topic Secure access configuration for the ethernet failed in Network Access Control

Secure access configuration for the ethernet failed

iores — Sun, 24 Nov 2024 21:50:15 GMT

Hi,

I am trying to configure wired BYOD dot1x onboarding.

However, when the client downloads and starta Network Setup Assistant, I always get the sam error: "Secure access configuration for the ethernet failed".

Did anyone experienced the sam issus and how did you solve it?

I am using ISE 3.0 with WinSPWizard 3.0.0.2. The client is Win 11 with admin rights.

Re: Secure access configuration for the ethernet failed

Arne Bier — Tue, 26 Nov 2024 20:17:31 GMT

Not sure of that old version of ISE - it's best to at least patch ISE 3.0 or upgrade to 3.3 latest patch, and then try again. What does TAC say about this?

Re: Secure access configuration for the ethernet failed

iores — Thu, 28 Nov 2024 18:46:48 GMT

@Arne Bier Did not contact TAC yet. Could it be done with AnyConnect instead of WinSPWizard? I want client to get the certificate from ISE CA, and then to perform EAP TLS.

Re: Secure access configuration for the ethernet failed

Arne Bier — Thu, 28 Nov 2024 20:32:41 GMT

I don't see a lot of BYOD in my customer base, and I don't personally use it, or have much time/desire to play with this in the lab. It's always been fiddly and troublesome when new OSs are released. I think it's wise to upgrade the ISE to something more recent than 3.0 because you can't keep track of all the bugs and enhancement - best to aim higher and then work with the remaining issues that come up.

If you just have a single endpoint (or a few endpoints) then you could onboard them using the Self Provisioning Portal. But the user must have access to the ISE GUI. Users can login to the web interface of the Self Provisioning Portal with their AD creds, and then ISE will generate them a certificate they can download and install manually, along with the ISE CA certs. For remote users, they could probably enrol themselves while they are on the VPN. As far as using AnyConnect to onboard into ISE, that's not supported or possible, as far as I know. The other method would be to use an MDM instead of ISE.

Re: Secure access configuration for the ethernet failed

iores — Sat, 30 Nov 2024 13:19:17 GMT

@Arne Bier For certificate enrollments, do you mean the certificate provisioning portal where the client needs to enter all relevant certificate fields (CN...) or you had something else on your mind?

Re: Secure access configuration for the ethernet failed

Arne Bier — Mon, 02 Dec 2024 01:11:31 GMT

Yep that was my thinking - You don't have a lot of control over the cert creation, other than CN and MAC address. ISE will force the user to enter the same value in the CN that matches the username they used to login to the portal - so the user can't create arbitrary CNs. But the MAC address is somewhat open - but even if it's garbage, you don't need to look at the SAN of that cert (that's where the MAC address ends up in)