ISE BYOD Android : Impossible to launch "Network setup assistant"

mmisonne
Level 2

Hello

The BYOD procedure fails when launching "Network setup assistant".
The error message is: "This profile could not be downloaded, are-you connected to Guest Portal ?"

 

WLC 5508  (VM) 7.5
Wlan : Flexconnect
Config : AP Flexconnect
ISE 1.3
Android 4.1.2


Here are the steps:

1: Rule CWA : Redirect to Guest portal : OK
2: Rule CWA : Redirect to device portal : OK
3: Rule Android_dualSSID : Downloading "Network setup assistant" from Googleplay : OK
4: Rule Android_dualSSID :  Launch "Network setup assistant 1.2.40"  : NOK
 

Note : Profile "CWA_GooglePlay" = Redirect-ACL (NSP-ACL-Google)

The NSP-ACL-Google looks like:
(Taken from Flexconnect AP):
 

Extended IP access list NSP-ACL-Google
    10 permit ip any host <IP ISE>
    20 permit ip host <IP ISE> any
    30 permit udp any range 0 65535 any eq domain
    40 permit udp any eq domain any range 0 65535
    50 permit ip any 74.128.0.0 0.0.255.255
    60 permit ip 74.128.0.0 0.0.255.255 any
    70 permit ip any 173.194.0.0 0.0.255.255
    80 permit ip 173.194.0.0 0.0.255.255 any
    90 permit ip any 206.111.0.0 0.0.255.255
    100 permit ip 206.111.0.0 0.0.255.255 any
    110 permit ip any 74.125.0.0 0.0.255.255
    120 permit ip 74.125.0.0 0.0.255.255 any
    130 permit ip any 208.117.224.0 0.0.0.255
    140 permit ip 208.117.224.0 0.0.0.255 any
    150 permit ip any 216.12.120.0 0.0.0.255
    160 permit ip 216.12.120.0 0.0.0.255 any
    170 deny ip any any

 

Could you please help?


Michel Misonne

5 Replies

jan.nielsen
Level 7

Have you checked under monitor/clients that you are actually assigning that ACL when in supplicant provisioning mode?

 

Did you copy the ACL from the TrustSec guides?

Hello

We use the one described in "Cisco Unified Access (UA) and Bring Your Own Device (BYOD) CVD".

 

I tried also with this one:

Extended IP access list NSP-ACL-Google
    10 permit ip any host 10.35.124.195
    20 permit ip host 10.35.124.195 any
    30 permit ip any host 10.35.65.4
    40 permit ip host 10.35.65.4 any
    50 deny ip any 72.163.1.0 0.0.0.255
    60 permit ip any any

 

10 : ISE
20 : ISE
30 : DNS
40 : DNS
50 : Enroll.cisco.com = 72.163.1.80 (to redirect the Network Setup Assistant to ISE)

(Enroll.cisco.com is the address that the Network Setup Assistant is trying to connect to)

 

Regards

 

 

Michel
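
An added example, not part of the original posts: a first-match evaluator for the second NSP-ACL-Google variant posted above, showing which entry a given flow hits. Per the poster's note, the deny entry is the one meant to redirect the flow to ISE; the client address 10.35.70.25 and all function names are constructed for illustration.

```python
import ipaddress

# ACL entries as posted in the reply above (second NSP-ACL-Google variant).
ACL_TEXT = """
10 permit ip any host 10.35.124.195
20 permit ip host 10.35.124.195 any
30 permit ip any host 10.35.65.4
40 permit ip host 10.35.65.4 any
50 deny ip any 72.163.1.0 0.0.0.255
60 permit ip any any
"""

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return (0, 0xFFFFFFFF)
    if head == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return (int(ipaddress.IPv4Address(head)), wildcard)

def parse_acl(text):
    """Parse 'SEQ ACTION ip SRC DST' lines, ordered by sequence number."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        seq, action, proto, rest = int(tokens[0]), tokens[1], tokens[2], tokens[3:]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are handled: {line!r}")
        src = _take_addr(rest)
        dst = _take_addr(rest)
        entries.append((seq, action, src, dst))
    return sorted(entries)

def _matches(spec, addr):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care" bits.
    return (base | wildcard) == (addr | wildcard)

def first_match(entries, src, dst):
    """Return (seq, action) of the first matching entry; implicit deny otherwise."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for seq, action, s_spec, d_spec in entries:
        if _matches(s_spec, s) and _matches(d_spec, d):
            return (seq, action)
    return (None, "deny")
```

Calling `first_match(parse_acl(ACL_TEXT), "10.35.70.25", "72.163.1.80")` shows that traffic to the address given for Enroll.cisco.com lands on entry 50 rather than the final permit.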

 

So when you are in the "supplicant provisioning" mode, can you try and type in http://enroll.cisco.com in your browser? Do you get redirected to one of your ISE PSNs?

Hello

 

Yes, I tried with my PC and it goes to the CWA rule with the same ACL (NSP-ACL-Google) as the Android ACL.

When I try to launch the Network Setup Assistant, it also fails (like the Android) with the same error: "Impossible to download the profil configuration. Connect to the network and retry."

When I try Enroll.cisco.com I get redirected.

 

Michel

Finally we solved the problem.

It was because there were 2 system certificates.

We removed one certificate.

There is now only one self-signed certificate, which is used for EAP/Admin and Portal.

Tests with iPhone/PC Win and Android are OK now.