BYOD ACL for Converged Access

Hello,

Getting the "Profile Installation Failed, The request timed out." error when provisioning a client on a new wireless BYOD service.

My best guess is that there's an ACL issue, and I am having a hard time finding a doc where a Converged Access client provisioning ACL is illustrated giving any device type the ability to provision.

Here's my current ACL, on the MA switch:

ip access-list extended CLIENT-PROVISION
 deny   icmp any any
 deny   udp any any eq bootps
 deny   udp any any eq bootpc
 deny   udp any any eq domain
 deny   ip any host <ISE PSN #1>
 deny   ip any host <ISE PSN #2>
 permit tcp any any eq www
 permit tcp any any eq 443

Suggestions and recommendations are welcomed and appreciated.

Thanks,
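As an added example (not part of the original post and not Cisco's own tooling), here is a small Python evaluator that applies Converged Access redirect-ACL semantics to the CLIENT-PROVISION ACL above: on the 3850/5760, a permit entry means "redirect this flow to the ISE portal" and a deny entry means "pass it through without redirection", with the implicit deny at the end passing everything else. The ISE PSN addresses 10.0.0.11/10.0.0.12, the client address and the web-server address are constructed placeholders.

```python
"""Evaluate a Cisco IOS-XE extended ACL used as a Converged Access
(3850/5760) web-redirect ACL. Semantics differ from a filtering ACL:
permit = redirect the flow to the ISE portal, deny = leave it alone,
implicit deny at the end = everything else passes untouched.
The ACL text and all addresses below are constructed for illustration."""

import ipaddress
import re

# Same structure as the CLIENT-PROVISION ACL in the post; PSN IPs are placeholders.
ACL_TEXT = """\
ip access-list extended CLIENT-PROVISION
 deny   icmp any any
 deny   udp any any eq bootps
 deny   udp any any eq bootpc
 deny   udp any any eq domain
 deny   ip any host 10.0.0.11
 deny   ip any host 10.0.0.12
 permit tcp any any eq www
 permit tcp any any eq 443
"""

# IOS port keywords used in the ACL, mapped to port numbers.
PORT_NAMES = {"www": 80, "bootps": 67, "bootpc": 68, "domain": 53}


def _parse_addr(parts, idx):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at parts[idx]."""
    if parts[idx] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), idx + 1
    if parts[idx] == "host":
        return ipaddress.ip_network(parts[idx + 1] + "/32"), idx + 2
    # address followed by a wildcard mask: invert the wildcard to get a netmask
    addr, wildcard = parts[idx], parts[idx + 1]
    netmask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    net = ipaddress.ip_network((addr, str(ipaddress.ip_address(netmask))), strict=False)
    return net, idx + 2


def parse_acl(text):
    """Return (acl_name, entries); each entry is (action, proto, src, dst, dport)."""
    name, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = re.match(r"ip access-list extended (\S+)", line)
        if header:
            name = header.group(1)
            continue
        parts = line.split()
        action, proto = parts[0], parts[1]
        src, idx = _parse_addr(parts, 2)
        dst, idx = _parse_addr(parts, idx)
        dport = None
        if idx < len(parts) and parts[idx] == "eq":
            token = parts[idx + 1]
            dport = PORT_NAMES.get(token) or int(token)
        entries.append((action, proto, src, dst, dport))
    return name, entries


def classify(entries, proto, src, dst, dport=None):
    """First-match evaluation. Returns ('redirect' | 'bypass', index of the
    matching entry, or None when only the implicit deny matched)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, aproto, asrc, adst, aport) in enumerate(entries):
        if aproto != "ip" and aproto != proto:
            continue
        if src_ip not in asrc or dst_ip not in adst:
            continue
        if aport is not None and aport != dport:
            continue
        return ("redirect" if action == "permit" else "bypass"), i
    return "bypass", None  # implicit deny: not redirected


def portals_not_bypassed(entries, psn_ips, client="10.1.1.5"):
    """PSNs whose HTTPS portal traffic would itself be redirected (a loop).
    Every ISE PSN the client must reach needs a deny entry ahead of the permits."""
    return [ip for ip in psn_ips if classify(entries, "tcp", client, ip, 443)[0] != "bypass"]


if __name__ == "__main__":
    name, entries = parse_acl(ACL_TEXT)
    print(name, "DNS:", classify(entries, "udp", "10.1.1.5", "10.0.0.11", 53))
    print(name, "web:", classify(entries, "tcp", "10.1.1.5", "203.0.113.7", 443))
    print(name, "PSN 8905:", classify(entries, "tcp", "10.1.1.5", "10.0.0.12", 8905))
    print("PSNs missing a bypass entry:", portals_not_bypassed(entries, ["10.0.0.11", "10.0.0.13"]))
```

The `portals_not_bypassed` check is the one worth running before a BYOD rollout: if a PSN the portal lives on is missing from the deny lines, the client's own connection to the portal is redirected again. Note also that the ACL governs only what the switch redirects; traffic that bypasses redirection (such as the TCP 8905 flow to the PSN) still has to be allowed by any firewall between the anchor and ISE.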

6 Replies

nspasov
Cisco Employee

The ACL looks correct. A few other questions:

1. What version of code are you running for:

- ISE

- Switch

- iOS device

2. Have you tried onboarding a different type of device (Android, Windows, OS X)?

Thank you for rating helpful posts!

Hi Neno,

Thanks for the response.

ISE is version 2.0 patch 3

The switch is a 3850 MA, the WLCs (foreign and anchor) are 5760s, all running 3.7.3E code.

The iOS device is an iPhone 6 s/w version 9.3.1

With an Android device, it appears to lock up at the same point - after the Root certificate is installed, and the profile push is attempted.

Because the client is connected to the Anchor WLC in the DMZ, I've also asked the customer to confirm the proper ports are punched through the firewall.  I believe the additional one for SCEP is TCP port 8905.  I have confirmed connectivity from ISE to the external SCEP/NDES is good.

thanks,

Andrew

UPDATE

Opening port 8905 allowed the profile push to begin, but now the client gets the error below. The portal the BYOD clients use is used for sponsored, external guest access as well and just branches out from there. If the credentials entered are an employee's, they go through the BYOD flow.

Hmm, a couple of questions:

1. What certificate do you have tied to the client provisioning portal?

2. Who signed the certificate and what certificate template was used?

3. What are the certificate attributes?

4. Please confirm that they have all of the required ports opened:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0-1/install_guide/b_ise_InstallationGuide201/b_ise_InstallationGuide201_appendix_0110.html

5. What happens when you try Android again?

Thank you for rating helpful posts!

Hi Neno,

1. This is the external Guest certificate for the multi-role portal that serves sponsored guests and BYOD clients

2. Signed by an external 3rd party, DigiCert. Not sure which template they used.

3.

CN=guestaccess.aer.ca,O=Alberta Energy Regulator (AER),L=Calgary,ST=Alberta,C=CA
DNS Name: guestaccess.aer.ca

4. Yes, confirmed, they just opened port 8905 which allowed me to start the profile download

5. Oddly, when I try the Android device, I can access the Google Play Store and download the Network Setup Assistant app. When I run it, I get the error "Unable to detect Server. Please ensure your network access device is configured to redirect enroll.cisco.com to ISE." which I'm not sure I understand.

I have not seen this error before. So if it were me, I would:

1. Temporarily provide full access between the anchor WLC and the rest of the environment and then test again, just to make sure that an ACL entry is not causing the problem.

2. If that does not fix it, then I would proceed with opening a TAC case and have them investigate.

3. Also, just to make sure you:

- Have the anchor configured as a NAD in ISE

- Configured the redirection ACL on the anchor controller

Thank you for rating helpful posts!