Cisco ISE WiFi Profile Not Connecting

[weilandc]

We have had Cisco ISE Integrated for multiple years now, and just recently, possibly after the July 12th Maintenance, with Newly Purchased devices, we cannot get them to connect to the Wi-Fi. All existing devices are working normal. We haven't made any changes ourselves, and we noted that we started to see a drop/error on the API side within our ISE Server since the July 12th Maintenance to our Workspace ONE UEM Platform. We verified SSL Cert, we even changed/updated the Service Account and Password, which initially provided a Successful Connection message, but then moments later went right back to failure. Just wondering if anyone is seeing any issues with ISE and New Devices, we have a Support Case Open, just trying to figure out if it's a Workspace ONE issue or Cisco ISE issue.

[Michael-DeVaney]

Hey! Just a couple of questions to try and help out.
Are you seeing any auth errors or anything on the Cisco side?

What version of UEM are you on? 

Are you able to make any API calls to UEM yourself using something like postman? 

[weilandc]

Version: 24.2.0.10 (2402)

Build Information: BTA-ACRPACSI0-53187ba6703d81aaec6ece7005353a7e51e106be21

I was able to use Postman, we have actually been having to use it frequently last several weeks, dealing with 12064 errors for app installs on iOS devices...

Our Network Team showed us they were getting a MDM External Connection Error on the ISE Side since July 12th, and first message came after/during the Maintenance started on the CNXXX Tenant, and they haven't been able to make a successful connection since outside of us changing the service account/password, which then briefly changed to successful then went right back to failure.

So, still unsure if AW issue or ISE side issue..

Edited July 23 by weilandc

[Michael-DeVaney]

Have you tried using a basic account instead of a directory account just to see if the issue persists? 

Could there be another service causing that API account to get locked out? If it is working for a short time and then stopping, it makes me think that something is causing that account to get locked. 

[weilandc]

We are currently using a Basic Account.

I am not sure on that, nothing has changed on our side, so we are hoping the case we have currently open can somehow corelate the Maintenance on the Tenant with the issue with the Account and ISE Connection.

[weilandc]

After about a 48-hour period, it was determined the account was locked, support unlocked it, but only after this time, did it remain unlocked and for the last 24hrs it is has been working. We will continue to monitor this moving forward, but we have not been able to determine why this happened. We still suspect the Maintenance that was done on July 12 as the culprit but cannot prove it. Just be aware accounts can randomly lock on you.

[Andreano Lanusse]

@weilandc be aware of the enhancements we recently made between UEM and Cisco ISE v3.1 - this solve the Mac address randomization which will require changes on UEM config and ISE to take effect.

https://techzone.omnissa.com/resource/integrating-workspace-one-uem-and-cisco-ise-v31-and-beyond

[RicarPa]

i know you have solved it.

from experience, and based on described timeline of events, maybe there were devices that were offline when the password was changed. On attempt to re-connect caused the account lockout. (?)

changes to wi-fi profiles for wi-fi only devices is rather tricky.