BYOD NSP failed for Windows 7, iPhone and MacBook, but Android succeeded

dicmupha
Cisco Employee

Hi, I'm doing an ISE POV for my customer with BYOD as one of the features to demo. A "Secure access configuration for the network failed" error was returned on the network setup assistance application (with screenshot below). I've checked the certificate store on Windows; ISE's CA self-signed cert was pushed down but not the User Cert.

Screen Shot 2018-01-31 at 12.38.13 PM.png

spwProfileLog file shows as below, indicating that the NSP process failed to configure the device due to certificate installation failure. However it works fine on Android mobile phone.

Screen Shot 2018-01-31 at 12.40.26 PM.png

I'd appreciate it if anyone can shed some light on this.

1 Accepted Solution


Thanks @hslai! I managed to dig into the ISE debug logs, where I found these logs, and resolved the problem by replacing the ISE root CA certificate chain.

2018-02-02 15:48:06,365 DEBUG  [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.cpm.provisioning.cert.CertProvisioningFactory -::::- Found incoming certifcate request for internal CA. Increasing Cert Request counter.

2018-02-02 15:48:06,368 INFO   [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.epm.pdp.cache.CacheUtil -::::- before casting object to transaction

2018-02-02 15:48:06,368 INFO   [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.epm.pdp.cache.CacheUtil -::::- object is an instance of TransactionInfo

2018-02-02 15:48:06,368 INFO   [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.epm.pdp.cache.CacheUtil -::::- after casting object to transaction inside loop 0

2018-02-02 15:48:06,368 INFO   [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.mnt.dbms.handler.DataSourceReInitializingHandler -::::- object is an instance of TransactionInfo

2018-02-02 15:48:06,379 DEBUG  [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.cpm.provisioning.cert.CertProvisioningFactory -::::- Key type is RSA, retrieving ScepCertRequestProcessor for caProfileName=ISE Internal CA

2018-02-02 15:48:06,379 DEBUG  [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.cpm.provisioning.cert.CertRequestValidator -::::- Session user has been set to = srv_isepoc

2018-02-02 15:48:06,379 WARN   [https-jsse-nio-172.25.89.244-8443-exec-10][] com.cisco.cpm.scep.ScepCertRequestProcessor -::::- No live PKI server found for certificate request [C=US,ST=State,L=City,O=Company name,OU=Example unit,CN=srv_isepoc]

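The debug lines in the accepted solution can be triaged automatically. The following is an added example, not part of the original post and not Cisco tooling: it parses lines in the layout quoted above, tracks the CA profile and session user per worker thread, and reports each "No live PKI server found" warning with that context. The function name and the per-thread correlation are assumptions; the sample uses lines from the post plus one constructed line on a different thread.

```python
import re

# Layout of the ISE debug lines quoted in the post:
#   timestamp LEVEL [thread][] component -::::- message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^\]]+)\]\[[^\]]*\]\s+(?P<component>\S+)\s+-:.*?:-\s+(?P<msg>.*)$"
)
PROFILE_RE = re.compile(r"caProfileName=(.+)$")
USER_RE = re.compile(r"Session user has been set to = (\S+)")
FAIL_RE = re.compile(r"No live PKI server found for certificate request \[(.+)\]")

def find_scep_failures(lines):
    """Return one record per failed internal-CA request (hypothetical helper)."""
    ctx = {}        # per-thread context, so concurrent requests do not mix
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, stack traces, other formats
        state = ctx.setdefault(m["thread"], {})
        msg = m["msg"]
        if (p := PROFILE_RE.search(msg)):
            state["ca_profile"] = p[1].strip()
        elif (u := USER_RE.search(msg)):
            state["user"] = u[1]
        elif m["level"] == "WARN" and (f := FAIL_RE.search(msg)):
            findings.append({"time": m["ts"], "thread": m["thread"],
                             "subject": f[1], "user": state.get("user"),
                             "ca_profile": state.get("ca_profile")})
            state.clear()  # the request on this thread is finished
    return findings

# Lines 1, 2, 3 and 5 are copied from the post; line 4 (exec-11) is constructed.
SAMPLE_LOG = """\
2018-02-02 15:48:06,368 INFO   [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.epm.pdp.cache.CacheUtil -::::- before casting object to transaction
2018-02-02 15:48:06,379 DEBUG  [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.cpm.provisioning.cert.CertProvisioningFactory -::::- Key type is RSA, retrieving ScepCertRequestProcessor for caProfileName=ISE Internal CA
2018-02-02 15:48:06,379 DEBUG  [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.cpm.provisioning.cert.CertRequestValidator -::::- Session user has been set to = srv_isepoc
2018-02-02 15:48:06,379 DEBUG  [https-jsse-nio-172.25.89.244-8443-exec-11][] cisco.cpm.provisioning.cert.CertRequestValidator -::::- Session user has been set to = other_user
2018-02-02 15:48:06,379 WARN   [https-jsse-nio-172.25.89.244-8443-exec-10][] com.cisco.cpm.scep.ScepCertRequestProcessor -::::- No live PKI server found for certificate request [C=US,ST=State,L=City,O=Company name,OU=Example unit,CN=srv_isepoc]
"""

if __name__ == "__main__":
    for finding in find_scep_failures(SAMPLE_LOG.splitlines()):
        print(finding)
```
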

4 Replies 4

hslai
Cisco Employee

Your log file looks like ISE is not issuing the client certificate, but we won't know more until looking at the ISE debug logs with pertinent components in DEBUG. It's best for you to engage Cisco TAC to troubleshoot. Else, you may take a look at the existing ISE dCloud labs and try your clients there.

Attached is a spwProfileLog.txt from a Win-7 client that successfully performed a BYOD on its wired connection (MAB -> CWA -> BYOD -> EAP-TLS).

I am glad it is now working for you. Thanks a lot for the update.

Hi Dicumpha,

How can I change the ISE root CA certificate chain? What are the steps? Any documentation or customized steps you have, please share.

I am facing the same issue for wired users.

Thanks

Garry
