https://community.cisco.com/t5/network-access-control/weird-error-in-profile-download-during-onbording/m-p/3518619#M505056 <HTML><HEAD></HEAD><BODY><P>Hello, </P><P>I am configuring BYOD flow in my lab with the following details:</P><P></P><P>1) Wired scenario (the flow and everything was working well with previous version of ISE, so I assume the switch configuration is ok.</P><P>2) I have upgraded to ISE 2.4 and rebuilding the configuration there</P><P>3) My ISE is dual homed. Admin access on eth0, and RADIUS on eth1.</P><P>4) User is logging on guest portal with AD account and from there redirected to onboarding</P><P>5) I have enabled all the portals only on eth1</P><P>6) When I go through the flow I get to run the NSA portal fine, but then I have a message that I fail downloading the profile, and it seems that the problem is in setting up the https connection from the message I have on the client log file</P><P></P><P><IMG alt="debug.jpg" class="image-1 jive-image" height="84" src="https://community.cisco.com/legacyfs/online/fusion/117028_debug.jpg" style="height: 84.862px; width: 818px;" width="817" /></P><P></P><P>I tried with IP address and FWDN in the redirection, and both have issues.</P><P>I have imported the root CA signing the ISE cert in the client trust store</P><P>The time client to ISE is in sync.</P><P>The PSN Certificates contains the FQDN and and IP address i the SAN.</P><P></P><P>Any idea on how to proceed?</P><P></P><P>Thanks</P></BODY></HTML> Fri, 11 May 2018 14:52:45 GMT martucci 2018-05-11T14:52:45Z https://community.cisco.com/t5/network-access-control/weird-error-in-profile-download-during-onbording/m-p/3518619#M505056 <HTML><HEAD></HEAD><BODY><P>Hello, </P><P>I am configuring BYOD flow in my lab with the following details:</P><P></P><P>1) Wired scenario (the flow and everything was working well with previous version of ISE, so I assume the switch configuration is ok.</P><P>2) I have upgraded to ISE 2.4 and rebuilding the configuration there</P><P>3) My ISE is dual homed. Admin access on eth0, and RADIUS on eth1.</P><P>4) User is logging on guest portal with AD account and from there redirected to onboarding</P><P>5) I have enabled all the portals only on eth1</P><P>6) When I go through the flow I get to run the NSA portal fine, but then I have a message that I fail downloading the profile, and it seems that the problem is in setting up the https connection from the message I have on the client log file</P><P></P><P><IMG alt="debug.jpg" class="image-1 jive-image" height="84" src="https://community.cisco.com/legacyfs/online/fusion/117028_debug.jpg" style="height: 84.862px; width: 818px;" width="817" /></P><P></P><P>I tried with IP address and FWDN in the redirection, and both have issues.</P><P>I have imported the root CA signing the ISE cert in the client trust store</P><P>The time client to ISE is in sync.</P><P>The PSN Certificates contains the FQDN and and IP address i the SAN.</P><P></P><P>Any idea on how to proceed?</P><P></P><P>Thanks</P></BODY></HTML> Fri, 11 May 2018 14:52:45 GMT https://community.cisco.com/t5/network-access-control/weird-error-in-profile-download-during-onbording/m-p/3518619#M505056 martucci 2018-05-11T14:52:45Z https://community.cisco.com/t5/network-access-control/weird-error-in-profile-download-during-onbording/m-p/3518620#M505058 <HTML><HEAD></HEAD><BODY><P>I can think of two things you might try to get more info:</P><OL><LI>WireShark packet captures to ensure the TLS exchanges happening correctly.</LI><LI>DEBUG on ISE PSN and check the log files on the PSN.</LI></OL></BODY></HTML> Fri, 11 May 2018 16:21:27 GMT https://community.cisco.com/t5/network-access-control/weird-error-in-profile-download-during-onbording/m-p/3518620#M505058 hslai 2018-05-11T16:21:27Z https://community.cisco.com/t5/network-access-control/weird-error-in-profile-download-during-onbording/m-p/3518621#M505060 <HTML><HEAD></HEAD><BODY><P>Please try restarting ISE services and trying it again. If it works, then it seems hitting CSCvj42833.</P></BODY></HTML> Mon, 14 May 2018 02:26:39 GMT https://community.cisco.com/t5/network-access-control/weird-error-in-profile-download-during-onbording/m-p/3518621#M505060 hslai 2018-05-14T02:26:39Z https://community.cisco.com/t5/network-access-control/weird-error-in-profile-download-during-onbording/m-p/3518622#M505062 <HTML><HEAD></HEAD><BODY><P>Hi Hslai, </P><P>thanks a lot.</P><P>At the end I found out that the problem was that my IE was configured to nly work with TLS 1.0 and not 1.1 or 1.2. Once I enabled them the profile was downloaded fine.</P><P>Thanks</P></BODY></HTML> Mon, 14 May 2018 09:34:48 GMT https://community.cisco.com/t5/network-access-control/weird-error-in-profile-download-during-onbording/m-p/3518622#M505062 martucci 2018-05-14T09:34:48Z