
ISE cannot push the profile to the cisco network setup assistant?

200naveen
Level 1

We have tried a few Android devices with version 4.2+ but still got the error message ‘Unable to download profile.(Have you logged into the guest portal?)’ as shown in the picture at the bottom.

In fact, we are connecting the devices to an open SSID which performs MAC filtering, are then redirected to CWA and log in with AD credentials, and are then redirected to the Google Play store, where we can successfully download the Network Setup Assistant.

Could you please advise on the possible reasons that would cause this error message and prevent ISE from pushing the profile to the Cisco Network Setup Assistant?

7 Replies

jan.nielsen
Level 7

I believe that the NSP utility finds the ISE server by sending an HTTP request to the default gateway, so make sure you are redirecting that as well, or it won't be able to find the ISE. Also make sure that the port ISE uses to deploy that config is allowed.

 

 

See if you can add all the ports that the NSP client needs to touch ISE. Also, if you have some time to troubleshoot, can you SSH into the PSN node and run the following command:

show logging application ise-psc.log tail

and see if there are any error messages?

Also, can you check the Android logs (/sdcards/downloads/spw.log)?

Thanks,

Here's a snippet from the Android spw.log.  I see that there is an error trying to verify the hostname.  Is it possible that this is caused by a non-trusted certificate?  I'm using the self-signed cert built into ISE.  I have an entry in the public DNS for guest.domain.com that resolves to the IP of my ISE server accessible from the guest subnet.  I'm allowing all traffic from the guest VLAN to the ISE VLAN on the firewall and all traffic to/from the ISE server in the provisioning ACL I have applied by ISE on the WLC during native supplicant provisioning.  I know that guests can communicate with the ISE server since regular guest portal redirection works, just not the Network Setup Assistant.  I've renamed the domain to domain.com in this snippet.

 

2014.07.20 23:44:48 INFO:verion :4.4.4 SDK Level : 19
2014.07.20 23:44:48 INFO:State :START
2014.07.20 23:44:48 INFO:Starting Discovery
2014.07.20 23:44:48 INFO:Starting ISEDiscoveryAsynchTask
2014.07.20 23:44:48 INFO:DHCP Stringipaddr 192.168.30.110 gateway 192.168.30.1 netmask 255.255.255.0 dns1 208.67.222.222 dns2 208.67.220.220 DHCP server 192.168.30.1 lease 3600 seconds
2014.07.20 23:44:48 INFO:DHCP ipaddress192.168.30.110
2014.07.20 23:44:48 INFO:DHCP gateway192.168.30.1
2014.07.20 23:44:48 INFO:Discoverng ISE http return code :200
2014.07.20 23:44:48 INFO:ISEServer =guest.domain.com
2014.07.20 23:44:48 INFO:session =0516a8c000001932f37acc53
2014.07.20 23:44:48 INFO:Discovered using gateway :18786496
2014.07.20 23:44:48 INFO:Discovered ise server = guest.domain.com
2014.07.20 23:44:48 INFO:Discovered client mac = 5C-0A-5B-FC-37-0F
2014.07.20 23:44:48 INFO:Server:Key=guest.domain.com:0516a8c000001932f37acc53
2014.07.20 23:44:48 INFO:Downloading config fromguest.domain.com
2014.07.20 23:44:48 INFO:checkServerTrusted call
2014.07.20 23:44:48 INFO:checkServerTrusted call
2014.07.20 23:44:48 ERROR:DownloadprofileAsynchTask
2014.07.20 23:44:48 ERROR:java.io.IOException: Hostname 'guest.domain.com' was not verified
2014.07.20 23:44:48 ERROR:Hostname 'guest.domain.com' was not verified
2014.07.20 23:44:48 INFO:Internal system error.

 

On the ISE side, here is the snippet of logs during the same time as when the android network setup assistant was run.

 

2014-07-20 23:41:38,586 INFO   [DefaultQuartzScheduler_Worker-6][] cisco.cpm.infrastructure.utils.NodeGroupFWUtil -:::::- Applied Firewall rules for node group.
2014-07-20 23:42:35,251 INFO   [AbandonedTransactionReaper][] com.cisco.epm.db.AbandonedTransactionReaper -:::::- In AbandonedTransactionReaper :  MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 2
2014-07-20 23:42:39,394 INFO   [AbandonedTransactionReaper][] com.cisco.epm.db.AbandonedTransactionReaper -::::PDPInitialization:- In AbandonedTransactionReaper :  MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 0
2014-07-20 23:42:49,765 INFO   [DataSourceListener Thread][] api.services.persistance.dao.DistributionDAO -:::::- In DAO getRepository method for HostConfig Type: ACTIVE
2014-07-20 23:42:56,805 INFO   [PDP-Heartbeats-0][] com.cisco.cpm.clustering.MnTClient -::::pdpha:- Removing session 0516a8c00000196f2a95cc53
2014-07-20 23:42:56,806 WARN   [PDP-Heartbeats-0][] cpm.nsf.session.impl.SystemStateManager -::::pdpha:- Session 0516a8c00000196f2a95cc53 not found at complete
2014-07-20 23:43:35,441 INFO   [portal-http-844314][] cisco.epm.license.flexlm.FlexlmFileHandler -:::::- Is License Valid for seId [1] = true
2014-07-20 23:43:35,441 INFO   [portal-http-844314][] com.cisco.epm.license.LicensingManager -:::::- License is valid [true] for SeriveType [1]
2014-07-20 23:43:35,750 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
2014-07-20 23:43:35,768 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
2014-07-20 23:43:35,768 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- initializing page definition
2014-07-20 23:43:35,769 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- Created guest theme page def
2014-07-20 23:44:18,090 WARN   [portal-http-844315][] cisco.cpm.guestportal.actions.SelfProvisioningAction -:test:0516a8c000001932f37acc53::guest:- ***BYOD Registration Data***
macAddress: 5C:0A:5B:FC:37:0F
portalUser: test
authStoreName: Internal Users
authStoreGuid: 78954c30-e0f0-11e3-af67-005056bf4689
2014-07-20 23:44:18,113 INFO   [portal-http-844315][] com.cisco.epm.jms.AQMessgeHandler -:test:0516a8c000001932f37acc53::guest:- Publishing message for event [TxnCommit / commit] and message class[class com.cisco.epm.pap.api.transaction.Transaction]
2014-07-20 23:44:18,167 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
2014-07-20 23:44:18,168 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- initializing page definition
2014-07-20 23:44:18,169 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.CoAExecutorService -:test:0516a8c000001932f37acc53::guest:- Issue CoA reauth in 2000 milliseconds for sessionName 0516a8c000001932f37acc53
2014-07-20 23:44:18,171 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
2014-07-20 23:44:18,172 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- initializing page definition
2014-07-20 23:44:18,173 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- Created guest theme page def
2014-07-20 23:44:20,171 INFO   [pool-19-thread-4][] cisco.cpm.guestportal.utils.CoAReauthTask -:test:0516a8c000001932f37acc53::guest:- Running CoAReauthTask for _sessionName 0516a8c000001932f37acc53
2014-07-20 23:44:20,194 INFO   [pool-19-thread-4][] cisco.cpm.guestportal.utils.CoAReauthTask -:test:0516a8c000001932f37acc53::guest:- Issue Local CoA for session 0516a8c000001932f37acc53
2014-07-20 23:44:50,768 INFO   [ContainerBackgroundProcessor[StandardEngine[Catalina]]][] cpm.admin.infra.action.SessionCounterListener -:::::- sessionDestroyed - deducted one session from counter - Session ID - 0FFE9C73C9209D4EE2534558CB8F723B - Session Count - 0
2014-07-20 23:46:58,502 INFO   [portal-http-844315][] cisco.epm.license.flexlm.FlexlmFileHandler -:::::- Is License Valid for seId [1] = true
2014-07-20 23:46:58,502 INFO   [portal-http-844315][] com.cisco.epm.license.LicensingManager -:::::- License is valid [true] for SeriveType [1]
2014-07-20 23:46:58,693 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
2014-07-20 23:46:58,702 INFO   [portal-http-844315][] cisco.cpm.provisioning.cache.FlowStateCacheManager -::0516a8c000001932f37acc53::guest:- Deleted old flow state session with device id 5C-0A-5B-FC-37-0F

 

Success!!  The clue was this:

ERROR:java.io.IOException: Hostname 'guest.domain.com' was not verified

Earlier in the log there is an HTTP 200 message indicating a successful query to the ISE server; however, this is because the discovery by the Network Setup Assistant is done via HTTP and not HTTPS.  When the profile is downloaded, it uses SSL and was failing due to the certificate not being trusted.  I installed a public cert and the profile downloaded and then connected me to the new SSID specified in the profile.  I'm sure if the self-signed certificate in ISE was installed as a trusted CA on the phone, that this would also work.

Hope this helps anyone else experiencing this problem.
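
Added example (not part of the original thread and not Cisco code): a small triage script that separates the plain-HTTP discovery stage from the TLS profile download when reading an spw.log, using the log lines quoted above as sample input. The function name and the stage labels are assumptions made for this illustration.

```python
import re

# Lines taken from the Android spw.log excerpt quoted earlier in this thread.
SAMPLE_SPW_LOG = """\
2014.07.20 23:44:48 INFO:Starting Discovery
2014.07.20 23:44:48 INFO:DHCP gateway192.168.30.1
2014.07.20 23:44:48 INFO:Discoverng ISE http return code :200
2014.07.20 23:44:48 INFO:Discovered ise server = guest.domain.com
2014.07.20 23:44:48 INFO:Downloading config fromguest.domain.com
2014.07.20 23:44:48 INFO:checkServerTrusted call
2014.07.20 23:44:48 ERROR:DownloadprofileAsynchTask
2014.07.20 23:44:48 ERROR:java.io.IOException: Hostname 'guest.domain.com' was not verified
2014.07.20 23:44:48 INFO:Internal system error.
"""

LINE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} (INFO|ERROR):(.*)$")
HTTP_RE = re.compile(r"http return code\s*:\s*(\d+)")
SERVER_RE = re.compile(r"Discovered ise server\s*=\s*(\S+)")
HOST_ERR_RE = re.compile(r"Hostname '([^']+)' was not verified")


def triage_spw_log(text):
    """Return (stage, detail): the provisioning stage that failed and why."""
    http_code = server = None
    downloading = False
    unverified = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or non-log lines
        level, msg = m.groups()
        if (hit := HTTP_RE.search(msg)):
            http_code = int(hit.group(1))
        elif (hit := SERVER_RE.search(msg)):
            server = hit.group(1)
        elif msg.startswith("Downloading config"):
            downloading = True
        elif level == "ERROR" and (hit := HOST_ERR_RE.search(msg)):
            unverified.add(hit.group(1))
    if http_code is None:
        return ("discovery", "no HTTP discovery reply logged")
    if http_code != 200 or server is None:
        return ("discovery", f"HTTP {http_code}, ISE server {server}")
    if unverified:
        # Discovery is plain HTTP, so a 200 there proves nothing about TLS.
        return ("tls", f"certificate not verified for {', '.join(sorted(unverified))}")
    if not downloading:
        return ("download", f"found {server} but no profile download was started")
    return ("ok", f"profile download from {server} logged no TLS error")


if __name__ == "__main__":
    print(triage_spw_log(SAMPLE_SPW_LOG))
```

A "tls" result points at the portal certificate (trust chain or name) rather than at ACLs or redirection, which is what the log in this thread showed.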

 

Wow, it was a hell of a game! The first time I did BYOD and registered a device it worked like a charm, but the second time on the same device was ugly! I had to go to certmgr.msc and delete ISE as a trusted CA, plus I had to delete the personal certificate issued to me from ISE. Then it worked, thank God.

 

OK, the thing is, I THINK (I am not sure yet) that the trusted CA for ISE that we added must be resolvable, meaning DNS must work perfectly. For example, if the name of your ISE server is ISE.local.com, then that must be resolvable in DNS. You need a little info on certificates if you want to play with this, dude...

 

Feel free to email me at ahmed.mukhtar@dwp.com.pk, we could try and resolve the issue.

Venkatesh Attuluri
Cisco Employee

What is the ISE patch level?

Stephen Buck
Level 1

Having the same problem.  Originally, the network setup assistant couldn't find the ISE server until we denied access to the default gateway on port 80 in the WLC ACL for provisioning.  Now it can find the server and I can see requests on the firewall going to ISE on port 8905, however, I'm getting the same error about not being able to download the profile.

I'm running ISE 1.2.1 patch 1 and using an Android 4.4.4.
