12-23-2014 11:03 AM - edited 03-10-2019 10:18 PM
Hi there,
I'm having intermittent issues with onboarding endpoints (both wired and wireless) with ISE 1.2 (Patch 12).
I get three differing scenarios upon attempting:
1) I get redirected to the ISE Self Registration Portal, register, download the supplicant OK and then can browse with no problems.
2) I don't get redirected at all and so never see the Self Registration portal. All browsing tries to go to the selected website and fails (presumably as the redirect URL is in place even if the browser is not "seeing" it). If I force the browser URL to ISE I get the Self Registration Portal displayed but with no MAC details present so I can get no further.
3) I get redirected, and seemingly Register OK, download the profiles etc... but after a "Registered Successfully" message, any attempt to browse to an external website is again redirected to the Portal. I can then re-register again (it lets me do that as if the first time) but I just end up in that loop forever.
These problems are mostly seen wirelessly (I have a WLC 5508) but also wired clients via 3850 wired ports. I am using a collection of endpoints (Android, iPads, Laptops) to test and de-registering them between attempts and the results are entirely random among the three scenarios.
I am not changing any policies in between attempts so they are working fine at times, and not at others.
Any help welcome!
12-29-2014 01:06 AM
Can you post some screen shots of:
1. AAA rules
2. Client provisioning rules
3. Authorization results
4. ACLs in the WLC
Thank you for rating helpful posts!
12-31-2014 09:19 AM
Hi Neno,
Thanks for your reply. I have attached some info as requested. For AuthZ rules they should first hit an EAP-MSCHAPv2 rule via the secure SSID which redirects them to the NSP process and gives them an ACL on the WLC that only allows DHCP, DNS and traffic to/from ISE.
After registration they should then get a certificate and then after a CoA reauthenticate using EAP-TLS.
All this works fine at times, but at other times Web traffic NEVER gets redirected to ISE to begin the registration process or alternatively endpoints are STUCK in a circle of registration in that the redirect works OK and you register OK but the redirect is permanently on and you keep getting asked to re-register your device despite the fact you have already done it once.
If you can avoid either of these scenarios, it works absolutely fine. It feels like the endpoints themselves are the issue, as I am using a small set of test devices to register (and then de-register) to test with.
However the same device that won't work at all for many many attempts, will eventually suddenly work OK and the BYOD process completes. I do however seem to have a permanent problem with Surface Pros in that I can never get them to see the redirect at all.
12-31-2014 12:21 PM
So I had a very similar issue and was able to fix it by not using the "AuthenticationMethod" condition in my rules. Instead, I had to replace it with "EapAuthentication." So basically:
I originally had:
AuthenticationMethod = MSCHAPV2 & AuthenticationMethod = x509_PKI
Then I replaced it with:
EapAuthentication = EAP-MSCHAPv2 & EapAuthentication = EAP-TLS
I am not sure what the difference is, but when I was troubleshooting it I noticed that when the process was failing the session did not include the correct "AuthenticationMethod." I tried to do some more research but came back empty. At the end I gave up since the issue was resolved...
So try that and let me know if the issue goes away.
Thank you for rating helpful posts!
03-20-2015 03:12 AM
Hi Neno,
Apologies for not responding to your kind help. Yes this made a difference to me too. I'm not sure why but many thanks for taking the time to post.
Now have some other issues which I am about to post but thanks again!
03-23-2015 10:06 AM
No problem! Glad I was able to help! I did try to research what the difference is between the two methods but came back with nothing.
If your issue is resolved please mark the thread as "answered" :)
Thank you for rating helpful posts!