michelbijnsdorp
Beginner

ISE 1.2.0.899 CWA Windows AD based

Hi, I'm running ISE 1.2.0.899 patch 6

When I use an internal ISE user which is in the Identity Group "Onboard", the guest authentication, self registration and profiling are going just great (see picture). But when I use an AD-created user which on AD is in the same "Onboard" security group, it is authenticated, but further than that I get the message "The system admin has either not configured or enabled a policy for your device". Furthermore, I can see in the log that the AD user is authenticated with Identity Group "Any". I tried several things in the authorization in matching the memberof/external group based on "Onboard", with or without the guest flow specified. If I manage to get the device registered in the Identity Endpoint and I try to match on an AD group, I see that is working.

So the bottom line of this question is: if the BYOD/CYOD is not registered in the ISE (Identity Endpoint), which policy rule can I make so it will profile it as an Android and put it as a registered device?

Does anyone know how this can be configured?  Any help is appreciated.

 

Thanks in advance,

 

Kind regards, 

 

Michel

nspasov
Cisco Employee

Hi Michel-

I have a few questions:

1. What do you have configured under: Administration > System > Settings > Profiling > CoA

2. Can you post screen shots of your:

- Authorization policies

- Client provisioning policies

3. Are you saying that when using "Inter Users" the BYOD flow works fine but when using AD based users the flow breaks?

 

Thank you for rating helpful posts!

 

Hi Neno,

I was misled by the d0t1x AuthN in my first statement. If a connection is made on d0t1x with PEAP (mschapv2), then the AuthN checks in the identity source sequence (first AD) if the user exists. This is the case, so this connection is allowed by AuthZ rule: BYOD_AD_D0t1x

1. What do you have configured under: Administration > System > Settings > Profiling > CoA?

Currently it is configured for: "no COA"

As the Cisco documentation said:

Exemptions for Issuing a Change of Authorization:

An Endpoint Created through Guest Device Registration flow—When endpoints are created through device registration for the guests. Even though CoA is enabled globally in Cisco ISE, the profiling service does not issue a CoA so that the device registration flow is not affected. In particular, the PortBounce CoA global configuration breaks the flow of the connecting endpoint.

 

NOTE: the Exception rule is disabled and the default AuthZ is standard, e.g. access denied.

 

3. Are you saying that when using "Inter Users" the BYOD flow works fine but when using AD based users the flow breaks?

Yes, that is correct. As can be seen below, user test99 is internal to ISE, and michelb is the user account in AD, which after a successful AuthN stops with the message in my first post.

 

grtz Michel

Thanks for all of the info Michel. May I also ask what is your end goal here? For instance, can you draw a quick flow of what needs to happen for:

- AD based users vs internal users

- When should CWA occur vs when PEAP authentication method should be used

- How many SSIDs are you using? Single or Dual SSID for onboarding

I am still a bit confused on the full picture here. 

 

Thank you for rating helpful posts!

Hi Neno, 

If I use an internal ISE user as an example: if this user will bring a BYOD/CYOD device, it must be registered via CWA. Furthermore, I use dual SSID, so this device is set to the correct SSID. As for an internal ISE user, this is working. So my first goal is CWA device registration of a BYOD/CYOD device while the CWA login user only exists in AD.

 

I hope that you have enough information? As you can see in my previous post, this first step is not working, and I was wondering if someone has some clue why this first step is not working?

 

grtz Michel

Hi,

Yesterday I tested whether a sponsorall/own created user account would work. And that is working just fine because it is an ISE internal account, as mentioned in the previous posts.

 

 

grtz Michel

Sorry for the delay Michel. Can you also post the screenshot of your "client provisioning" screen (Policy > Client Provisioning)?

 

Thank you for rating helpful posts!


Hi Neno,

 

After I made an adjustment, as can be seen below (first rule), I tested again, and it is working now. Conclusion: the "no policy enabled for your device" message points back to the client provisioning policy and not the policy set.

Thanks for your support.

 

Very good! Glad your issue was resolved!
