cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
462
Views
0
Helpful
8
Replies

ISE - unable to onboard Lenovo laptops

B A
Level 1
Level 1

Hello everyone, I would like to ask for your help with a strange issue.

We currently have several BYOD devices that are not in the domain and we need to onboard them. These are all Lenovo laptops. They will connect to the network via username and password and successfully download the Network Setup Assistant via the BYOD portal as expected. When I run Network Setup Assistant, I see that the profile is being downloaded but in a few seconds it stops and says . "Failed to discover ISE. Reconnect to the network and try again".

 

scr2.png

I don't know how to troubleshoot this at all. When I do the same thing on a Dell laptop, it means I start the Network Setup Assistant, the process goes successfully to the end. We updated Windows OS, drivers, and also checked certificates but we cannot figure out where the problem is. The latest Windows 11 is installed. But this happens only with Lenovo with Windows 11. Dell with Windows 11 and Lenovo with Windows 10 work perfectly. 

The content of spwProgileLog is here:

[Fri Aug 23 12:51:48 2024] Logging started
[Fri Aug 23 12:51:48 2024] SPW Version: 3.0.0.3
[Fri Aug 23 12:51:48 2024] System locale is [en]
[Fri Aug 23 12:51:48 2024] Loading messages for english...
[Fri Aug 23 12:51:48 2024] Initializing profile
[Fri Aug 23 12:51:49 2024] Found 2 interfaces
[Fri Aug 23 12:51:49 2024] Found 0 interfaces
[Fri Aug 23 12:51:49 2024] SPW is running as High integrity Process - 12288
[Fri Aug 23 12:51:49 2024] GetProfilePath: searched path = C:\Users\Admin\AppData\Local\Temp\ for file name = spwProfile.xml result: 0
[Fri Aug 23 12:51:49 2024] GetProfilePath: searched path = C:\Users\Admin\AppData\Local\Temp\Low for file name = spwProfile.xml result: 0
[Fri Aug 23 12:51:51 2024] Profile xml not found Downloading profile configuration...
[Fri Aug 23 12:51:51 2024] Downloading profile configuration...
[Fri Aug 23 12:51:51 2024] Discovering ISE using default gateway
[Fri Aug 23 12:51:52 2024] Identifying wired and wireless network interfaces, total active interfaces: 0
[Fri Aug 23 12:51:52 2024] DiscoverISE - start
[Fri Aug 23 12:51:52 2024] DiscoverISE input parameter : strUrl [http://enroll.cisco.com/auth/discovery/]
[Fri Aug 23 12:51:52 2024] [HTTPConnection] CrackUrl: host = enroll.cisco.com, path = /auth/discovery/, user = , port = 80, scheme = 3, flags = 0
[Fri Aug 23 12:51:52 2024] [HTTPConnection] HttpSendRequest: header = Accept: */*
headerLength = 12 data = dataLength = 0
[Fri Aug 23 12:51:52 2024] HTTP Response header: [HTTP/1.1 200 OK
Location: https://ISEserver.ourdomain.local:8443/portal/gateway?sessionId=c0a867450023f31666c86713&portal=ad69d838-621f-494d-ba60-47febae4dbdf&action=nsp&token=6b41892bc450f9cca02c510754db37ad&redirect=enroll.cisco.com/auth/discovery/
Content-Type: text/html
Content-Length: 476

] HTTP Content: [<HTML><HEAD><TITLE> Web Authentication Redirect</TITLE><META http-equiv="Cache-control" content="no-cache"><META http-equiv="Pragma" content="no-cache"><META http-equiv="Expires" content="-1"><META http-equiv="refresh" content="1; URL=https://ISEserver.ourdomain.local:8443/portal/gateway?sessionId=c0a867450023f31666c86713&portal=ad69d838-621f-494d-ba60-47febae4dbdf&action=nsp&token=6b41892bc450f9cca02c510754db37ad&redirect=enroll.cisco.com/auth/discovery/"></HEAD></HTML>
]
[Fri Aug 23 12:51:52 2024] getUrlFromResponse - Server response body lower case [<html><head><title> web authentication redirect</title><meta http-equiv="cache-control" content="no-cache"><meta http-equiv="pragma" content="no-cache"><meta http-equiv="expires" content="-1"><meta http-equiv="refresh" content="1; url=https://ISEserver.ourdomain.local:8443/portal/gateway?sessionid=c0a867450023f31666c86713&portal=ad69d838-621f-494d-ba60-47febae4dbdf&action=nsp&token=6b41892bc450f9cca02c510754db37ad&redirect=enroll.cisco.com/auth/discovery/"></head></html>
]
[Fri Aug 23 12:51:52 2024] getUrlFromResponse - returning url extracted from meta tag [https://ISEserver.ourdomain.local:8443/portal/gateway?sessionId=c0a867450023f31666c86713&portal=ad69d838-621f-494d-ba60-47febae4dbdf&action=nsp&token=6b41892bc450f9cca02c510754db37ad]
[Fri Aug 23 12:51:52 2024] Discovered ISE - : [ISEserver.ourdomain.local, sessionId: c0a867450023f31666c86713]
[Fri Aug 23 12:51:52 2024] DiscoverISE - end
[Fri Aug 23 12:51:52 2024] Discovered ISE using cisco url: [http://enroll.cisco.com/auth/discovery/]
[Fri Aug 23 12:51:52 2024] Successfully Discovered ISE: ISEserver.ourdomain.local, session id: c0a867450023f31666c86713, macAddress:
[Fri Aug 23 12:51:52 2024] GetProfile - start
[Fri Aug 23 12:51:52 2024] [HTTPConnection] CrackUrl: host = ISEserver.ourdomain.local, path = /auth/provisioning/evaluate?typeHint=SPWConfig&referrer=Windows&spw_version=3.0.0.3&session=c0a867450023f31666c86713&os=Windows All, user = , port = 8905, scheme = 4, flags = 8388608
[Fri Aug 23 12:51:52 2024] [HTTPConnection] HttpSendRequest: header = Accept: */*
headerLength = 12 data = dataLength = 0
[Fri Aug 23 12:51:53 2024] Warning - [HTTPConnection:RetrySendRequest] InternetOpen() failed with code: [12057], msg: [It was not possible to connect to the revocation server or a definitive response could not be obtained.
]
[Fri Aug 23 12:51:53 2024] [HTTPConnection] All CRL Checks are off
[Fri Aug 23 12:51:53 2024] [HTTPConnection] HttpSendRequest: header = Accept: */*
headerLength = 12 data = dataLength = 0
[Fri Aug 23 12:51:53 2024] Received redirect to location null
[Fri Aug 23 12:51:53 2024] [HTTPConnection] CrackUrl: host = ISEserver.ourdomain.local, path = /auth/provisioning/download/e35e7769-8a5e-4c4a-a454-ac0262f9f0bb/NSA_BYOD_EXT.xml?sessionId=c0a867450023f31666c86713&os=WINDOWS_10_ALL, user = , port = 8443, scheme = 4, flags = 8388608
[Fri Aug 23 12:51:53 2024] [HTTPConnection] HttpSendRequest: header = Accept: */*
headerLength = 12 data = dataLength = 0
[Fri Aug 23 12:51:53 2024] GetProfile - end
[Fri Aug 23 12:51:53 2024] Successfully retrieved profile xml
[Fri Aug 23 12:51:53 2024] using V2 xml version
[Fri Aug 23 12:51:53 2024] parsing wireless connection setting
[Fri Aug 23 12:51:53 2024] Certificate template: [keytype:RSA, keysize:2048, subject:OU=XXX;O=XXX;L=XXX;ST=XXX;C=XXX, SAN:MAC]
[Fri Aug 23 12:51:53 2024] set ChallengePwd
[Fri Aug 23 12:51:53 2024] Starting parsing proxy configuration
[Fri Aug 23 12:51:53 2024] ProxySettings key was not found in the configuration xml
[Fri Aug 23 12:51:53 2024] found redirect URL: https://www.domain.com
[Fri Aug 23 12:51:53 2024] Identifying wired and wireless network interfaces, total active interfaces: 0
[Fri Aug 23 12:51:53 2024] WirelessProfile::StartWLanSvc - Start
[Fri Aug 23 12:51:54 2024] Wlansvc service is in Auto mode ...
[Fri Aug 23 12:51:54 2024] Wlansvc is running in auto mode...
[Fri Aug 23 12:51:54 2024] WirelessProfile::StartWLanSvc - End
[Fri Aug 23 12:51:54 2024] Found [1] wireless interfaces ...
[Fri Aug 23 12:51:54 2024] Wireless interface 1 - Desc: [Qualcomm FastConnect 6900 Wi-Fi 6E Dual Band Simultaneous (DBS) WiFiCx Network Adapter], Guid: [{FBE6ACB5-7B7D-4709-BFD1-7850CE089CA9}]...
[Fri Aug 23 12:51:54 2024] Wireless interface - Mac address: 8C-3B-4A-4E-EC-6A
[Fri Aug 23 12:51:54 2024] Identifying wired and wireless interfaces...
[Fri Aug 23 12:51:54 2024] Wireless interface [{FBE6ACB5-7B7D-4709-BFD1-7850CE089CA9}] will be configured...

Thanks for any help!

8 Replies 8

marce1000
VIP
VIP

 

  - Is there perhaps any (other) firewalling local active or for instance more enhanced win11 firewalling settings on the Lenovo's w.r.t other devices ?

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thanks for the suggestion but I don't see anything. Windows Firewall and antivirus are turned off but it makes no difference.

 

  - Just asking : anything special like lenovo proprietary firewalling for windows 11 ? 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

I am not aware of it.

 

    - Is the Cisco-ISE version sufficiently recent , I would take >3.0 as a requirement.
    + Check if this stuff is interesting https://community.cisco.com/t5/network-access-control/ise-and-lenovo-thunderbolt-docks-ise-will-put-the-laptop-user/m-p/4051345#M559100

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

ISE version is 3.1.0.518.

I also checked the link but it doesn't seem relevant to our issue.

 

         - You may want to contact Cisco's TAC , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

What is the use-case to allow unmanaged/unknown endpoints onto the protected network?  Why not add these machines to the domain?