Author Topic: ISE 1.4 BYOD Onboarding Dual SSID  (Read 37580 times)

Offline LDESA

  • Cisco Newbie
  • *
  • Posts: 7
  • Reputation: 0
  • Certification: CCNP
ISE 1.4 BYOD Onboarding Dual SSID
« on: November 24, 2015, 09:03:40 AM »
Good day,

I have followed your steps from SEC0190 but I am unable to get things working over wireless only via wired. The Network Setup Assistant gives the error attached. Please find attached as well spwProfileLog.
The device is able to get registered, it prompts me to install the certificate, which I am able to do so, however at a certain point Network Setup Assistant gives that error and the ISE-Internal SSID with its parameters do not get installed on the machine.
Furthermore, if I add the SSID ISE-Internal manually on the Windows machine, it works fine as well, but that's not the goal. ISE-Internal should be provisioned automatically on the machine.

Please help.

Thanks

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ISE 1.4 BYOD Onboarding Dual SSID
« Reply #1 on: November 27, 2015, 08:24:13 PM »
What happens if you try this on iOS or Android devices?

Offline LDESA

Re: ISE 1.4 BYOD Onboarding Dual SSID
« Reply #2 on: December 11, 2015, 11:13:09 AM »
I have tried with Android but no success. When it gets to the Network Assistant Setup installation part via Google Play (after device registration), it does not open the webpage even though I have allowed that URL on the access list on the vWLC.

By the way, I am using a Virtual Wireless Controller and the access point is in FlexConnect mode. When I set up guest authentication (followed by the parameter GuestFlow) it works fine using normal access lists, but when I try to implement BYOD it does not.

With a vWLC, do I have to use FlexConnect ACLs only?

When you implement BYOD on your videos, on the Authorization Policy Results for CWA, you do not use an Airespace ACL... Does this Airespace ACL work like the dACL for switches? As in for the CWA you specify the redirect ACL then you choose the Airespace ACL to limit the user from accessing specific resources?

Any further ideas please?

Thank you.

Offline MC

Re: ISE 1.4 BYOD Onboarding Dual SSID
« Reply #3 on: December 13, 2015, 09:33:23 PM »
Do you use local or central switching with FlexConnect? ACL on WLC works differently from a switch. First of all, the ACL needs to exist on the WLC and ISE just tells which ACL the WLC needs to use by the name, instead of pushing the whole content to the WLC like a switch. Second of all, the ACL on WLC acts as both access control and redirect ACL. Basically any traffic denied by the ACL will automatically be redirected and that's why you do not see Airespace ACL under the Auth Profile for CWA, just the redirect ACL.
You should not be using FlexConnect ACL, but just regular L3 ACL.

Offline LDESA

Re: ISE 1.4 BYOD Onboarding Dual SSID
« Reply #4 on: December 18, 2015, 04:25:33 AM »
Thank you for the explanation, understood.

Regarding your first question, I am assuming I am using central switching as I have not enabled local switching on the WLAN (correct me if I am wrong). Please have a look at the attached screenshot.

I have just gone through all your Certificate Authority videos and then BYOD Dual SSID, but still cannot get it to work. The Network Setup Assistant still fails to install the Internal SSID on my laptop.

As for an Android device, I have manually installed the Cisco Network Setup Assistant software beforehand on my device. When I connect to the ISE-BYOD SSID it redirects me to ISE, where I then use the AD credentials and register the device. The last page is to get the Network Setup Assistant. Afterwards I open the software installed beforehand and click START. Finally I get this error: "Unable to download profile. (Have you logged into the guest portal?)"

As for an iPhone, I register the device then it asks me to install the certificates. I am able to install the root certificate but I am not able to install the access.ise.local certificate (Wildcard certificate that you created on your videos). It says that "The server certificate for [link hidden by the forum] is invalid."

Any ideas please?

Thanks

Offline LDESA

Re: ISE 1.4 BYOD Onboarding Dual SSID
« Reply #5 on: December 18, 2015, 05:26:17 AM »
Just to add to the last post. I tested BYOD on two Samsung cellphones but they both had the same behavior. However, I have just tried on a Huawei Android cellphone and it worked just fine. It installed the certificates just fine and then I got switched to the ISE-Internal SSID, where I then had access to everything.

Why is it not working for the other devices and laptops?

Offline MC

Re: ISE 1.4 BYOD Onboarding Dual SSID
« Reply #6 on: December 20, 2015, 10:46:38 PM »
Are you using a wildcard cert on ISE? It is a little concerning that the iPhone does not work either. It is usually the device with the highest success rate.
Do you have full admin rights on the Windows PC?
Are you using internal CA or external SCEP CA?

Offline LDESA

Re: ISE 1.4 BYOD Onboarding Dual SSID
« Reply #7 on: December 21, 2015, 03:38:02 AM »
Yes, I am using a WILDCARD cert as per your videos (SEC0187). I have already tried Internal CA and external SCEP CA. But both do not work.
I also have full admin rights on the Windows PC.

Please see attached screenshots regarding the certificates.

What am I possibly doing wrong?

Offline MC

Re: ISE 1.4 BYOD Onboarding Dual SSID
« Reply #8 on: December 22, 2015, 10:08:42 PM »
Can you post the ISE cert? Maybe try to re-install the cert just to make sure it is valid. Hate to say this but worst case you might need to give a fresh install a try. Wouldn't be the first time for me though.

Offline LDESA

Re: ISE 1.4 BYOD Onboarding Dual SSID
« Reply #9 on: January 03, 2016, 10:25:50 PM »
Good day everyone and Happy New Year,

So I have decided to reinstall ISE but now with version 2.0.
I am glad to say that it is finally working :)
I have tried with both internal and external CA and it works perfectly on all devices.
The only thing that I have not been able to make work was BYOD on Android devices without pre-installing Network Setup Assistant from Google Play. I have configured a URL (play.google.com) under the redirect access-list on the vWLC, with the public IPs configured as well, but it is still not working.

Any ideas please?

Thanks

Offline MC

Re: ISE 1.4 BYOD Onboarding Dual SSID
« Reply #10 on: January 05, 2016, 10:26:35 PM »
Yeah.. I don't think the URL options under the ACL work the way you may think they should though. All I remember is trying it in the past, and it didn't work. You may still be stuck with getting the user to pre-download the app. The only other way I can think of is somehow having a DNS request to Google Play return an IP of a web proxy and just allow the proxy IP on the WLC ACL but that may be too complicated though.

Glad to hear that everything else works...
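
The redirect-ACL behaviour described in Reply #3, and the reason an IP-based permit for an app store is fragile as discussed in Reply #10, can be modelled in a few lines. This is an added example, not code from either poster or from Cisco; every address, the portal port 8443 and the rule set are constructed sample values, and the "drop" outcome for denied non-web traffic is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (documentation address ranges), not from the thread.
DNS_SERVER = "192.0.2.53"
ISE_PORTAL = "192.0.2.10"         # portal assumed to listen on TCP 8443
STORE_IP_TODAY = "203.0.113.20"   # address a store hostname resolves to now
STORE_IP_LATER = "198.51.100.7"   # address the same hostname resolves to later

# Rule: (action, protocol, destination network, destination port or None)
REDIRECT_ACL = [
    ("permit", "udp", ip_network(DNS_SERVER + "/32"), 53),
    ("permit", "tcp", ip_network(ISE_PORTAL + "/32"), 8443),
]

def acl_action(acl, proto, dst, port):
    """First matching rule wins; no match falls through to the implicit deny."""
    for action, r_proto, r_net, r_port in acl:
        if r_proto == proto and ip_address(dst) in r_net and r_port in (None, port):
            return action
    return "deny"

def wlc_decision(acl, proto, dst, port):
    """Permit forwards the packet; deny sends web traffic to the portal.
    Assumption: denied non-web traffic is simply dropped."""
    if acl_action(acl, proto, dst, port) == "permit":
        return "forward"
    return "redirect" if proto == "tcp" and port in (80, 443) else "drop"

def with_store_permit(acl):
    """Copy of the ACL that also permits the store's current address only."""
    return acl + [("permit", "tcp", ip_network(STORE_IP_TODAY + "/32"), 443)]

if __name__ == "__main__":
    patched = with_store_permit(REDIRECT_ACL)
    flows = [
        ("base", REDIRECT_ACL, "udp", DNS_SERVER, 53),
        ("base", REDIRECT_ACL, "tcp", ISE_PORTAL, 8443),
        ("base", REDIRECT_ACL, "tcp", STORE_IP_TODAY, 443),
        ("patched", patched, "tcp", STORE_IP_TODAY, 443),
        ("patched", patched, "tcp", STORE_IP_LATER, 443),
    ]
    for label, acl, proto, dst, port in flows:
        print(f"{label:8} {proto} {dst}:{port} -> {wlc_decision(acl, proto, dst, port)}")
```

The last flow shows the point: a permit pinned to one address stops matching as soon as the hostname resolves elsewhere, so the client is redirected back to the portal instead of reaching the store.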

 
