Unable to install Cisco NAC agent in BYOD provisioning

Hi,

 

I am unable to install the Cisco NAC agent during BYOD provisioning. So far I have done the following:

1. The BYOD portal opens after generating HTTP traffic.

2. I am able to log in to the BYOD portal with an AD username.

3. I am able to download the NAC agent from ISE.

4. When I install the NAC agent, it gives me options like Yes/No and view the certificate. When I install it, it gives me the error: "Secure Access configuration for the network is failed."

Please suggest how I can fix it.

 

Thanks

Garry

1 Accepted Solution

You should NEVER use self-signed certificates since your endpoints will never trust a self-signed certificate.

Use a CA-signed certificate like you had previously.

No idea what endpoint OS you are using.

You should look at the debug logs as was suggested and contact TAC for further debugging.

 

Cristian Matei
VIP Alumni

Hi,

 

The exact same problem seems to be fixed by replacing the ISE Root CA Certificate Chain. See here. What ISE version and patch level are you running?

 

Regards,

Cristian Matei.

Hi,

 

My ISE version is 2.6.0.156.

Patch information is none.

Role Standalone.

 

Thanks

Garry

Hi,

 

Can you try reconfiguring the CA and applying the latest ISE 2.6 patch? I think it's patch 5.

 

Regards,

Cristian Matei.

Hi, 

I cannot upgrade the patch; I don't have the rights to do it. I have full access, but I can't do it without permission from someone.

Now I am facing a new problem. When the portal is pushed and I try to open it by clicking the message "site is not secure" and then clicking Continue, it does not offer me "proceed anyway". It says "Your PC doesnt not trust this website's security certificate". I cannot open the BYOD portal.

Previously, when I was using a CA-signed system certificate on ISE (for EAP, ADMIN, portal, DTLS), it was opening. After that I switched to a self-generated certificate on ISE (for EAP, ADMIN, portal, DTLS) in system certificates, and then it started giving me this error: "Your PC doesnt not trust this website's security certificate". Now I have switched back to the old system certificate (signed by the CA), but I am still unable to open the BYOD portal on the endpoint.

Error Code: DLG_FLAG_INVALID_CA

Because this site uses HTTP strict transport Security, you cannot continue to this at this time.

 

Please help me to fix this.

 

Thanks

Garry

Hi Thomas,

I am using an ISE self-signed system certificate because my CA is not issuing certificates to endpoints (although the previously used ISE system certificate was CA-signed through a CSR request, my CA is standalone and it cannot generate certificates for endpoints).

Moreover, it's a BYOD scenario in which a user brings his own device, which also doesn't have the CA certificate, and in this case ISE as CA will work.

I am using a Windows 10 workstation. Please tell me where I can check the debug logs.

 

Thanks

Garry
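
Added example, not part of the thread: the certificate question the replies turn on can be checked offline with OpenSSL. The script builds a constructed lab CA and two portal certificates for the assumed hostname `ise-portal.example.test` (one issued by the CA, one self-signed), then reports whether a trust store holding only the lab CA accepts each; all function and file names are this example's own.

```bash
#!/usr/bin/env bash
# Constructed lab PKI: every name, key and certificate here is generated on the spot.

# Print "self-signed" when subject and issuer are the same name, else "ca-issued".
cert_kind() {
  local hashes
  hashes=$(openssl x509 -in "$1" -noout -subject_hash -issuer_hash)
  if [ "$(echo "$hashes" | sed -n 1p)" = "$(echo "$hashes" | sed -n 2p)" ]; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# Exit 0 only if the certificate chains to the CA bundle the endpoint trusts.
endpoint_trusts() {  # usage: endpoint_trusts <trusted-ca.pem> <portal-cert.pem>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build both cases in directory $1: a portal certificate issued by the lab CA
# and a self-signed certificate for the same hostname.
make_lab() {
  local d=$1 cn="/CN=ise-portal.example.test"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "$cn" \
    -keyout "$d/portal.key" -out "$d/portal.csr" 2>/dev/null
  openssl x509 -req -in "$d/portal.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/portal-ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "$cn" \
    -keyout "$d/self.key" -out "$d/portal-self.pem" 2>/dev/null
}

# One line per certificate: file name, kind, and the endpoint's verdict.
report() {  # usage: report <trusted-ca.pem> <portal-cert.pem>
  local verdict=untrusted
  if endpoint_trusts "$1" "$2"; then verdict=trusted; fi
  echo "$(basename "$2"): $(cert_kind "$2"), $verdict"
}

LAB=$(mktemp -d)
make_lab "$LAB"
report "$LAB/ca.pem" "$LAB/portal-ca.pem"
report "$LAB/ca.pem" "$LAB/portal-self.pem"
```

To check a real deployment, export the portal certificate and the endpoint's trusted root as PEM files and pass them to `report`; a CA-issued certificate is also reported as untrusted when the bundle does not contain its issuing CA.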