Author Topic: ISE 1.2 Error when trying to install windows network assistant for self provisio  (Read 49605 times)

Offline dong

  • Cisco Newbie
  • *
  • Posts: 13
  • Reputation: 1
  • Certification: CCNP
Hi all !
I'm running Cisco ISE 1.2. I'm trying to set up BYOD (dual SSID). I've followed your videos, and I've set up the policies and SCEP and stuff.

Here's a walkthrough of what's happening:
1. I connect to the open SSID, enter username/password and register the MAC
2. I download WinSPwizard and get the trusted root CA, but WinSPwizard gives an error

This is spwprofilelog
[Wed Oct 01 11:27:17 2014] Installed [pvgas-DC-CA, hash: d0 ad c2 1e 19 b0 8b 61  8a 2d 81 88 da 8a a2 ca

da d3 ab e8

] as rootCA
[Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN

[Wed Oct 01 11:27:17 2014] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]
[Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN

[Wed Oct 01 11:27:21 2014] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [4] secs , Error: [2]
[Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN

[Wed Oct 01 11:27:25 2014] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [4] secs , Error: [2]
[Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN

[Wed Oct 01 11:27:29 2014] Failed to get certificate from server - Error: [2]

[Wed Oct 01 11:27:29 2014]  Failed to generate scep request. Error code:
[Wed Oct 01 11:27:29 2014] ApplyCert - End...
[Wed Oct 01 11:27:29 2014] Failed to configure the device.
[Wed Oct 01 11:27:29 2014] ApplyProfile - End...
[Wed Oct 01 11:27:32 2014] Cleaning up profile xml:  success

This is SCEP RA profiles

Other Cert




ACL On WLC



and policy







Please help me fix the error.
Thanks.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Would you be able to validate SCEP setup using router or ASA and make sure you can obtain a certificate?

Offline dong

Hi MC
Yes, I tested on my router. It gets the cert normally.
R1#show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 500D03F681AB769A4B577B57BF20BD4F
  Certificate Usage: Signature
  Issuer:
    cn=pvgas-DC-CA
    dc=pvgas
    dc=local
  Subject:
    cn=pvgas-DC-CA
    dc=pvgas
    dc=local
  Validity Date:
    start date: 16:40:54 UTC Sep 1 2014
    end   date: 16:50:53 UTC Sep 1 2019
  Associated Trustpoints: pvgas-DC-CA



What is wrong? Please help me fix it.
« Last Edit: October 06, 2014, 02:54:19 AM by dong »

Offline MC

This is the CA self-signed cert, not the router cert. Can the router get a cert when you run the 'crypto ca enroll' command?

Offline dong

Hi MC !
Yes, this is the CA cert. When I configure the router cert, it gives an error.
R1(config)#
Oct  8 11:42:14.847: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 66D15A2B 8F738117 E527AB56 8F9F0E0D
Oct  8 11:42:14.847: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: E44DE9E2 D5BF0870 48C2F23C 6080B051 3965DC1E
R1(config)#
Oct  8 11:42:15.435: %PKI-6-CERTFAIL: Certificate enrollment failed.
R1(config)#

The time on the CA is the same as on the router.
R1#show crypto pki cer
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 500D03F681AB769A4B577B57BF20BD4F
  Certificate Usage: Signature
  Issuer:
    cn=pvgas-DC-CA
    dc=pvgas
    dc=local
  Subject:
    cn=pvgas-DC-CA
    dc=pvgas
    dc=local
  Validity Date:
    start date: 16:40:54 UTC Sep 1 2014
    end   date: 16:50:53 UTC Sep 1 2019
  Associated Trustpoints: pvgas-DC-CA


R1#show clock
11:42:55.067 UTC Wed Oct 8 2014


On my CA, I configured the Certificate Templates and changed the Registry.



What is wrong in my configuration? Please help me resolve the problem.
Thanks so much.

Offline MC

So it looks like you do not have your SCEP server properly configured. Please review the videos below.


Offline dong

Hi MC !
I configured the CA and NDES step by step following your instructions, but when the router pulls a cert from the CA server,
the router receives the message %PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority, and under Failed Requests on the CA server I see the message
The Network Device Enrollment Service cannot submit the certificate request (The requested certificate template is not supported by this CA.).  0x80004005.
I duplicated the IPSEC (Offline request) template and chose the same properties as in your configuration. On my router:
crypto key generate rsa modulus 1024 general-keys

crypto pki trustpoint PVGAS-ROOT-CA
 enrollment url You are not allowed to view links. Register or Login
 fqdn R2.pvgas.local
 subject-name cn=R2.pvgas.local
 revocation-check none
 exit


crypto pki authenticate PVGAS-ROOT-CA

Please help me.
Thanks.

Offline MC

Are you using Windows 2008 Enterprise and Enterprise CA and not standalone? Make sure the NDES user is allowed to enroll those templates. Worst case, you can try to start from scratch and follow the instruction video.

Offline dong

Hi MC !
I updated Windows Server, re-added the role and configured the CA server. My router can get certificates.
But when the laptop connects to the open SSID, downloads Network Setup Assistant and starts the install, it does not work.
The spw log file is:
[Fri Oct 10 15:57:42 2014] Logging started
[Fri Oct 10 15:57:42 2014] System locale is [en]
[Fri Oct 10 15:57:42 2014] Loading messages for [en]...
[Fri Oct 10 15:57:42 2014] Initializing profile
[Fri Oct 10 15:57:42 2014] Parsing profile xml - C:\Users\ADMINI~1\AppData\Local\Temp\spwProfile.xml
[Fri Oct 10 15:57:44 2014] Identifying wired and wireless network interfaces, total active interfaces: 1
[Fri Oct 10 15:57:44 2014] Network interface - mac:00-26-C6-65-5E-3C, name: Wireless Network Connection, type: wireless
[Fri Oct 10 15:57:44 2014] Wireless interface [Wireless Network Connection] will be configured...
[Fri Oct 10 15:57:45 2014] Host - [ name:pc1, mac addresses:00-26-C6-65-5E-3C;00-27-13-66-7C-33]
[Fri Oct 10 15:57:45 2014] SPW is running as High integrity Process - 12288
[Fri Oct 10 15:57:46 2014] ApplyProfile - Start...
[Fri Oct 10 15:57:46 2014] User Id: it1, sessionid: e90610ac000001d286023854, Mac: 00-26-C6-65-5E-3C, profile: WirelessSP
[Fri Oct 10 15:57:46 2014] Configuring wireless profile...
[Fri Oct 10 15:57:46 2014] ApplyCert - Start...
[Fri Oct 10 15:57:48 2014] Installed [PVGas-CA-Lab, hash: 66 64 5b fb 15 82 ce 8d  c8 5d 9a 44 1b c4 1a 91

dc c4 b7 94

] as rootCA
[Fri Oct 10 15:58:10 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Fri Oct 10 15:58:10 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN

[Fri Oct 10 15:58:10 2014] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]
[Fri Oct 10 15:58:14 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Fri Oct 10 15:58:14 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN

[Fri Oct 10 15:58:14 2014] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [4] secs , Error: [2]
[Fri Oct 10 15:58:18 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Fri Oct 10 15:58:18 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN

[Fri Oct 10 15:58:18 2014] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [4] secs , Error: [2]
[Fri Oct 10 15:58:23 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Fri Oct 10 15:58:23 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN

[Fri Oct 10 15:58:23 2014] Failed to get certificate from server - Error: [2]

[Fri Oct 10 15:58:23 2014]  Failed to generate scep request. Error code:
[Fri Oct 10 15:58:23 2014] ApplyCert - End...
[Fri Oct 10 15:58:23 2014] Failed to configure the device.
[Fri Oct 10 15:58:23 2014] ApplyProfile - End...
[Fri Oct 10 15:58:32 2014] Cleaning up profile xml:  success

Please give me an idea to fix the error. Thanks, MC.

Offline MC

It looks like the SCEP server at least is working since your router can now get a cert. From the log you provided, it seems to be complaining about the certificate CN, so I would check the certificate template. Which cert template do you use for SCEP? Try duplicating the 'User' template and use that if not already.
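
The spw log in the post above can be summarized mechanically. The following is an added example, not part of the original thread or any Cisco tool: it parses an abbreviated excerpt of that log and maps WinINet code 12038 to its wininet.h name, ERROR_INTERNET_SEC_CERT_CN_INVALID. The function name, result keys and regular expressions are assumptions made for this illustration.

```python
import re
from collections import Counter
# WinINet certificate error codes (wininet.h); 12038 is the one in the thread's log.
WININET_CERT_ERRORS = {
    12037: "ERROR_INTERNET_SEC_CERT_DATE_INVALID",
    12038: "ERROR_INTERNET_SEC_CERT_CN_INVALID",
    12045: "ERROR_INTERNET_INVALID_CA",
}

# Abbreviated excerpt of the spw log posted in the thread (hash wraps across lines, as posted).
SAMPLE_LOG = """\
[Fri Oct 10 15:57:48 2014] Installed [PVGas-CA-Lab, hash: 66 64 5b fb 15 82 ce 8d  c8 5d 9a 44 1b c4 1a 91

dc c4 b7 94

] as rootCA
[Fri Oct 10 15:58:10 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Fri Oct 10 15:58:10 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Fri Oct 10 15:58:10 2014] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]
[Fri Oct 10 15:58:14 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Fri Oct 10 15:58:14 2014] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [4] secs , Error: [2]
[Fri Oct 10 15:58:23 2014] Failed to get certificate from server - Error: [2]
"""

ROOT_CA = re.compile(r"Installed \[([^,\]]+), hash:([0-9a-f\s]+)\] as rootCA")
HTTP_ERR = re.compile(r"InternetOpen\(\) failed with code: \[(\d+)\]")
RETRY = re.compile(r"SendScepRequest - Retrying: \[(\d+)\] time")

def summarize_spw_log(text):
    """Return root CA, WinINet error counts, retry count and a one-line diagnosis."""
    ca = ROOT_CA.search(text)  # \s in the hash group spans the wrapped lines
    codes = Counter(int(c) for c in HTTP_ERR.findall(text))
    retries = max((int(n) for n in RETRY.findall(text)), default=0)
    failed = "Failed to get certificate from server" in text
    if failed and codes:
        code = codes.most_common(1)[0][0]
        name = WININET_CERT_ERRORS.get(code, "unknown WinINet code")
        diagnosis = f"SCEP request aborted by the HTTPS client: WinINet {code} ({name})"
    elif failed:
        diagnosis = "SCEP enrollment failed; no WinINet code logged"
    else:
        diagnosis = "no SCEP failure logged"
    return {
        "root_ca": ca.group(1) if ca else None,
        "root_ca_hash": "".join(ca.group(2).split()) if ca else None,
        "wininet_codes": dict(codes),
        "scep_retries": retries,
        "diagnosis": diagnosis,
    }
```

On this excerpt the root CA install succeeds and every SCEP attempt is then aborted with the same certificate-name error, which separates a trust-store problem from a name-validation problem on the HTTPS connection.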

Offline dong

Hi MC !
I tried duplicating the "User" template and published it, but it did not fix the problem.
These are the steps of my template configuration.

Please give me an idea to resolve the issue.
Thanks, MC.

Offline MC

When it fails, what does the error message on the CA say?

Offline dong

Hi MC !
I was able to resolve this issue. The problem occurred because of missing hotfixes on the CA server. Two hotfixes need to be installed: KB2483562 and KB2633200. This is important.
Thanks

Offline MC

That would do it  :). I guess the moral of this is to have the server updated before configuration. Thank you for sharing the solution. +1

 
