05-13-2021 11:49 PM
Hello Team,
We have:
- Dual SSID BYOD set up – “XYZ-OPEN” open SSID for onboarding, and “ABC-Employee-Register” for BYOD Registered devices
- Internal ISE CA for SCEP / BYOD Client Certificates
- Certs issued with MAC-in-SAN, and users advised to disable “Private IP address” feature for onboard & Staff-register Wifi networks
- Wildcard for Web Portal Certificates signed by XYZ CA
- Corporate PKI Signed EAP Certificate per PSN for 802.1x network
This process works fine for Windows, Mac OS & iOS devices.
Android phones are failing, as per the process below:
User associates to Open “XYZ-OPEN” SSID and is redirected to Web Auth portal
[NOTE – we use Profiling rules to match OS / device type and apply the appropriate WLAN ACL to the session based on iOS / Android etc]
[NOTE - Our devices have Cisco NSA already present]
- No Wifi profile is downloaded or configured
- Only one password prompt is given
- No Certificates are deployed to the device
FYI – During the process:
- ISE Live Logs show EST Successful Authentication
- ISE CA shows a Certificate is issued to the device
I am getting the below error in the RADIUS / Client Provisioning logs:
11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed
Versions:
Cisco ISE v3.0 Patch 2
Posture: Cisco conditions version 270631.0.0.0
Cisco AV/AS support chart version for windows 245.0.0.0
Cisco AV/AS support chart version for Mac OSX 164.0.0.0
Cisco supported OS version 56.0.0.0
Profiler Update: Latest applied feed occurred on: last week
Android Device [test device]
OS: Android 10
Device: Samsung Galaxy S10
Android Cisco Network Setup Assistant version: v3.1.4 [latest]
05-16-2021 04:16 PM
Was this working with an earlier version of ISE and appears to be broken by an upgrade to ISE 3.0, or is this is a completely new setup that is failing?
If it was working before and broke after an upgrade to 3.0, it would be best to open a TAC case to investigate.
If this is a new setup that is failing, you might compare your configuration with the info in the following links:
Some of the logs you posted may also be of interest...
"11215 No response has been received from Dynamic Authorization Client in ISE" seems to indicate that the WLC is not responding to the CoA. Confirm that you have Support for CoA (or RFC 3576, depending on the WLC code version) enabled on the SSIDs.
"11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed" seems to indicate that the Allowed Protocols list may not allow the EAP method that the supplicant is trying to use. You might want to confirm your Allowed Protocols list and CAP are configured correctly.
If all else fails (or for faster resolution), you may want to open a TAC case to investigate further.
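The first post describes client certificates issued with the device MAC in the SAN and users being told to turn off Android's address-randomization feature, and the reply above points at the 11215 and 11510 failure codes. The script below is an added example, not part of this thread and not a Cisco tool: it reads constructed ISE-style failed-attempt log lines (the key=value layout is only loosely modelled on ISE syslog), normalizes the Calling-Station-ID, compares it with the MAC from the certificate SAN, and flags sessions whose MAC has the locally administered bit set, which randomized MACs on Android and iOS always do. The SAN MAC, the log lines and the per-code hints are constructed from the text of the thread; the locally-administered-bit test is a heuristic, not proof of randomization.

```python
import re

# Failure-reason codes quoted in the thread, with the check the reply suggests for each.
KNOWN_FAILURES = {
    "11215": "WLC did not answer the CoA: confirm CoA / RFC 3576 support is enabled on the SSID",
    "11510": "supplicant refused the EAP method: review the Allowed Protocols list and the CAP",
}

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff (the forms WLCs and ISE log).
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$")

# One failed attempt per line; the field layout is a constructed approximation of ISE syslog.
_LINE_RE = re.compile(
    r"Calling-Station-ID=(?P<mac>[0-9A-Fa-f:.-]+).*?FailureReason=(?P<code>\d{5}) (?P<text>[^,]+)"
)

# Constructed sample data (not from the thread): the MAC the ISE CA put in the client
# certificate SAN during onboarding, followed by what the PSN logged afterwards.
SAN_MAC = "00-1A-2B-3C-4D-5E"
SAMPLE_LOG = """\
2021-05-13 23:40:12 ise-psn1 CISE_Failed_Attempts: Calling-Station-ID=00-1A-2B-3C-4D-5E, NetworkDeviceName=WLC-01, FailureReason=11215 No response has been received from Dynamic Authorization Client in ISE
2021-05-13 23:41:02 ise-psn1 CISE_Failed_Attempts: Calling-Station-ID=DA-7F-03-9C-21-44, NetworkDeviceName=WLC-01, FailureReason=11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed
2021-05-13 23:41:05 ise-psn1 CISE_Passed_Authentications: Calling-Station-ID=00-1A-2B-3C-4D-5E, NetworkDeviceName=WLC-01, AuthenticationMethod=EST
"""


def normalize_mac(raw: str) -> str:
    """Return the MAC as lower-case colon-separated octets, whatever format it was logged in."""
    s = raw.strip().lower()
    if not _MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9a-f]", "", s)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02) of the first octet is set. Randomized MACs set this bit,
    so a locally administered Calling-Station-ID hints that randomization is still on."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def check_san_binding(san_mac: str, calling_station_id: str) -> dict:
    """Compare the MAC in the client certificate SAN with the session's Calling-Station-ID."""
    cert_mac = normalize_mac(san_mac)
    session_mac = normalize_mac(calling_station_id)
    return {
        "cert_mac": cert_mac,
        "session_mac": session_mac,
        "match": cert_mac == session_mac,
        "session_mac_randomized": is_locally_administered(session_mac),
    }


def triage_log(lines, san_mac: str) -> list:
    """Pick the failed attempts out of the log and attach the SAN check and the
    suggested next step for each failure code."""
    findings = []
    for line in lines:
        m = _LINE_RE.search(line)
        if not m:
            continue  # passed authentications carry no FailureReason field
        binding = check_san_binding(san_mac, m.group("mac"))
        hint = KNOWN_FAILURES.get(m.group("code"), "no guidance on record for this code")
        if not binding["match"] and binding["session_mac_randomized"]:
            hint += ("; session MAC is locally administered and differs from the SAN MAC, "
                     "so the device is probably still using a randomized MAC")
        findings.append({
            "code": m.group("code"),
            "text": m.group("text").strip(),
            "binding": binding,
            "hint": hint,
        })
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG.splitlines(), SAN_MAC):
        b = f["binding"]
        print(f"{f['code']}: {f['text']}")
        print(f"  SAN {b['cert_mac']} vs session {b['session_mac']} "
              f"(match={b['match']}, randomized={b['session_mac_randomized']})")
        print(f"  -> {f['hint']}")
```

Run against a real export, the interesting case is the second line: the EAP failure comes from a session whose MAC is locally administered and does not match the SAN MAC from the certificate issued during onboarding, which is the pattern to expect when the phone reconnects to the registered SSID with MAC randomization still enabled. A mismatch on a globally unique MAC instead points back at the Allowed Protocols / CAP check the reply describes.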
03-02-2022 03:21 AM
Hi,
I have a very similar issue. Have you found the solution?