.
    https://app.box.com/s/fe7v7h7kywjr23spumqp

  • ISE, BYOD: guest clients provisioning

    Hello!
    The question is about provisioning different types of wifi clients through the ISE Guest portal.
    ISE 1.1.4, WLC 7.4.100 (Guest WLAN uses MAB)
    Suppose, there are two groups of wireless clients:
    1) guest user, whose credentials are created through the ISE Sponsor Portal
    2) domain user, who has credentials in ActiveDirectory
    The aim is to provision domain user, and not provision guest user.
    When client connects to Guest SSID and opens the browser, he is redirected to ISE Guest portal.
    When the client uses a domain user, he is provisioned, and when he uses guest credentials he is not provisioned.
    How does ISE understand that the domain user must be provisioned and the guest user must not be provisioned, if the Web portal is configured to provision everyone?
    (Web Portal -> Settings -> Enable Self-Provisioning flow)

    The answer is that typically you either know the MAC address or you have something installed (NAC agent?) and fulfill some requirements.
    Alternatively, you can perform CWA first (and...)
    Then if user is part of guest users -> allow internet only access
    If user is part of AD -> send him to do registration.
    Authorization policy allows you to use "identity group" as part of condition.
    If device registered -> allow full access. (just an idea).
    M.

  • Cluster utilization and self-provisioning

    I am moving to a cloud infrastructure with vCAC for self-provisioning. How does this impact my target utilization for my HA cluster? Previously I was targeting running each cluster at 80% utilization of RAM and CPU on each host for average peak utilization. Now I am going to allow VMs to be self-provisioned. I won't control the provisioning process anymore, but various clients and tenants can provision VMs at will without my notice. As a result, I have to be able to have capacity available more quickly to add VMs, and not suddenly run out of cluster capacity. I want to minimize waste by running my clusters to capacity, but I also need to maximize elasticity. What are some guidelines on how to do this? Anyone have experiences to share?
    1. what did you pick as a target utilization figure and why ?
    2. how did you capacity plan / forecast for cluster capacity?
    3. did you use admission control?

    Sounds like a cool project. Keep in mind that from an infrastructure standpoint HA and admission control are still trying to solve the same problem, recover VMs from a host or OS failure as quickly as possible.
    As an example, if your new cluster has 20 hosts and you want to be able to have a host in maintenance mode and still suffer a host failure and you've decided to use % based admission control policy (this is the default recommendation, I would recommend you evaluate your environment and determine if it is the right option for you), you'll want to set the % at 10%. This will ensure that your cluster has sufficient resources to restart all running VMs. Keep in mind that unless VMs have reservations, HA just reserves capacity to start the VM, there is no guarantee of performance.
    As far as your target utilization, that depends on the SLAs you are providing and your tolerance for risk.
    At the last customer I worked for the answers were:
    1. We reserved capacity in a cluster such that we could have a host in maintenance mode and still lose a host and have no VMs experience performance degradation
    2. vCOps
    3. Yes

  • Cisco ISE trying to posture a device that should not be able to be postured

    Overview:
    Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing.
    Mobile device authorisation policy configured:
    Problem:
    A few days later, mobile devices don't seem to end up in the policy that has EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE classifies mobile devices as Posturable. The Posture Status that previously was "NotApplicable" now shows up as "Pending". See below.
    Troubleshooting:
    I tried a total of 4 different mobile devices, 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly, after a few tries both the Androids started working and have the PostureStatus of "NotApplicable"; no configuration changes were made. The 2 Apple devices still don't work and show up as "Pending".
    I have restarted ISE, Access Point and Apple device. I have also tried other Apple device. All with the same problem.
    Have any of you guys experienced this before?

    Hi,
    I have also experienced the same issues as yourself and would recommend opening a tac case. However I have used the device registration web portal to redirect all previous detected mobile devices to accept the aup and have them statically assigned to an endpoint group so they do not hit this scenario.
    I know it is a workaround but it's the only way I could get this to work and not affect devices that were at one time detected as such.
    Tarik Admani
    *Please rate helpful posts*

  • Java not recognized by Cisco Self-Provisioning Portal on Apple computers

    Have a Mac Mini running that had this problem under OSX 10.8 and is persisting in 10.9.  When this computers reaches the self-provisioning portal, after clicking submit on the MAC address registration, the following screen displays an erroneous error that Java isn't installed.
    Have gone through updating Java from Apple (2013-005) as well as from Oracle/Java (1.7), and applied several variations of uninstalling and reinstalling Java; it doesn't seem to make a difference. From the top, the Mac Mini attaches to Wifi and the self-provisioning page appears with an authentication request. The user authenticates successfully. The next page displays the MAC address for the machine and a description field. Upon filling out the description, the page is submitted. The following page, which should complete the provisioning process, instead displays an error that Java isn't installed and the user should go to java.com to complete the installation. According to java.com, Java is installed. According to the terminal (by executing the command "java -version"), Java is installed. Other Java applications, like JDE, run perfectly well. The self-provisioning page seems to be unaware of Java despite everything else. Ideas?

    Thanks. No dice. The instructions on that page also appear to be woefully out of date too. In Safari, on the preferences security tab, there is no checkbox for "Enable Java" (I think that is a Safari 6.0.4 thing on OS X 10.8 or thereabouts). In OS X 10.9 there's just the "allow plugins" checkbox and the "manage website settings" button. Assuming this is where it's at now, moving to the Java plugin in the list, they were already "allow". I went a step further and set it for the three websites listed (that include the provisioning portal domain) to "allow always". No luck. Then went to another step further and click "run in unsafe mode" for every item in the Java website list and again it made no difference. The self provisioning portal page still says that Java isn't installed :-(
    For Firefox, the instructions on that page are out of date too. Under what I believe are the correct settings, the Java applet plug-in for 7.45 is set to "always activate". I assume this is the same thing as seeing the "disable" button in previous FF versions, indicating that the job applet plug-in is actively running.
    The chrome instructions on the page are irrelevant because my OS X and hardware are 64-bit and so is Java but not chrome. Therefore Java doesn't run on chrome on this machine in the first place.
    I don't know whose browser the self provisioning portal fires up since it fires up its own window, not a Firefox or Safari specific one. In Windows for example the self-provisioning portal fires up a tab in IE. That actually makes it simpler to debug IMO.
    Any more advice? Java seems to be running just fine for every thing else. What am I missing?
    UPDATE (Just another thought)
    Alternatively, could it be an issue with WebKit? Or Cisco's implementation of WebKit (as far as whether any changes would have been required for OS X 10.9 in the way WebKit is instantiated)? If for example the self provisioning portal is opening up its own "browser" by using the Safari WebKit function (as opposed to opening a tab directly in Safari itself), could this be a bug in Safari itself, or a changed API that Cisco has failed to implement (considering the other incompatibilities various Cisco products have with OS X 10.9)? I just hope that the problem is something that I can fix with a workaround rather than waiting for a patch from either Apple or Cisco that may or may not come anytime soon. :-/

  • ISE Posture for non-agent device problem

    I have a couple of questions:
    - The documents say: "these (non-agent) devices assume the Default Posture Status settings". I wonder how ISE determines that a device is a non-agent device, or to put it another way, when are the Default Posture Status settings applied to a device? Is it after some period of time not receiving anything from the agent? If yes, can I change that time in ISE, and where?
    - I tested this in my lab and saw that: after the user successfully logs in with his account, and the Authorization profile with Client provisioning is applied to that session, the user goes to a web page and gets redirected to the CPP page. Now if he just sits there and doesn't install the NAC agent, I noticed that after about 40s the session is automatically restarted as a new one, with a different session ID but the same username. The new session gets to the point where the same redirect Authorization profile is applied and the whole process cycles over and over. Things I observed each time the session restarts:
    + The user doesn't even have to enter the credentials again. The 802.1x login doesn't popup 
    + The Default Posture status (I set it to Noncompliant) is applied to the session right before it restarts. I can see an event on ISE indicating that. The event also shows the Acct-Terminate-Cause as "Admin Reset"
    + If at any point, the user installs a NAC agent then he can break the cycle (e.g becomes compliant) and carry on with other Authorization profiles
    So my question is: is that the expected behavior of ISE? It seems to do no harm, except that new sessions are created continuously.
    Or have I configured something wrong?

    Anybody?

  • EX90 and Self-Provisioning IVR

    I am building a demo and I want users to be able to connect a EX90/60 to it, let auto-register with CUCM, and then use the self-provisioning IVR to setup the device.  I have the Self-Provisioning setup and working with all the phones like 9971/DX650/etc.  When I dial the route point number for the self-provisioning IVR on the EX90 it answers and when I try to put in my self-service user ID to provision the EX, the IVR doesn’t recognize any dtmf tones.    I’ve looked and I’ve looked and can’t find out why the keys aren’t being recognized on the EX90.  I’ve self provisioned this same EX90 device in another demo and it works just fine.  Can anyone clue me in on what this could be?  Thanks in advance!

    Thanks, I'll keep an eye out for the new release. I looked up the bug but I saw it was for a C series and not an EX. Don't know if that makes a difference. I also tried to do the xcommand and I was able to hear the digits being sent, but it had the same results as if I pressed the keys myself on the codec. I tried other services like calling voicemail and it was able to detect the DTMF being sent to it right away. Just not the Self-provisioning IVR.
    Thanks
    Jason

  • I am facing an issue on my iPhone 5s after updating to iOS 7.1.1: every so often the phone hangs after I lock it and cannot be unlocked, and I cannot even turn on the screen. This is so annoying; kindly advise whether I have to go back to the store, as the device is still under warranty.

    I am facing an issue on my iPhone 5s after updating to iOS 7.1.1: every so often the phone hangs after I lock it and cannot be unlocked, and I cannot even turn on the screen. This is so annoying; kindly advise whether I have to go back to the store, as the device is still under warranty, and whether it's a hardware issue or software??

    Hello HaithamOkeely,
    We've an article that provides the following troubleshooting steps that may help stabilize your iPhone.
    If the device is unresponsive or if certain controls aren't working as expected, restart your device.
    If the device remains unresponsive or does not turn on (or power on), reset your device.
    If there is no video or if the screen remains black, verify that the device has enough charge to turn on:
    If you are using an iPad, ensure that it's connected to the USB Power Adapter supplied with the device.
    Let it charge for at least twenty minutes, then see if it starts normally.
    If there is no image on the screen, press the Sleep/Wake button to attempt to wake the device.
    If the screen displays a red battery icon, continue charging the device until the battery is fully charged. Learn more about charging iPhone and iPod touch, or iPad.
    If the above steps do not resolve the issue, or the if the screen remains black or shows a persistent Apple logo, try restoring with iTunes:
    Connect the device to your computer and open iTunes.
    If the device appears in iTunes, select it and click Restore on the Summary pane. Learn more about restoring iOS software.
    If the device doesn't appear in iTunes, try to force the device into recovery mode, and then restore it.
    If the above steps do not resolve the issue, contact Apple.
    iOS: Not responding or does not turn on
    http://support.apple.com/kb/TS3281
    Cheers,
    Allen

  • HT3180 My apple tv box no longer turns on, the white light constantly flashes on and off but no signal to my tv. All devices still pick up airplay but not actually playing. Restoring the box has made no difference, any clues?!

    My apple tv box no longer turns on, the white light constantly flashes on and off but no signal to my tv. All devices still pick up airplay but not actually playing. Restoring the box has made no difference, any clues?!

    Was the restore done via iTunes?
    http://support.apple.com/kb/HT4367?viewlocale=en_US&locale=en_US
    If so then you may need to take it to Apple.
