ISE upgrade 1.2: Self-provisioning portal not working

Luigi Gangitano · ‎09-20-2013

Hi all,

I need help with Self-Provisioning portal flow not showing the agent installation page after upgrade from 1.1.1 to 1.2 on a couple of 3315. I've configured all the pieces as instructed by BYOD SBA guide at http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_InternalCorporateAccessDeploymentGuide-Feb2013.pdf

Screenshot of page is attached:

I've checked ise-console.log application log file and found two errors correponding to the first page:

[portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- com.cisco.cpm.provisioning.exception.ProvisioningException: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.

[portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- at com.cisco.cpm.provisioning.cert.CertProvisioningFactory.initialize(CertProvisioningFactory.java:333)

and the second (not working) one:

[portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- java.lang.NullPointerException

[portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- at com.cisco.cpm.provisioning.cache.FlowStateCacheManager.getFlowStateCache(FlowStateCacheManager.java:202)

Looks like something is wrong with a certification file, but I cannot find what is. I've exported and re-installed current server certificates (as instructed by upgrade guide for 1.2) and nothing changed.

Can somebody please help?

Thanks,

L

harvisin · ‎09-21-2013

Hello Luigi,

Have you deleted the old cerificates and the requests as it may be the possible reason which might be causing this issue.

Luigi Gangitano · ‎09-24-2013

Yes, I did. And I've just repeated the procedure without luck. New CSR/certificate and same error.

Luigi Gangitano · ‎09-24-2013

I solved it removing all the certificates from the store (ISE certs and CA certs) and repeating configuration from scratch.

Since this setup is a two node cluster, is there any way I can do the same procedure on secondary node? I cannot find the CA cert anymore on the second node.

blenka · ‎09-27-2013

Errors When Adding Devices to My Devices Portal

Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.

If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.

If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.

For more information on self-provisioning.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html Errors When Adding Devices to My Devices Portal
Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
For more information on self-provisioning.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html