Dear all, thanks for your videos, they are helping me to set up my ISE.

I come to you with a problem with the BYOD enrollment with client windows 7 and 8.

My windows client does not access the wlan because they do not trust my certificate (of course it is a private CA) and the ISE tryes to find the hostname in active directory, but they are guest and the machine account is not in my ad.

some logs:

Source Timestamp   2013-10-03 09:42:13.758
Received Timestamp   2013-10-03 09:42:13.759
Policy Server   bwifi
Event   5400 Authentication failed
Failure Reason   12511 Unexpectedly received TLS alert message; treating as a rejection by the client
Resolution   Ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Root cause   While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.

     11006   Returned RADIUS Access-Challenge
     11001   Received RADIUS Access-Request
     11018   RADIUS is re-using an existing session
     12304   Extracted EAP-Response containing PEAP challenge-response
     12318   Successfully negotiated PEAP version 0
     12812   Extracted TLS ClientKeyExchange message
     12804   Extracted TLS Finished message
     12801   Prepared TLS ChangeCipherSpec message
     12802   Prepared TLS Finished message
     12816   TLS handshake succeeded
     12310   PEAP full handshake finished successfully
     12305   Prepared EAP-Request with another PEAP challenge
     11006   Returned RADIUS Access-Challenge
     11001   Received RADIUS Access-Request
     11018   RADIUS is re-using an existing session
     12304   Extracted EAP-Response containing PEAP challenge-response
     12511   Unexpectedly received TLS alert message; treating as a rejection by the client
     11504   Prepared EAP-Failure
     11003   Returned RADIUS Access-Reject


Does someone succeeded to do the onboarding procedure with windows clients?

Dear Pep,

You don't use machine hostname for on-boarding rather you user either domain users or OU created for authorize user for device on-boarding. It should be clear that the reasons for device registration or on-boarding is because you want a personal device (not a domain devices) to gain secure access to the network.

Also you will need to setup a CA is your setup is for testing as you need valid CA to make the process painless experience. At this stage of yours you should not try to reinvent the wheel it can be painful but go with what best practices require for a predictive result.

Regards,

From what i have seen, problem with the popup usually happen with computer that have been joined to another domain with possibly some security software installed, but not so much of a non-domain computer which is usually the case for BYOD. To my knowledge, there is not really a solution for this. Dual-SSID would be a work around and you can even keep the final SSID hidden if you want. Just make sure you use a trusted 3rd party cert for the guest portal to avoid user having to accept the cert warning.