Cisco ISE 1.2 - Problem with Device Onboarding of internal users using AD Credentials

jay.kishan
Level 1

 

Dear experts,

 

We have implemented ISE 1.2 with WLC 7.5 in our organization. We are using Device Onboarding by letting the users enter their AD Username and Password on the Guest portal, which then redirects them to the device registration portal where they simply register their device and they get internet access.

The problem is that some users are unable to authenticate using this portal while some can successfully authenticate and register their devices. All users are of the same group in AD. Also, we have enabled this check in two places. One is when users connect to the SSID, where the security WPA2-Enterprise uses 802.1x and asks for AD username and password. The other is on the portal.

 

All users are able to connect to the SSID using their AD credentials. However, 30% of the users are not being authenticated when they are redirected to the Guest portal for device registration. Also, it gives no error or event on either ISE or on the mobile device. When the users enter their credentials, the same guest portal page comes back blank with no errors or logs anywhere.


Can someone guide me if there is some configuration mistake that I may have made, or has someone faced this same issue and was/wasn't able to resolve it?

 

Thanks in advance.

Jay

4 Replies

Muhammad Munir
Level 5

Hi,

FYI

The user or device may not be supplying the correct credentials or RADIUS key to match with the external authentication source.

Please make sure and verify that the user credentials that are entered on the client machine are correct, and verify that the RADIUS server shared secret is correctly configured in both the NAD and Cisco ISE (they should be the same).

raun.williams
Level 3

Hello,

I'm curious as to how you have your WLAN and Security set up. I am trying to do single SSID onboarding as well. Initially I would connect with PEAP, authed upon initial connection. Then when opening Safari I'm redirected to the guest login page. If I enter the username and password again, I don't seem to go anywhere. Sounds like a similar issue.

Our problem got solved. It was related to a few user accounts in AD. Usually any authentication on an AD User Account is carried out using the User ID. However, during Web Authentication, Login ID/Name is also checked by ISE and should be the same as User ID.

The problem you are facing might also be related to AD since we had a similar issue. Try to check this on a laptop, as the mobile portal gives no error if the user is unknown or invalid. Also, you can enable logs for web authentication, which are off by default. It will give you a pretty good idea where the problem lies. And yeah, do not keep the web authentication logs on for long, it can hang your ISE.

 

Anyways, thanks for all the support.
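
An added example, not part of the post above and not Cisco or ISE tooling: a Python check over a CSV export of AD accounts that flags users whose two logon names differ, which is the condition the post describes. It assumes that "User ID" and "Login ID/Name" correspond to the AD attributes `sAMAccountName` and the prefix of `userPrincipalName`; the column names and sample rows are constructed.

```python
import csv
import io

# Constructed sample export (not data from this thread). The two columns are
# assumed to be an export of sAMAccountName and userPrincipalName per user.
SAMPLE_EXPORT = """sAMAccountName,userPrincipalName
jdoe,jdoe@example.local
asmith,alice.smith@example.local
BKhan,bkhan@example.local
mlee,
 tnguyen ,tnguyen@example.local
"""


def audit_logon_names(csv_text):
    """Return (account, reason) pairs for accounts whose logon names differ."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Strip padding that spreadsheet or CSV exports often introduce.
        sam = (row.get("sAMAccountName") or "").strip()
        upn = (row.get("userPrincipalName") or "").strip()
        if not sam:
            continue  # row without an account name, nothing to compare
        if not upn:
            findings.append((sam, "no userPrincipalName set"))
            continue
        prefix = upn.split("@", 1)[0]
        # AD compares logon names case-insensitively, so BKhan == bkhan.
        if prefix.casefold() != sam.casefold():
            findings.append((sam, f"UPN prefix '{prefix}' differs from sAMAccountName"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_logon_names(SAMPLE_EXPORT):
        print(f"{account}: {reason}")
```

Accounts it lists are the ones to compare against the users who get the blank portal page.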

Jesus Orellana
Level 1

As advice, please downgrade your WLC; this version 7.5 has several bugs. The version 7.4 is more stable.

 

Regards