ISE, BYOD iPhone issue!! Client provisioning

Guys, when I send down a profile using the native supplicant for iPhone, the iPhone gets it but it does not automatically select TLS on the SSID.
Here is what happens:
iPhone connects to BYOD-SSID
credentials entered
client provisioning process
** if Auto-Login is selected there is a problem with self registration!!!!!!!!
bunch of security errors, profile is downloaded
iPhone reconnects to BYOD-SSID with the credentials initially entered (therefore MSCHAPv2), not TLS
in the client provisioning cycle.
NOW!!!!
Go back to BYOD-SSID and "forget the network", reconnect again, manually select TLS using the profile previously downloaded, and everything works!!!!
Too many freaking steps for BYOD!!!! I can't have my client tell his employees to do that.
Any ideas.....

Marcin,
I have not had the problems you are discussing. What version of code are you running, and I assume you are using the single-SSID method? In my experience I have seen the new profile overwrite the old PEAP profile, and after the CoA hits, the client then uses EAP-TLS to connect.
Can you provide screenshots of the experience you are having?
Thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • Cisco ISE posture assessment and client provisioning

    Hello,
    I have Cisco ISE and a Cisco IOS device. I have configured RADIUS between these devices.
    Also I have configured RADIUS between Cisco ISE and Cisco ASA. Now I want to know how to do posture assessment for these devices (Cisco ISE and Cisco ASA, or Cisco ISE and Cisco IOS). Please give me the whole steps to do posture assessment for a Cisco IOS device in Cisco ISE.
    Also, please provide me logs related to posture assessment and client provisioning.
    Thanks in advance.

    You may go through the link listed below to download a PDF on
    posture assessment with ISE.
    http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • BYOD , ISE MAC OS X Client Provision

    I have selected the profile for Mac OS X, and Cisco Network Assistant never runs!!!
    Any idea!!! I am not a Mac user..

    Hi,
    If you are getting redirected to the supplicant provisioning portal, you will need to make sure that Java is installed and running in the browser, since the Java applet is what opens the supplicant provisioning portal.
    Give that a shot and see if your luck changes; also give the session around 30 seconds to start and you should see it come up. (I would recommend Mozilla, since the plugin option will show up right next to the browser bar.)
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE (1.3) Posture without Client Provisioning

    Hello readers,
    Is it possible to set up Cisco ISE with posture without Client Provisioning?
    My customer deploys the NAC Agent via MS SCCM. We prefer an access accept + DACL during the pending state instead of redirecting to client provisioning. But the NAC Agent will only communicate when we redirect to client provisioning.
    Regards,
    Dennis

  • ISE, BYOD: win clients reject ISE local-certificate

    Hello!
    We are deploying BYOD with Cisco ISE 1.1.2 and a WLC (5508) using 802.1X authentication.
    Windows clients cannot connect to the 802.1X SSID, with the following error on ISE:
         Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    The client doesn't have a preconfigured Wi-Fi profile or root certificate installed.
    The concept of BYOD supposes that you can connect your device without any installed certificates and preconfigured Wi-Fi profiles.
    The problem is that the Windows 7 supplicant does not show the TLS alert in a pop-up window when connecting to the 802.1X SSID.
    If this alert is seen, then you can accept it and proceed with the connection. After that you will be asked to install the root cert, get your own cert, etc.
    So, the question is: how to make the Windows supplicant show the pop-up window with the TLS alert?
    p.s. the attached file shows an example of the pop-up TLS-alert window

    Are there any recommendations from Cisco about the issue with Windows?
    I believe there's a new version of the smart solution design guide coming up.
    The current one does not mention anything to do with certs in the "User Experience" chapter.
    You can check one of the possible approaches in Nico's document:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    (It can be easily extended.)
    I think with regard to PEAP we will always say that the cert or the root/sub CA cert should already be trusted on the device when performing enrollment.
    Will try to dig in; can't say I promise to get something concrete though.

  • ISE 1.2 device registration with MAB only, no client provisioning

    Hello,
    Is it possible for AD users (not guest users) to walk through the Device Registration Self Registration without Client Provisioning?
    I do not want to push certificates or native supplicant profiles to client devices.
    I would just want AD users to register their MAC address, if the MAC is not known, and add the MAC to some sort of group.
    Then if the MAC is known (in this group), skip registration and allow full access to the VLAN.
    Right now, I am stuck on the registration portal that says "The system administrator has either not configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
    Am I really obliged to use native supplicant provisioning to register my device?
    GN

    Hi,
    Device Registration WebAuth is a process where you can register a user without client provisioning.
    In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user's MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
    1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the guest user attempts to go to any URL.
    2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user's acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
    3. If the guest's endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint's identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
    4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
    5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
    6. After the CoA, the NAD/WLC reauthenticates the user's connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.
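The six-step flow above, modelled as a small in-memory simulation so the state changes are visible. This is an added illustration, not Cisco ISE code; the attribute name `AUPAccepted` and the group name `RegisteredDevices` are assumed stand-ins for whatever the portal configuration selects.

```python
"""Model of the ISE Device Registration WebAuth flow (illustration only)."""
from dataclasses import dataclass, field

AUP_ACCEPTED = "AUPAccepted"            # assumed attribute name
REGISTERED_GROUP = "RegisteredDevices"  # assumed endpoint identity group


@dataclass
class Endpoint:
    mac: str
    group: str = "Unknown"
    attributes: dict = field(default_factory=dict)


class EndpointStore:
    """Stand-in for the endpoint identity store, keyed by MAC address."""
    def __init__(self):
        self._endpoints = {}

    def get(self, mac):
        return self._endpoints.get(mac.upper())

    def add(self, endpoint):
        self._endpoints[endpoint.mac.upper()] = endpoint


def authorize_mab(mac, store):
    """Decision for a MAB request (steps 1 and 6)."""
    ep = store.get(mac)
    if ep is None or not ep.attributes.get(AUP_ACCEPTED, False):
        # Unknown endpoint, or AUP not yet accepted: URL-redirect profile
        return {"result": "redirect", "portal": "aup"}
    # Known and accepted: return the access configured for its group
    return {"result": "access", "group": ep.group}


def process_aup(mac, accepted, store, coa):
    """Portal outcome (steps 2-5): register or update, then send CoA."""
    if not accepted:
        return "error"               # step 4: user declined the AUP
    ep = store.get(mac)
    if ep is None:
        ep = Endpoint(mac=mac)       # step 2: brand-new endpoint
        store.add(ep)
    ep.attributes[AUP_ACCEPTED] = True
    ep.group = REGISTERED_GROUP      # step 3: group from the portal config
    coa(mac)                         # step 5: CoA terminate to the NAD/WLC
    return "success"


def registration_flow(mac, accepts_aup=True):
    """Run the whole flow; returns the page shown and every MAB decision."""
    store = EndpointStore()
    decisions = [authorize_mab(mac, store)]     # initial MAB request

    def coa(m):
        # step 6: the NAD/WLC re-authenticates with a fresh MAB request
        decisions.append(authorize_mab(m, store))

    page = process_aup(mac, accepts_aup, store, coa)
    return page, decisions
```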

  • ISE 1.0 Posture and Client provisioning

    I've configured 802.1X with dynamic VLAN for users and MAB for phones; it works fine. Now I want to implement client provisioning and posture validation for users. After reading the ISE user guide there are still several big questions:
    1. Is it possible to combine 802.1X and posture? (It was not recommended with NAC.)
    2. How can I bind the existing 802.1X authorization profile and posture policy?
    3. What is the switch configuration for client provisioning to work (redirect, quarantine zone, download NAC agent)?
    4. Do ISE posture and client provisioning have an L2 virtual gateway, trusted and untrusted ports, as in NAC?

    With ISE you can perform 802.1X first and after that optionally perform posture. This is done with RADIUS, which is why it is really and completely out of band, and there is no such concept of trusted or untrusted ports because the traffic is never inline.
    Still, with ISE you have another option of "inline posture", in which there are trusted and untrusted ports. I guess that's for some specific cases in which you can't go out-of-band.
    On the other hand, the so-called "out-of-band" NAC was really always an inline solution; only after the user has authenticated and security policies have been verified does the user go "out-of-band".

  • Client provisioning not working on ISE after 1.2 Migration

    Working on an initial piloted rollout of ISE with a customer. We initially had a single server set up as a pilot using 1.1.1.4 to pilot things like client supplicant provisioning, and then stood up a new VM as a secondary and upgraded that to 1.2. Today we tested client provisioning that worked fine before, and it is failing for iOS (we haven't gotten to the other OSes yet). What occurs is the user authenticates using PEAP and the client gets the request to install the root certificate. After the client accepts the root certificate, the connection drops. When you click the SSID to start the process again we see the redirect to the My Devices portal, but before you can click to register, the client is redirected to accept the root certificate again, creating an endless loop. Has anyone else run into this bug?

    Please update the patch using the details below and try it.
    To upload offline client provisioning resources, complete the following steps:
    Step 1 Go to the Download Software web page at http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm. You may need to provide login credentials.
    Step 2 Navigate to Products > Security > Access Control and Policy > Cisco Identity Services Engine > Cisco Identity Services Engine Software.
    Choose from the following Off-Line Installation Packages available for download:
    • win_spw--isebundle.zip — Off-Line SPW Installation Package for Windows
    • mac-spw-.zip — Off-Line SPW Installation Package for Mac OS X
    • compliancemodule--isebundle.zip — Off-Line Compliance Module Installation Package
    • macagent--isebundle.zip — Off-Line Mac Agent Installation Package
    • nacagent--isebundle.zip — Off-Line NAC Agent Installation Package
    • webagent--isebundle.zip — Off-Line Web Agent Installation Package
    Step 3 Click Download or Add to Cart.

  • ISE 1.2 Client Provisioning Page Customization

    Hi All,
    Is it possible to customize the Client Provisioning Page? We are using ISE version 1.2.
    I could see from the switch port authentication session that it is being redirected to the guest portal with a session ID.
    However, on the host machine itself it gets redirected to a different URL.
    Regards
    Sameer

    Please have a look at the Configuring Client Provisioning guide:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_client_prov.html#wp1347894

  • Cisco ISE 802.1X Client Provisioning

    Hi,
    I have a requirement for ISE client provisioning for both Windows and Mac. I have the following setup:
    1. 2 SSIDs, Guest and Employee
    2. Guest is open access
    3. Employee is 802.1X EAP-PEAP (username/password)
    I was wondering if client local administrator privilege is required for 802.1X provisioning for Windows clients? I believe it is required for Mac OS; however, I am not too sure if it may be required for Windows.
    Example: Employee A connects to the Guest SSID and is redirected to the guest web portal. Upon login, they will be presented with the device registration portal. When ISE presents the supplicant wizard, will they be asked for local administrator/domain admin privilege to install the supplicant wizard package/provisioning agent successfully?
    Any suggestion is appreciated.
    Thanks.

    Hi,
    Appreciate the feedback.
    Thanks

  • Client provisioning issue

    Hi, I configured client provisioning for guests, and it does not work.
    I checked client provisioning and device registration on the default guest portal, and configured client provisioning like this:
    OS: Windows All, and NAS port type equals Wireless 802.11
    But when I create a guest user ID and log in, there is no client provisioning going on; it just shows the success page.
    Do you know why it is not working properly?

    Please review the below links which might be helpful:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_client_prov.pdf

  • ISE BYOD with Android device

    Hi,
    I deployed ISE for BYOD and it's working fine for Windows and Apple devices. The issue is with Android. Sometimes I can register the devices in the My Devices portal and ISE will redirect me to download the network assistant tool, and sometimes it refuses to register the devices and shows this error for some devices: "unsupported operating system type encountered", and this error for the others: "We are unable to determine access privileges in order to access the network. Please contact your administrator".
    Does anyone know how to solve this issue?
    Thanks in advance.

    Ok, so the obvious things for the first part of the problem are:
    Is the Android client using a supported OS? Check here:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp80321
    Are you using the latest Supplicant Provisioning plugins in ISE? And are you using the latest version of ISE?
    Do the failing clients have anything in common? Same hardware, OS version, etc.?
    The second issue, where you get "We are unable to determine access privileges in order to access the network. Please contact your administrator", is typically caused by one of three things. Either your client has been idle for too long and the session has timed out, ISE hasn't been able to profile your device yet (and so doesn't know how to provision it), or you haven't configured ISE with an Android Supplicant Provisioning config.
    Finally, I've had that last problem before, albeit on a different handset; I had missed some ports/protocols/hosts on my ACL.

  • ISE Mac OS X - Self-Provisioning FAILED

    Good morning everyone, I have 5 devices on which I have tested self-registration:
    - iPad
    - iPhone
    - Windows 7 (wired, wireless)
    - Windows 8.1 (wired, wireless)
    - MacBook OS X
    The four devices work, except the MacBook OS X. I have tried many ways to solve it but it still doesn't work, such as
    - changing the version of the native supplicant
    - changing browsers (Firefox, Safari) used to run Java, and many other ways.
    Could anyone tell me how I should solve this?

    The fact that this is working for other devices but only fails for your MacBooks is going to be tough to figure out.
    Can you:
    1. Check what the device is being profiled as when the error happens
    2. Check the SCEP server and look for any errors
    3. Provide screenshots of:
    - The detailed window of the live authentication event
    - Your client provisioning policies
    - Your authorization rules
    - The certificate template (all settings) used for the BYOD flow
    4. Also, what version of code are you running and what is the model of your WLC?

  • I am implementing ISE BYOD.

    I am implementing ISE BYOD. I get "browser not supported" on a few of my client endpoints. Please assist on how to troubleshoot.

    What ISE version and patch level are you using? Is this issue particular to an endpoint type/OS?
    Client Machine Operating Systems and Agent Support in Cisco ISE
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html#34998

  • iPhone Jabber client not showing internal extensions, just the Alerting Name

    I have a customer calling from a 7965 to his desk phone (7965), which shows both Alerting Name and Extension; he also has an iPhone/Jabber client on Wi-Fi (no cellular involved). The iPhone client shows the Alerting Name from the 7965 but doesn't show the 4-digit internal extension. Is this a known issue?

    Dear Miro,
    The issue has nothing to do with the server; it's the client, a Lync 2013 issue with caching data and the way it reads it back from the cache.
    Workaround:
    Just create a new client policy using the command New-CsClientPolicy with AddressBookAvailability set to "WebSearchOnly".
    "New-CsClientPolicy -Identity TestCsPolicy -AddressBookAvailability WebSearchOnly"
    Assign the policy to your test client, and delete the cache folder at the client end.
    "Grant-CsClientPolicy -Identity MIRO -PolicyName TestCsPolicy"
    "You can delete sign-in information by signing out and clicking on "delete sign-in info", then sign in again."
    Test again; it should work.
    If it didn't, open the contact card and check if the client is getting the data correctly.
    Yet I didn't find another fix to the issue; with the Lync 2010 client everything works just fine without any changes.
    Regards,
    Nader Barakat
