02-09-2015 09:01 AM - edited 03-10-2019 10:25 PM
Hello
The BYOD procedure fails when launching "Network setup assistant".
Error message is: "This profile could not be downloaded, are-you connected to Guest Portal ?"
WLC 5508 (VM) 7.5
Wlan : Flexconnect
Config : AP Flexconnect
ISE 1.3
Android 4.1.2
Here are the steps:
1: Rule CWA : Redirect to Guest portal : OK
2: Rule CWA : Redirect to device portal : OK
3: Rule Android_dualSSID : Downloading "Network setup assistant" from Googleplay : OK
4: Rule Android_dualSSID : Launch "Network setup assistant 1.2.40" : NOK
Note : Profile "CWA_GooglePlay" = Redirect-ACL (NSP-ACL-Google)
The NSP-ACL-Google looks like:
(Taken from Flexconnect AP):
Extended IP access list NSP-ACL-Google
10 permit ip any host <IP ISE>
20 permit ip host <IP ISE> any
30 permit udp any range 0 65535 any eq domain
40 permit udp any eq domain any range 0 65535
50 permit ip any 74.128.0.0 0.0.255.255
60 permit ip 74.128.0.0 0.0.255.255 any
70 permit ip any 173.194.0.0 0.0.255.255
80 permit ip 173.194.0.0 0.0.255.255 any
90 permit ip any 206.111.0.0 0.0.255.255
100 permit ip 206.111.0.0 0.0.255.255 any
110 permit ip any 74.125.0.0 0.0.255.255
120 permit ip 74.125.0.0 0.0.255.255 any
130 permit ip any 208.117.224.0 0.0.0.255
140 permit ip 208.117.224.0 0.0.0.255 any
150 permit ip any 216.12.120.0 0.0.0.255
160 permit ip 216.12.120.0 0.0.0.255 any
170 deny ip any any
Could you please help
Michel Misonne
02-09-2015 10:44 AM
Have you checked under monitor/clients that you are actually assigning that ACL when in supplicant provisioning mode?
Did you copy the ACL from the TrustSec guides?
02-10-2015 02:45 AM
Hello
We use the one described in "Cisco Unified Access (UA) and Bring Your Own Device (BYOD) CVD".
I tried also with this one:
Extended IP access list NSP-ACL-Google
10 permit ip any host 10.35.124.195
20 permit ip host 10.35.124.195 any
30 permit ip any host 10.35.65.4
40 permit ip host 10.35.65.4 any
50 deny ip any 72.163.1.0 0.0.0.255
60 permit ip any any
10 : ISE
20 : ISE
30 : DNS
40 : DNS
50 : Enroll.cisco.com = 72.163.1.80 (to redirect the Network Setup Assistant to ISE)
(Enroll.cisco.com is the address that the Network Setup Assistant is trying to connect to)
Regards
Michel
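A first-match check of the ACL posted above, added here as an example (not code from the thread or from Cisco): it parses the six entries and reports which one a given flow hits, so you can confirm that only traffic to 72.163.1.0/24 reaches the deny entry the post annotates as the redirect to ISE. The client address 10.35.70.20 and the destination 173.194.1.1 are constructed test values, and only plain `ip` entries without port operators are handled.

```python
import ipaddress

# Second NSP-ACL-Google variant, copied from the post above.
ACL_TEXT = """\
10 permit ip any host 10.35.124.195
20 permit ip host 10.35.124.195 any
30 permit ip any host 10.35.65.4
40 permit ip host 10.35.65.4 any
50 deny ip any 72.163.1.0 0.0.0.255
60 permit ip any any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def parse_acl(text):
    """Parse 'SEQ ACTION ip SRC DST' lines (no port operators handled)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[2] != "ip":
            continue
        rest = tokens[3:]
        src, dst = _take_addr(rest), _take_addr(rest)
        entries.append((int(tokens[0]), tokens[1], src, dst))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF   # wildcard bits set to 1 are ignored
    return (addr & care) == (base & care)

def evaluate(entries, src, dst):
    """Return (sequence, action) of the first matching entry."""
    for seq, action, sspec, dspec in entries:
        if _matches(_ip(src), sspec) and _matches(_ip(dst), dspec):
            return seq, action
    return None, "deny"             # implicit deny at the end of any ACL

ENTRIES = parse_acl(ACL_TEXT)
CLIENT = "10.35.70.20"              # constructed client address (assumption)

if __name__ == "__main__":
    for dst in ("10.35.124.195", "10.35.65.4", "72.163.1.80", "173.194.1.1"):
        print(dst, evaluate(ENTRIES, CLIENT, dst))
```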
02-10-2015 06:07 AM
So when you are in the "supplicant provisioning" mode, can you try and type in http://enroll.cisco.com in your browser? Do you get redirected to one of your ISE PSNs?
02-10-2015 10:36 AM
Hello
Yes, I tried with my PC and it goes to the CWA rule with the same ACL (NSP-ACL-Google) as the Android ACL.
When I try to launch the Network Setup Assistant, it also fails, like on Android, with the same error: "Impossible to download the profil configuration. Connect to the network and retry."
When I try Enroll.cisco.com I get redirected.
Michel
02-13-2015 08:42 AM
Finally we solved the problem.
It was because there were 2 system certificates.
We suppressed one certificate.
There is now only one self-signed certificate, which is used for EAP, Admin and Portal.
Tests with iPhone, Windows PC and Android are OK now.