Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1380
Views
5
Helpful
6
Replies

NSP not working when transitioning from wired - PEAP to wireless -TLS.

krupanch
Level 1
Level 1

‎02-15-2017 04:31 PM

I am testing wired BYOD use case wherein a user connecting to the network via wired(Switch) for the first time will be able to provision their device for wireless configuration by undergoing native supplicant provisioning. Wired authentication is via PEAP-MSCHAPv2 and certificate will be pushed on the device by ISE, and user should be able to connect to corporate SSID using EAP-TLS.

So basically we are transitioning from wired - PEAP to wireless -TLS using NSP. We can not able to configure SSID using NSP though user cert provisioned by ISE CA to endpoints getting successfully installed.

Currently using ISE 2.1 version patch 1. Request you to help with suggestion/pointers

6 Replies 6

howon
Cisco Employee
Cisco Employee

‎02-16-2017 11:30 AM

Krupa, can you post screenshot of the NSP Profile. You can go to Work Centers > BYOD > Client Provisioning, then click 'Resources' on the left side. Please take screenshot of the list and also the screen shot that shows details of the the NSP Profile in use. Thanks.

0 Helpful

krupanch
Level 1
Level 1
In response to howon

‎02-17-2017 08:45 AM

please see attached screenshots of NSP Profile and the list. Screenshot1.pngScreenshot2.pngScreenshot3.pngScreenshot4.png

0 Helpful

howon
Cisco Employee
Cisco Employee
In response to krupanch

‎02-17-2017 10:14 AM

Krupa, thanks for the screen shots. The configuration looks good. So when you try to associate to DB_BYOD WLAN, what happens? Do you see any logs on ISE for the wireless access?

0 Helpful

krupanch
Level 1
Level 1
In response to howon

‎02-28-2017 02:53 PM

I have been testing this use-case and getting different results with different windows platform.

I. Test use-case with windows 7:

          When the user joins the network first time via wired(Switch), they are able to provision their device for wireless configuration by undergoing native supplicant provisioning. Also, certificate gets pushed by ISE for EAP-TLS authentication with wireless.

But when the user tries associating with DB_WLAN, it is unable to join the network as it is not able to fetch the certificate from the certificate store pushed by ISE.(I verified the certificate in Windows certificate store)

Also, I am able to see the wireless logs on ISE, but it gets denied access due to the error mentioned above.



II. Test use-case with windows 10:

          Same procedure followed on windows 10 machine by the user as with windows 7 machine, while getting associated with wireless DB_WLAN, it is able to successfully authenticate using the certificate but it gets authenticated using computer hostname but not username as per the setting shown above in the screenshot for wireless NSP.


Currently I am using ISE 2.1 version with patch 3. Request you for recommendations/pointers.


         

0 Helpful

howon
Cisco Employee
Cisco Employee
In response to krupanch

‎03-01-2017 06:35 AM

Krupa, in the case of Windows 7, what is the actual failed login see from the ISE live log? For the Windows 10, it doesn't make sense that the endpoint is authenticating via machine credential when the setting is configured to use user credential, let alone why the PC even has a machine certificate to begin with. If you want, contact me directly at howon@cisco.com and I can setup a webex to take a look. Thanks.

0 Helpful

krupanch
Level 1
Level 1
In response to howon

‎03-01-2017 09:43 AM

Hi Hosuk,

Thanks for your reply. I have sent you email regarding the same.

0 Helpful
Customers Also Viewed These Support Documents