Happy holidays and upcoming new year. I'm practicing BYOD and trying to use NSP (Native Supplicant Provisioning) for a lab PC (Win7 PC). After connecting to the SSID, I'm redirected to the BYOD portal, which wants me to accept the AUP and add a name and description for device registration. Cisco Network Assistant was downloaded onto the PC and I ran it. It started, but after a while it failed, showing a "Cisco secure access configuration for the TE-LIMIT network failed" message. I opened the "%temp%\spwProfileLog.txt" file to see the installation logs. It said that it couldn't install the certificate, thus ending the wizard. I think it would be good to mention the ISE configuration for more clarity:
I have a separate internal CA in my network and ISE obtained a certificate from that CA, so I am connected to the ISE securely from my management PC (not the PC which is being used in the lab).
I created a native supplicant profile "TISE-NSP" as shown below and I edited the SSID to be the same as my test SSID, which is used by the lab PC. The certificate template configuration is pasted too:
I used default authorization policies:
And at the end, I created a wireless profile manually on my Win 7 lab PC with these properties: SSID: TE-LIMIT; Security Type: WPA2-Enterprise; PEAP with the "Validate Server Certificate" option disabled; Authentication mode: Only user authentication.
ISE and the lab PC are both members of the internal domain (xinmix.local).
My lab PC has access to the ISE and I can ping the ISE IP address throughout the lab while I'm connected to SSID "TE-LIMIT". There is no firewall between ISE and the lab PC. I just route traffic between them with a Cisco router.