Lab Minutes Forum

Technical Discussion => Security => Topic started by: rezafathi on June 14, 2015, 11:34:30 AM

Title: Cisco ISE 1.4 BYOD Wired onboarding problem
Post by: rezafathi on June 14, 2015, 11:34:30 AM
Hello,
I watched the respective video about wired BYOD onboarding from your website and did all the steps right. Non-domain computer redirects to ISE guest portal and I enter the domain username and password then it downloads cisco network assistant and does setuo the network successfully but it does not go to the next authorization policy which is permit internet access and loops back to the login page again and again. please help me because it's driving me crazy.
Title: Re: Cisco ISE 1.4 BYOD Wired onboarding problem
Post by: MC on June 16, 2015, 09:19:30 PM
Here are the questions
1. Does Network Setup Assistant run to completion? If so,
2. Did the computer get a user certificate installed? If so,
3. Did you see EAP-TLS auth attempt on the ISE log. If so, can you share the screenshot of the auth detail page and your authorization policies.
Title: Re: Cisco ISE 1.4 BYOD Wired onboarding problem
Post by: rezafathi on June 17, 2015, 02:32:00 AM
Hello,
Thank you for your response.

1- yes it runs successfully
2- yes computer gets the certificate for the user
3- As you can see in the attached screen shot, the authentication is PAP/ASCI

I also attached my switch configuration (port gig 1/0/20 is connected to the client) and authorization policy. The DACLs are same as yours in videos. Clients login and the network setup assistant completes but the authorization policy won't change and there is no internet access for user. Please help me because I have worked on it 15 hours a day but I wasn't succesfull/ 
Title: Re: Cisco ISE 1.4 BYOD Wired onboarding problem
Post by: MC on June 19, 2015, 10:01:35 PM
The screenshot looks like a successful login to guest portal before the onboarding begin and not after. Make sure that you have configured correct Client Provisioning profile for wired with 802.1X with corresponding Client Provisioning Policy. Confirm that your client have received correct wired profile by checking the LAN adapter settings. You should see 802.1X box checked with Smartcard/certificate for authentication.
SimplePortal 2.3.7 © 2008-2024, SimplePortal