Enthusiast

ISE onboarding with internal CA server

Hi;

 

I'm testing ISE onboarding and configured authentication/authorization rules on ISE. I also have an internal Windows server which I've configured to be my internal CA server. My WLC is 2504 (software version 8.0.121.0 and field recovery image version 7.4.1.30).

I started to test with an Android mobile device. After successfully authenticating with Active Directory, I was redirected to the BYOD portal where I was pushed to download Cisco Network Assistant from Google Play. But the issue is I got this message on my Android device. How can I resolve this certificate issue on WLC?

 

Screenshot_20180607-164220.png

 

Thank you. 

3 REPLIES
Cisco Employee

Re: ISE onboarding with internal CA server

During which stage of the on-boarding process do you get that error? The error message indicates that there is a proxy and/or another device on your network that is decrypting/inspecting SSL/TLS traffic. Can you expand on the technical details and provide a screenshot of the certificate that is being used to encrypt the connection?

 

Thank you for rating helpful posts!

Enthusiast

Re: ISE onboarding with internal CA server

Hi;

I wanted to try to do the same, but before that, I got stuck at the beginning because I got these messages. Where should I change this option? On WLC or on ISE? I tried but didn't manage to affect that.

 

 

06-08-2018 14:21:37 Local0.Warning 10.1.206.205 CWLC: *Dot1x_NW_MsgTask_7: Jun 08 11:21:31.456: #DOT1X-4-AAA_MAX_RETRY: 1x_bauth_sm.c:404 Max AAA authentication attempts exceeded for client 04:4f:4c:3b:8a:67



06-08-2018 14:21:37 Local0.Info 10.1.206.205 CWLC: *Dot1x_NW_MsgTask_7: Jun 08 11:21:31.456: #APF-6-MOBILE_EXCLUDED: apf_ms.c:6232 Excluded the mobile 04:4f:4c:3b:8a:67.

10.1.206.205 belongs to Cisco WLC. The MAC address in the log message belongs to my Android device.

All I found was Wireless Client Exclusion Policy and I disabled it. 

wlc.png

 

But after a while, something resets the failure and I get this message on ISE RADIUS live log page:

 

wlc2.png

 

I will send the details if I can get rid of this error.

Enthusiast

Re: ISE onboarding with internal CA server

Guys! Any idea?!

I'm getting this message:

ise1.png