02-15-2017 04:31 PM
I am testing a wired BYOD use case wherein a user connecting to the network via wired (switch) for the first time will be able to provision their device for wireless configuration by undergoing native supplicant provisioning. Wired authentication is via PEAP-MSCHAPv2, the certificate will be pushed to the device by ISE, and the user should be able to connect to the corporate SSID using EAP-TLS.
So basically we are transitioning from wired - PEAP to wireless - TLS using NSP. We are not able to configure the SSID using NSP, though the user cert provisioned by the ISE CA to endpoints is getting installed successfully.
Currently using ISE version 2.1 patch 1. Request you to help with suggestions/pointers.
02-16-2017 11:30 AM
Krupa, can you post a screenshot of the NSP Profile? You can go to Work Centers > BYOD > Client Provisioning, then click 'Resources' on the left side. Please take a screenshot of the list and also a screenshot that shows details of the NSP Profile in use. Thanks.
02-17-2017 08:45 AM
Please see the attached screenshots of the NSP Profile and the list.
02-17-2017 10:14 AM
Krupa, thanks for the screenshots. The configuration looks good. So when you try to associate to the DB_BYOD WLAN, what happens? Do you see any logs on ISE for the wireless access?
02-28-2017 02:53 PM
I have been testing this use case and getting different results with different Windows platforms.
I. Test use case with Windows 7:
When the user joins the network for the first time via wired (switch), they are able to provision their device for wireless configuration by undergoing native supplicant provisioning. Also, the certificate gets pushed by ISE for EAP-TLS authentication with wireless.
But when the user tries associating with DB_WLAN, it is unable to join the network as it is not able to fetch the certificate pushed by ISE from the certificate store. (I verified the certificate in the Windows certificate store.)
Also, I am able to see the wireless logs on ISE, but it gets denied access due to the error mentioned above.
II. Test use case with Windows 10:
The user followed the same procedure on the Windows 10 machine as on the Windows 7 machine. While associating with wireless DB_WLAN, it is able to successfully authenticate using the certificate, but it gets authenticated using the computer hostname and not the username as per the setting shown above in the screenshot for wireless NSP.
Currently I am using ISE version 2.1 with patch 3. Request you for recommendations/pointers.
03-01-2017 06:35 AM
Krupa, in the case of Windows 7, what is the actual failed login seen from the ISE live log? For the Windows 10, it doesn't make sense that the endpoint is authenticating via machine credential when the setting is configured to use user credential, let alone why the PC even has a machine certificate to begin with. If you want, contact me directly at howon@cisco.com and I can set up a Webex to take a look. Thanks.
03-01-2017 09:43 AM
Hi Hosuk,
Thanks for your reply. I have sent you an email regarding the same.