
NSP not working when transitioning from wired - PEAP to wireless -TLS.

krupanch
Level 1

I am testing a wired BYOD use case wherein a user connecting to the network via wired (switch) for the first time will be able to provision their device for wireless configuration by undergoing native supplicant provisioning. Wired authentication is via PEAP-MSCHAPv2, the certificate will be pushed to the device by ISE, and the user should be able to connect to the corporate SSID using EAP-TLS.

So basically we are transitioning from wired PEAP to wireless TLS using NSP. We are not able to configure the SSID using NSP, though the user cert provisioned by the ISE CA to endpoints is getting installed successfully.

Currently using ISE 2.1 version patch 1. Request you to help with suggestions/pointers.

6 Replies

howon
Cisco Employee

Krupa, can you post a screenshot of the NSP Profile? You can go to Work Centers > BYOD > Client Provisioning, then click 'Resources' on the left side. Please take a screenshot of the list and also a screenshot that shows details of the NSP Profile in use. Thanks.

Please see the attached screenshots of the NSP Profile and the list: Screenshot1.png, Screenshot2.png, Screenshot3.png, Screenshot4.png

Krupa, thanks for the screen shots. The configuration looks good. So when you try to associate to DB_BYOD WLAN, what happens? Do you see any logs on ISE for the wireless access?

I have been testing this use case and getting different results with different Windows platforms.

I. Test use case with Windows 7:

When the user joins the network for the first time via wired (switch), they are able to provision their device for wireless configuration by undergoing native supplicant provisioning. Also, the certificate gets pushed by ISE for EAP-TLS authentication with wireless.

But when the user tries associating with DB_WLAN, it is unable to join the network as it is not able to fetch the certificate pushed by ISE from the certificate store. (I verified the certificate in the Windows certificate store.)

Also, I am able to see the wireless logs on ISE, but it gets denied access due to the error mentioned above.



II. Test use case with Windows 10:

The same procedure was followed by the user on a Windows 10 machine as with the Windows 7 machine. While getting associated with wireless DB_WLAN, it is able to successfully authenticate using the certificate, but it gets authenticated using the computer hostname and not the username as per the setting shown above in the screenshot for wireless NSP.


Currently I am using ISE 2.1 version with patch 3. Request you for recommendations/pointers.


         

Krupa, in the case of Windows 7, what is the actual failed login seen in the ISE live log? For Windows 10, it doesn't make sense that the endpoint is authenticating via machine credential when the setting is configured to use user credential, let alone why the PC even has a machine certificate to begin with. If you want, contact me directly at howon@cisco.com and I can set up a Webex to take a look. Thanks.

Hi Hosuk,

Thanks for your reply. I have sent you an email regarding the same.