08-02-2013 05:03 AM - edited 03-10-2019 08:43 PM
I'm trying to test Windows self-provisioning using the Windows supplicant on ISE v1.1.3 with a Windows 8 laptop.
I get the redirection page and can launch the installer. I accept the cert prompts when prompted by the installer. The network assistant keeps failing halfway through with the message "secure access configuration for the SSID network failed".
Anyone else seen this?
I have tried all 4 wizards available (1.0.0.22/23/33/34) and cannot get past this error.
08-05-2013 02:01 AM
This reminds me of:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud05296
1.0.0.26 should have the fix, open up a TAC case, we need to look into this.
08-12-2013 08:39 AM
Thanks Marcin, it's actually a proof of concept we are doing on behalf of Cisco for a customer. I will need to get our Cisco rep to verify we can TAC this.
Is that version 1.0.0.26 available to download? I can't see it on the download portal on ISE or the Cisco website.
08-13-2013 06:18 AM
Brian,
.34 should contain fix to what I was indicating (AFAIU). As I said - my suggestion is to dig into this via a TAC case.
M.
08-05-2013 02:59 PM
Find the file and go through pages 624 to 625 and 866 to 868; the steps may help you reach a solution.
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
08-12-2013 08:41 AM
Hi Basant, I think the setup should be fine regarding those pages you suggested. We have Apple iPads and iPhones which can register fine.
08-13-2013 10:54 AM
Can you post the authentication logs for the device? That may be helpful.
08-15-2013 03:30 AM
There's the screenshot.
08-15-2013 03:46 AM
08-15-2013 06:21 AM
Hi,
Can you post screenshots of your Windows and Apple iOS supplicant provisioning profiles? Also, there is a document that was written that forces Java CRL checks. See if this doc is of any use.
https://supportforums.cisco.com/docs/DOC-35333
Tarik Admani
*Please rate helpful posts*
08-15-2013 07:45 AM
Thanks Tarik, I can get through the Java browser prompts OK and accept them. Screenshots below. I am going to log a TAC case and see what happens. I will report back.
08-15-2013 11:18 AM
Brian,
Can you break apart your native supplicant profiles into separate policies for Windows, Apple, and Android? I am curious to see if that changes your results. I also see that the name isn't appearing in the screenshot you provided. Set the OS to Windows ALL. There is a bug for Windows 8 users that seems to be solved with the ISE 1.2 release notes and the SPW.
http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp378491
thanks,
Tarik Admani
*Please rate helpful posts*
08-19-2013 02:04 PM
Brian,
Are you using SCEP for certificate enrollment?
08-20-2013 12:52 AM
Hi All,
Turned out to be an ACL issue. Someone else set it up before me so they can take the blame!
The TAC engineer set up a rule to allow any any outbound from the WLC towards the client. It was mainly to allow ports 8905 and 8909 to talk back to the endpoint.
He also pointed me towards this file, %temp%\spwProfileLog.txt, which logs the setup assistant installer, in case anyone else has issues.
Thanks for all the help, guys.
09-15-2014 02:33 AM
Hi brianpmcp!
I have the same problem as you. I checked my ACL; it has a rule allowing any any outbound from the WLC.
172.16.2.212 is my ISE.
But when I connect to the open SSID (MAC filtering) and run the Cisco Network Setup Assistant, I get the same error as you.
This is what I see when I check spwProfileLog:
[Mon Sep 15 15:57:44 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Mon Sep 15 15:57:44 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Mon Sep 15 15:57:44 2014] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]
[Mon Sep 15 15:57:48 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Mon Sep 15 15:57:48 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Mon Sep 15 15:57:48 2014] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [4] secs , Error: [2]
[Mon Sep 15 15:57:53 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Mon Sep 15 15:57:53 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Mon Sep 15 15:57:53 2014] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [4] secs , Error: [2]
[Mon Sep 15 15:57:57 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Mon Sep 15 15:57:57 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Mon Sep 15 15:57:57 2014] Failed to get certificate from server - Error: [2]
[Mon Sep 15 15:57:57 2014] Failed to generate scep request. Error code: [0]
[Mon Sep 15 15:57:57 2014] ApplyCert - End...
[Mon Sep 15 15:57:57 2014] Failed to configure the device.
[Mon Sep 15 15:57:57 2014] ApplyProfile - End...
Can you help me fix the error?
Thanks !
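Added example (not part of the original thread and not Cisco tooling): a small Python triage of a spwProfileLog.txt excerpt like the one posted above, counting WinINet error codes, SCEP retries and terminal failures. The function and variable names are hypothetical; the sample lines are copied from the post, and the code-to-name mapping uses the WinINet constants from wininet.h.

```python
import re
from collections import Counter

# WinINet TLS certificate validation errors (constant names from wininet.h).
WININET_CERT_ERRORS = {
    12037: "ERROR_INTERNET_SEC_CERT_DATE_INVALID",
    12038: "ERROR_INTERNET_SEC_CERT_CN_INVALID",
    12045: "ERROR_INTERNET_INVALID_CA",
}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
CODE_RE = re.compile(r"failed with code: \[(\d+)\]")
RETRY_RE = re.compile(r"SendScepRequest - Retrying: \[(\d+)\] time")

def triage(log_text):
    """Summarise a spwProfileLog.txt excerpt (hypothetical helper)."""
    codes, retries, failures = Counter(), 0, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unparseable lines
        msg = m.group("msg")
        code = CODE_RE.search(msg)
        if code:
            codes[int(code.group(1))] += 1
        retry = RETRY_RE.search(msg)
        if retry:
            retries = max(retries, int(retry.group(1)))
        if msg.startswith("Failed"):
            failures.append(msg)
    return {
        "codes": {k: (n, WININET_CERT_ERRORS.get(k, "unknown"))
                  for k, n in codes.items()},
        "scep_retries": retries,
        "failures": failures,
        # 12038: host name in the URL does not match the server certificate
        "cert_name_mismatch": 12038 in codes,
    }

# Sample input: lines copied from the log posted above (shortened).
SAMPLE = """\
[Mon Sep 15 15:57:44 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Mon Sep 15 15:57:44 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Mon Sep 15 15:57:44 2014] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]
[Mon Sep 15 15:57:57 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Mon Sep 15 15:57:57 2014] Failed to get certificate from server - Error: [2]
[Mon Sep 15 15:57:57 2014] Failed to configure the device.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On an affected client, pass the contents of %temp%\spwProfileLog.txt to triage(); a non-zero 12038 count means the host name used for the HTTPS request did not match the name in the server certificate.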