ISE 1.2 WEBAUTH (CWA) + SELF PROVISIONING (NSP)

Similar Messages

• ISE 1.2 - CWA supplicant provisioning with anchor WLC

  Hi all,
  Having an issue with supplicant provisioning via CWA on an anchor controller. I am able to connect via CWA and authenticate etc no problems but when the device registration page appears it says "unable to connect to the network at this time" - the mac address is populated but the button says try again. Once I click try again it cycles back to the original guest portal login page. In the reports section the failed supplicant provisioning message is "Error while trying to determine access privileges: Fail to get hostName from session cache.".
  I have tried the same policy without the anchor (ie local controller) and it works perfectly. Interestingly enough if I manually register the device first then connect to the guest portal it allows me to click register and proceed to supplicant provisioning. I have also tried the anchor setup using peap and the NSP redirect - this also works perfectly.
  I can confirm ahead of time that firewalls etc are not an issue with permit IP any any between all working parts - no blocks no drops etc. The policy is the standard trustsec CWA setup with Enable self-provisioning ticked. For what it is worth I am absolutely confident with the config having deployed this before - albeit without an anchor controller.

  Stephen,
  I was able to work with TAC the customer account team to find a resolution.  The issue is with the Anchor WLC and the session not being replicated.  I was able to get around it by disabling radius accounting for the ssid on the anchor controller, but when looking at the bug it looks like an alternative fix is to disable fast ssid switching, which would cause issues with BYOD in the dual ssid world.  I'm still doing testing, but the accounting change seems to have solved it.  The bug ID is: CSCui38627

• ISE 1.2 - Self-Provisioned devices still in pending registration status

  Hi everybody,
  I'm on ISE 1.2 patch 2, setting up single-SSID self-provisioning BYOD flow which works as expected except for a couple of issues:
  first PEAP authorization always fails (no server certificate confirmation appears on device and no Endpoint Profile is assigned), second on goes through as expected and self-registration flow is started;
  at the end of the flow, TLS certs are installed, device appears in endpoint database under user's account but "Device Registration Status" stays "pending" and this makes it impossibile to further authorized RegisteredDevices identity group;
  single mobile devices gets different "Endpoint Profile" result at each subsquent access. For example: Android smartphones are profiled as Android or HTC device or HP devices or Samsung randomly.
  I've tried to analyze log files but cannot extract a full dump of the profiling process that could help identify why all this happens.
  Can you please help?
  Regards,
  L

  Hi Kevin,
  I did not find and answer. In subsequent patches the self-registration flow seems to have changed somehow and now I have more device in 'Registered' state, but still most of the time at the end of the process there is no guarantee that the devices will be in this stage. I've moved to more broad policies for authorization (i.e. if you have a valid certificate and login from one of the accepted profiles, we'll let you in).
  Please let me know if you open a TAC case, what is the answer.
  Regards,
  L

• ISE upgrade 1.2: Self-provisioning portal not working

  Hi all,
  I need help with Self-Provisioning portal flow not showing the agent installation page after upgrade from 1.1.1 to 1.2 on a couple of 3315. I've configured all the pieces as instructed by BYOD SBA guide at http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_InternalCorporateAccessDeploymentGuide-Feb2013.pdf
  Screenshot of page is attached:
  I've checked ise-console.log application log file and found two errors correponding to the first page:
  [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- com.cisco.cpm.provisioning.exception.ProvisioningException: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
  [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:-         at com.cisco.cpm.provisioning.cert.CertProvisioningFactory.initialize(CertProvisioningFactory.java:333)
  and the second (not working) one:
  [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- java.lang.NullPointerException
  [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:-  at com.cisco.cpm.provisioning.cache.FlowStateCacheManager.getFlowStateCache(FlowStateCacheManager.java:202)
  Looks like something is wrong with a certification file, but I cannot find what is. I've exported and re-installed current server certificates (as instructed by upgrade guide for 1.2) and nothing changed.
  Can somebody please help?
  Thanks,
  L

  Errors When Adding Devices to My Devices Portal
  Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
  If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
  If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
  For more information on self-provisioning.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html Errors When Adding Devices to My Devices Portal
  Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
  If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
  If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
  For more information on self-provisioning.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html

• ISE Guest Self-Provisioning Portal

  Hi,
  I  get the Guest portal page and my credentails authenticate correctly and  the device is authenticated using MAB. Then I redirect to Self-Provisioning portal and get this message
  This device has not been registered
  You need to manually configure your device
  Your device configuration is not supported by the setup wizard
  Device ID < MAC of my windows XP PC
  Any idea how to enable self registration for gests?
  My goal is when guest is authenticated in first time it need to enter credentials and to registered MAC address,then when guest come again it need to pass only authentication, without registration MAC address.
  Thanks

  Tarik, where is the mistake in my steps?
  1) I create Authorization Profile for Guest devices registration (see attach AuthProfile)
  2) I create Authorization Profile for Web Registration
  3) I create Authorization Policy (see attach AuthPolicy)
  When user connects to the network, he is redirected to Guest Portal where he needs to aply AUP, after clicking "Accept" error appears (see attach ISE_Error). In ISE I see the folowing errors (see attach ISE_Auth_Error).

• Cluster utilization and self-provisioning

  I am moving to a cloud infrastructure with VCAC for self-provisioning. How does this impact my target utilization for my HA cluster?  Previously I was targeting running each cluster at 80% utilization of RAM and CPU on each host for average peak utilization.  now I am going to allow vms to be self-provisioned.  I won't control the provisioning process anymore but various clients and tenants can provision VMs at will without my notice.  As a result, I have to be able to have capacity available more quickly to add VMs, and not suddenly run out of cluster capacity.  I want to minimize waste by running my clusters to capacity, but I also need to maximize elasticity.  What are some guidelines on how to do this?  Anyone have experiences to share -
  1. what did you pick as a target utilization figure and why ?
  2. how did you capacity plan / forecast for cluster capacity?
  3. did you use admission control?

  Sounds like a cool project. Keep in mind that from an infrastructure standpoint HA and admission control are still trying to solve the same problem, recover VMs from a host or OS failure as quickly as possible.
  As an example, if your new cluster has 20 hosts and you want to be able to have a host in maintenance mode and still suffer a host failure and you've decided to use % based admission control policy (this is the default recommendation, I would recommend you evaluate your environment and determine if it is the right option for you), you'll want to set the % at 10%. This will ensure that your cluster has sufficient resources to restart all running VMs. Keep in mind that unless VMs have reservations, HA just reserves capacity to start the VM, there is no guarantee of performance.
  As far as your target utilization, that depends on the SLAs you are providing and your tolerance for risk.
  At the last customer I worked for the answers were:
  1. We reserved capacity in a cluster such that we could have a host in maintenance mode and still lose a host and have no VMs experience performance degradation
  2. vCOps
  3. Yes

• Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

  Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
  -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
  -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
  -No certificates are used.
  -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
  -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
  -For now I'm testing it on wired endpoints.
  Is there a way to configure ISE to fulfill the listed above requirements?
  Any ideas would be appreciated.
  Thanks,
  Val Rodionov

  Everyone who finds reads this article,
  I'm answering my own quesiton "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
  The answer is Yes.
  After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
  ISE configuration:
  Posture General Settings - Default Posture Status = NonCompliant
  Client Provisioning Policy - no rules defined
  Posture Policy - configured per requirements
  Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
  Authorization Policies configured as regular posture policies
  The result:
  After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
  If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
  The only part that is not perfect it the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open TAC case, so this file can be manually found and edited from CLI (root access).
  Best,
  Val Rodionov

• CUCM 10 Self Provisioning Problem with TAGs on Universal Device Template

  Hi friends.
  I've been provisioning IP Phone by Self Povisioning. The phones were provisioned almost perfectly. I notice the TAGs that i filed up on Device Template (look above), are not "translated" on Device Phone.
  Universal Device Template
  The Tags on Universal Line Template comes  perfectly to Line Description.
  Had you ever seen something like this?
  Kind Regards
  Fernando Penteado

  Hi folks. I could identify the problem with Variable and TAG. In order to Self Provisioning works fine, we need to mark Owner User on Universal Device Template.
  Look that.
  Thanks

• Java not recognized by Cisco Self-Provisioning Portal on Apple computers

  Have a Mac Mini running that had this problem under OSX 10.8 and is persisting in 10.9.  When this computers reaches the self-provisioning portal, after clicking submit on the MAC address registration, the following screen displays an erroneous error that Java isn't installed.
  Have gone through updating Java from Apple (2013-005) as well as from Oracle/Java (1.7), and applied several variations of uninstalling and reinstalling Java, doesn't seem to make a difference.  From the top, the Mac Mini attaches to Wifi and the self-provisioning page appears with an authentication request.  User authenticates succesfully.  The next page displays the MAC address for the machine and a description field.  Upon filling out the description, the page is submitted.  The following page tha should complete the provisioning process, rather, displays an error that Java isn't installed and the user should go to java.com to complete the installation.  According to the Java.com, Java is installed. According to terminal (by executing the command "java -version"), Java is installed. Running other Java applications, like JDE, run perfectly well.  The self-provisioning page seems to be unaware of Java despite everything else.  Ideas?

  Thanks. No dice. The instructions on that page also appear to be woefully out of date too. In Safari, on the preferences security tab, there is no checkbox for "Enable Java" (I think that is a Safari 6.0.4 thing on OS X 10.8 or thereabouts). In OS X 10.9 there's just the "allow plugins" checkbox and the "manage website settings" button. Assuming this is where it's at now, moving to the Java plugin in the list, they were already "allow". I went a step further and set it for the three websites listed (that include the provisioning portal domain) to "allow always". No luck. Then went to another step further and click "run in unsafe mode" for every item in the Java website list and again it made no difference. The self provisioning portal page still says that Java isn't installed :-(
  For Firefox, the instructions on that page are out of date too. Under what I believe are the correct settings, the Java applet plug-in for 7.45 is set to "always activate". I assume this is the same thing as seeing the "disable" button in previous FF versions, indicating that the job applet plug-in is actively running.
  The chrome instructions on the page are irrelevant because my OS X and hardware are 64-bit and so is Java but not chrome. Therefore Java doesn't run on chrome on this machine in the first place.
  I don't know who's browser the self provisioning portal fires up since it fires up its own window, not a Firefox or Safari specific one. In windows for example the self-provisioning portal fires up a tab in IE. That actually makes it simpler to debug IMO.
  Any more advice? Java seems to be running just fine for every thing else. What am I missing?
  UPDATE (Just another thought)
  Alternatively, could it be a the with WebKit? Or Cisco's implementation of WebKit (as far as whether any changes would have been required for OS X 10.9 in the way with kids is instantiated)? If or example the self provisioning portal is opening up its own "browser" by using the Safari webkit function (as opposed to opening a tab directly in Safari itself) could this be a bug in Safari itself, or a changed API that Cisco has failed to implement (considering the other incompatibilities various Cisco products have with OS X 10.9)? I just hope that the problem is something that I can fix with a workaround rather than waiting for a patch from either Apple or Cisco that may or may not come anytime soon? :-/

• EX90 and Self-Provisioning IVR

  I am building a demo and I want users to be able to connect a EX90/60 to it, let auto-register with CUCM, and then use the self-provisioning IVR to setup the device.  I have the Self-Provisioning setup and working with all the phones like 9971/DX650/etc.  When I dial the route point number for the self-provisioning IVR on the EX90 it answers and when I try to put in my self-service user ID to provision the EX, the IVR doesn’t recognize any dtmf tones.    I’ve looked and I’ve looked and can’t find out why the keys aren’t being recognized on the EX90.  I’ve self provisioned this same EX90 device in another demo and it works just fine.  Can anyone clue me in on what this could be?  Thanks in advance!

  Thanks I'll keep an eye out for the new release. I looked up the bug but I saw it was for a C series and not an EX.  Don't know if that makes a difference.  I also tried to do the xcommand and I was able to hear the digits being sent but it had the same results as if i pressed the keys myself on the codec.  I tried other services like calling voicemail and it was able to detect the DTMF being sent to it right away. Just not to the Self-provisioning IVR. 
  Thanks
  Jason

• Certificates - server self provisioning

  I have an OES 11 server that is the certificate authority for my tree.
  Server self-provisioning is enabled. My ZCM 11 server just reported
  that the certificate is due to expire in less than 90 days. Just
  trying to be pro-active. I assume that self-provisioning will
  recreate the certificate soon, but the only thing I have found is
  this:
  https://www.netiq.com/documentation/...u.html#b9zmjmu
  which makes it look like I need to actually reboot the server or they
  will never get re-created. So what needs to happen?
  Ken

  Hello,
  you could trigger the pki health check by unloading and reloading the pkiserver module in edirectory.
  If self provisioning is enabled, this will create new server certificates if expired.
  (but I don't know how many days before)
  And this checks and exports the CA and server certificates from edirectory to files on the server.
  I've done this a few times to renew certificates online without restarting the server or edirectory.
  But I'm not sure how this affects ZCM!!
  ndstrace -c "unload pkiserver"
  -> check /var/opt/novell/eDirectory/log/ndsd.log
  ndstrace -c "load pkiserver"
  -> check /var/opt/novell/eDirectory/log/ndsd.log
  and /var/opt/novell/eDirectory/log/PKIHealth.log
  Information about creating or exporting certificates will be in PKIHealth.log
  Then you need to reload some services:
  LDAP:
  ndstrace -c "unload nldap"
  ndstrace -c "load nldap"
  -> check /var/opt/novell/eDirectory/log/ndsd.log if ldap loads again.
  For me in some few situations ldap does not load again, so edir must be restarted anyhow
  LUM:
  namconfig -k
  rcnamcd restart
  Other:
  rcapache2 restart
  rcnovell-httpstkd restart
  rcnovell-tomcat6 restart
  rcsfcb restart
  If other oes server using this server as ldap-server you have to do the
  namconfig -k
  rcnamcd restart
  on these servers too.
  regards
  Matthias
  Originally Posted by ab
  On 03/27/2014 03:11 PM, KeN Etter wrote:
  > On Thu, 27 Mar 2014 19:12:03 GMT, ab <[email protected]>
  > wrote:
  >
  > Thanks for the explanation!
  >
  >> An eDirectory restart is required, I believe. You may also be able to run
  >> 'ndsconfig upgrade' and have it do it, or else you can always use the
  >> iManager tools to recreate them. I'm 99% sure, though, that without at
  >> least some kind of interaction the certs will not be recreated.
  >
  > The docs state that the certs will be recreated if they are "about to
  > expire". So if I restart eDirectory or the server, how close to the
  > expiration date do I need to be for them to be automatically
  > recreated? Or should I just manually recreate them? (But then server
  > self-provisioning seems a bit useless.)
  I believe ninety days is the threshold. If not, definitely thirty. The
  self-provisioning, in that case, makes sense if you regularly restart eDir
  (monthly, for example, to grab a backup, or apply other patches for eDir
  or the OS, etc.). It may also make sense as I believe it causes the cert
  to be auto-exported to the filesystem so that other applications can
  easily see them and trust them. Maybe this is a different but related
  feature, but as I have not looked closely at the docs don't quote me on
  it. Either way I agree... it could be more-useful to have something
  actually happen in environments with non-microsoft uptimes.
  Good luck.
  If you find this post helpful and are logged into the web interface,
  show your appreciation and click on the star below...

• ISE Mac OS X - Self-Provisioning FAILED

  Good morning everyone, I have 5 devices which are tested self-registered.
  - iPad
  - iPhone
  - Window 7(wire, wireless)
  - Window 8.1(wire, wireless)
  - MacBook OS X
  The four devices work except MacBook OS X, i have tried many way to solve it but still doesn't work such as
  - change version of native supplicant
  - change browsers(firefox, safari) which are used to run java and many other ways.
  Could anyone tell me what i should solve this

  The fact that this is working for other devices but only fails for your MAC books is going to be tough to figure out. 
  Can you:
  1. Check what the device is being profiled with when the error happens
  2. Check the SCEP server and look for any errors
  3. Provide screen shots of:
  - From the detailed windows of the live authentication event
  - Your client provisioning policies
  - Your Authorization rules
  - The certificate template (all settings) used for the BYOD flow
  4. Also, what version of code are you running and what is the model of your WLC

• ISE 1.1.1.268 - Red X after attempting to log in to guest portal for self-provisioning flow

  Hi All,
  We get a lone red X on certain andrid devices after they click login on the guest portal.  No message or anything.  Anyone seen this before?  I've been able to get around this in the past by just closing the browser completely and turning off wireless and starting over, but it sounds like this user has tried these things and it keeps happening.  It would be good to at least know what the error is.  Image below.
  Thanks,
  Wil

  After biting the bullet and ordering more RAM, my computer now is working a ton better. So that must have been the main issue. With 8 GB RAM, I can now even run Parallels fluidly (better than my work PC!) where before simple things like logging in to my MBP after reboot could take forever.
  The place I went to had several other people getting RAM upgrades at the same time as me, so between this and other comments I've seen in discussions here and elsewhere on the Internets, I take it to mean that either Apple should bump up the base RAM on its new machines, and/or stop charging so much for additional RAM.
  I refused to believe a Pro machine bought with Lion installed would come with too little RAM for light to medium usage, but it was apparently the case. I'll mark this as a correct answer and hope some other poor soul will come across this thread and be helped by it.

• ISE problem with EAP-TLS Supplicant Provisioning

  Hi All,
  I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software.  The aim of the demo is to provision a device's supplicant with an EAP-TLS Certificate...  'device on-boarding'
  The entire CWA / Device Registration process is all fine and works well.  I'm using a publically signed Cert on ISE that is built from [Root CA + Intermediate CA + Host Cert] which is used for both HTTPS and EAP and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory.  All of this works fine.
  The problem is that when ISE pushes the WLAN config down to the device, it instructs the Client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA.  This leads to a problem where the Client doesn't trust the Certificate presented to it from ISE.  There doesn't seem to be any way to configure this behaviour within ISE.
  Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
  Cheers,
  Richard
  PS - Also using WinSPWizard 1.0.0.28

  Hi Richard,
  This is a misbehavior that ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon. Engineering is almost ready with the fix.
  Istvan Segyik
  Systems Engineer
  Global Virtual Engineering
  WW Partner Organization
  Cisco Systems, Inc
  Email: [email protected]
  Work: +36 1 2254604
  Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

• ISE and WLC for CWA (Central Web Auth)

  Hello All,
  As we know that WLC (i.e. 5508) does not support MAB (MAC Auth Bypass) and it supports CWA in 7.2.x.
  CWA is a result of successfull MAB. So how CWA work for wireless? So it means WLC support MAB?

  I've been playing around with this and have it working on 7.3.101 on the WLC 5508, however, I don't seem to be receiving the web redirect correctly.  When I look under the client connections on the WLC I see that the URL is received on the WLC from ISE, but it appears to be truncated, unless that's just a limitation of the display.  I see hits on the ACL-WEBAUTH-REDIRECT ACL on the controller, but it doesn't seem to be redirecting.  I have this similar configuration on the wired side of the house and it works fine.  ISE just shows pending webauth, as it should.
  Security Policy Completed      No
  Policy Type        N/A
  Encryption Cipher       None
  EAP Type        N/A
  SNMP NAC State       Access
  Radius NAC State       CENTRAL_WEB_AUTH
  CTS Security Group Tag      Not Applicable
  AAA Override ACL Name      ACL-WEBAUTH-REDIRECT
  AAA Override ACL Applied Status     Yes
  AAA Override Flex ACL      none
  AAA Override Flex ACL Applied Status     Unavailable
  Redirect URL       
  https://.com:8443/guestportal/gateway
  IPV4 ACL Name     none
  IPv4 ACL Applied Status      Unavailable
  IPv6 ACL Name       none
  IPv6 ACL Applied Status     Unavailable