ISE - unable to onboard Lenovo laptops

B A — Fri, 23 Aug 2024 11:03:29 GMT

Hello everyone, I would like to ask for your help with a strange issue.

We currently have several BYOD devices that are not in the domain and we need to onboard them. These are all Lenovo laptops. They will connect to the network via username and password and successfully download the Network Setup Assistant via the BYOD portal as expected. When I run Network Setup Assistant, I see that the profile is being downloaded but in a few seconds it stops and says . "Failed to discover ISE. Reconnect to the network and try again".

I don't know how to troubleshoot this at all. When I do the same thing on a Dell laptop, it means I start the Network Setup Assistant, the process goes successfully to the end. We updated Windows OS, drivers, and also checked certificates but we cannot figure out where the problem is. The latest Windows 11 is installed. But this happens only with Lenovo with Windows 11. Dell with Windows 11 and Lenovo with Windows 10 work perfectly.

The content of spwProgileLog is here:

[Fri Aug 23 12:51:48 2024] Logging started
[Fri Aug 23 12:51:48 2024] SPW Version: 3.0.0.3
[Fri Aug 23 12:51:48 2024] System locale is [en]
[Fri Aug 23 12:51:48 2024] Loading messages for english...
[Fri Aug 23 12:51:48 2024] Initializing profile
[Fri Aug 23 12:51:49 2024] Found 2 interfaces
[Fri Aug 23 12:51:49 2024] Found 0 interfaces
[Fri Aug 23 12:51:49 2024] SPW is running as High integrity Process - 12288
[Fri Aug 23 12:51:49 2024] GetProfilePath: searched path = C:\Users\Admin\AppData\Local\Temp\ for file name = spwProfile.xml result: 0
[Fri Aug 23 12:51:49 2024] GetProfilePath: searched path = C:\Users\Admin\AppData\Local\Temp\Low for file name = spwProfile.xml result: 0
[Fri Aug 23 12:51:51 2024] Profile xml not found Downloading profile configuration...
[Fri Aug 23 12:51:51 2024] Downloading profile configuration...
[Fri Aug 23 12:51:51 2024] Discovering ISE using default gateway
[Fri Aug 23 12:51:52 2024] Identifying wired and wireless network interfaces, total active interfaces: 0
[Fri Aug 23 12:51:52 2024] DiscoverISE - start
[Fri Aug 23 12:51:52 2024] DiscoverISE input parameter : strUrl [http://enroll.cisco.com/auth/discovery/]
[Fri Aug 23 12:51:52 2024] [HTTPConnection] CrackUrl: host = enroll.cisco.com, path = /auth/discovery/, user = , port = 80, scheme = 3, flags = 0
[Fri Aug 23 12:51:52 2024] [HTTPConnection] HttpSendRequest: header = Accept: */*
headerLength = 12 data = dataLength = 0
[Fri Aug 23 12:51:52 2024] HTTP Response header: [HTTP/1.1 200 OK
Location: https://ISEserver.ourdomain.local:8443/portal/gateway?sessionId=c0a867450023f31666c86713&portal=ad69d838-621f-494d-ba60-47febae4dbdf&action=nsp&token=6b41892bc450f9cca02c510754db37ad&redirect=enroll.cisco.com/auth/discovery/
Content-Type: text/html
Content-Length: 476

] HTTP Content: [<HTML><HEAD><TITLE> Web Authentication Redirect</TITLE><META http-equiv="Cache-control" content="no-cache"><META http-equiv="Pragma" content="no-cache"><META http-equiv="Expires" content="-1"><META http-equiv="refresh" content="1; URL=https://ISEserver.ourdomain.local:8443/portal/gateway?sessionId=c0a867450023f31666c86713&portal=ad69d838-621f-494d-ba60-47febae4dbdf&action=nsp&token=6b41892bc450f9cca02c510754db37ad&redirect=enroll.cisco.com/auth/discovery/"></HEAD></HTML>
]
[Fri Aug 23 12:51:52 2024] getUrlFromResponse - Server response body lower case [<html><head><title> web authentication redirect</title><meta http-equiv="cache-control" content="no-cache"><meta http-equiv="pragma" content="no-cache"><meta http-equiv="expires" content="-1"><meta http-equiv="refresh" content="1; url=https://ISEserver.ourdomain.local:8443/portal/gateway?sessionid=c0a867450023f31666c86713&portal=ad69d838-621f-494d-ba60-47febae4dbdf&action=nsp&token=6b41892bc450f9cca02c510754db37ad&redirect=enroll.cisco.com/auth/discovery/"></head></html>
]
[Fri Aug 23 12:51:52 2024] getUrlFromResponse - returning url extracted from meta tag [https://ISEserver.ourdomain.local:8443/portal/gateway?sessionId=c0a867450023f31666c86713&portal=ad69d838-621f-494d-ba60-47febae4dbdf&action=nsp&token=6b41892bc450f9cca02c510754db37ad]
[Fri Aug 23 12:51:52 2024] Discovered ISE - : [ISEserver.ourdomain.local, sessionId: c0a867450023f31666c86713]
[Fri Aug 23 12:51:52 2024] DiscoverISE - end
[Fri Aug 23 12:51:52 2024] Discovered ISE using cisco url: [http://enroll.cisco.com/auth/discovery/]
[Fri Aug 23 12:51:52 2024] Successfully Discovered ISE: ISEserver.ourdomain.local, session id: c0a867450023f31666c86713, macAddress:
[Fri Aug 23 12:51:52 2024] GetProfile - start
[Fri Aug 23 12:51:52 2024] [HTTPConnection] CrackUrl: host = ISEserver.ourdomain.local, path = /auth/provisioning/evaluate?typeHint=SPWConfig&referrer=Windows&spw_version=3.0.0.3&session=c0a867450023f31666c86713&os=Windows All, user = , port = 8905, scheme = 4, flags = 8388608
[Fri Aug 23 12:51:52 2024] [HTTPConnection] HttpSendRequest: header = Accept: */*
headerLength = 12 data = dataLength = 0
[Fri Aug 23 12:51:53 2024] Warning - [HTTPConnection:RetrySendRequest] InternetOpen() failed with code: [12057], msg: [It was not possible to connect to the revocation server or a definitive response could not be obtained.
]
[Fri Aug 23 12:51:53 2024] [HTTPConnection] All CRL Checks are off
[Fri Aug 23 12:51:53 2024] [HTTPConnection] HttpSendRequest: header = Accept: */*
headerLength = 12 data = dataLength = 0
[Fri Aug 23 12:51:53 2024] Received redirect to location null
[Fri Aug 23 12:51:53 2024] [HTTPConnection] CrackUrl: host = ISEserver.ourdomain.local, path = /auth/provisioning/download/e35e7769-8a5e-4c4a-a454-ac0262f9f0bb/NSA_BYOD_EXT.xml?sessionId=c0a867450023f31666c86713&os=WINDOWS_10_ALL, user = , port = 8443, scheme = 4, flags = 8388608
[Fri Aug 23 12:51:53 2024] [HTTPConnection] HttpSendRequest: header = Accept: */*
headerLength = 12 data = dataLength = 0
[Fri Aug 23 12:51:53 2024] GetProfile - end
[Fri Aug 23 12:51:53 2024] Successfully retrieved profile xml
[Fri Aug 23 12:51:53 2024] using V2 xml version
[Fri Aug 23 12:51:53 2024] parsing wireless connection setting
[Fri Aug 23 12:51:53 2024] Certificate template: [keytype:RSA, keysize:2048, subject:OU=XXX;O=XXX;L=XXX;ST=XXX;C=XXX, SAN:MAC]
[Fri Aug 23 12:51:53 2024] set ChallengePwd
[Fri Aug 23 12:51:53 2024] Starting parsing proxy configuration
[Fri Aug 23 12:51:53 2024] ProxySettings key was not found in the configuration xml
[Fri Aug 23 12:51:53 2024] found redirect URL: https://www.domain.com
[Fri Aug 23 12:51:53 2024] Identifying wired and wireless network interfaces, total active interfaces: 0
[Fri Aug 23 12:51:53 2024] WirelessProfile::StartWLanSvc - Start
[Fri Aug 23 12:51:54 2024] Wlansvc service is in Auto mode ...
[Fri Aug 23 12:51:54 2024] Wlansvc is running in auto mode...
[Fri Aug 23 12:51:54 2024] WirelessProfile::StartWLanSvc - End
[Fri Aug 23 12:51:54 2024] Found [1] wireless interfaces ...
[Fri Aug 23 12:51:54 2024] Wireless interface 1 - Desc: [Qualcomm FastConnect 6900 Wi-Fi 6E Dual Band Simultaneous (DBS) WiFiCx Network Adapter], Guid: [{FBE6ACB5-7B7D-4709-BFD1-7850CE089CA9}]...
[Fri Aug 23 12:51:54 2024] Wireless interface - Mac address: 8C-3B-4A-4E-EC-6A
[Fri Aug 23 12:51:54 2024] Identifying wired and wireless interfaces...
[Fri Aug 23 12:51:54 2024] Wireless interface [{FBE6ACB5-7B7D-4709-BFD1-7850CE089CA9}] will be configured...

Thanks for any help!

Re: ISE - unable to onboard Lenovo laptops

Mark Elsen — Fri, 23 Aug 2024 11:44:00 GMT

- Is there perhaps any (other) firewalling local active or for instance more enhanced win11 firewalling settings on the Lenovo's w.r.t other devices ?

Re: ISE - unable to onboard Lenovo laptops

B A — Fri, 23 Aug 2024 12:34:23 GMT

Thanks for the suggestion but I don't see anything. Windows Firewall and antivirus are turned off but it makes no difference.

Re: ISE - unable to onboard Lenovo laptops

Mark Elsen — Fri, 23 Aug 2024 13:05:57 GMT

- Just asking : anything special like lenovo proprietary firewalling for windows 11 ?

Re: ISE - unable to onboard Lenovo laptops

B A — Fri, 23 Aug 2024 13:22:12 GMT

I am not aware of it.

Re: ISE - unable to onboard Lenovo laptops

Mark Elsen — Fri, 23 Aug 2024 14:02:11 GMT

- Is the Cisco-ISE version sufficiently recent , I would take >3.0 as a requirement.
+ Check if this stuff is interesting https://community.cisco.com/t5/network-access-control/ise-and-lenovo-thunderbolt-docks-ise-will-put-the-laptop-user/m-p/4051345#M559100

Re: ISE - unable to onboard Lenovo laptops

B A — Mon, 26 Aug 2024 05:46:21 GMT

ISE version is 3.1.0.518.

I also checked the link but it doesn't seem relevant to our issue.

Re: ISE - unable to onboard Lenovo laptops

Mark Elsen — Mon, 26 Aug 2024 05:56:35 GMT

- You may want to contact Cisco's TAC ,

Re: ISE - unable to onboard Lenovo laptops

ahollifield — Mon, 26 Aug 2024 11:23:30 GMT

What is the use-case to allow unmanaged/unknown endpoints onto the protected network? Why not add these machines to the domain?

topic Re: ISE - unable to onboard Lenovo laptops in Network Access Control

ISE - unable to onboard Lenovo laptops

Re: ISE - unable to onboard Lenovo laptops

Re: ISE - unable to onboard Lenovo laptops

Re: ISE - unable to onboard Lenovo laptops

Re: ISE - unable to onboard Lenovo laptops

Re: ISE - unable to onboard Lenovo laptops

Re: ISE - unable to onboard Lenovo laptops

Re: ISE - unable to onboard Lenovo laptops

Re: ISE - unable to onboard Lenovo laptops