ISE Client Provisioning and Regex

I’m working on an ISE project with MDM integration and wanted to lab up some of the use cases before working directly with the customer.  One of the steps in the process is to get the device on-boarded with ISE (before the MDM registration check).  In my authz policy, I’m using the regex Radius:Called-Station-ID MATCHES .*(:PROVISION)$ to match the request to the SSID. To do this, you also have to have the WLC set to send AP MAC Address:SSID as the Auth Call Station ID Type.  You can find that on the WLC at Security -> AAA -> RADIUS -> Authentication at the top of the window.  You can also use the Airespace wlan-id if you know for sure that all of your WLCs have the WLANs in the exact same order.  It is because of this potential discrepancy that I chose to use the regex.

However, as it turns out, there is a bug (filed today, April 17, 2014 with TAC: CSCuo34855) that keeps you from using regex on the Client Provisioning page.  Now, I don’t know if regex is a problem for every condition, but I was using the same regex in a condition in my Client Provisioning policies as I was in my authz policy mentioned above.  The client device experience was that you get stuck at the first redirect where you see the device registration page.  The error states “The system administrator has either not configured or enabled a policy for your device.  Contact your system administrator.”  The normal flow here is that you would see this page and immediately be redirected to the next part of the flow before coming back and actually registering your device.  As soon as I removed the regex condition from the Client Provisioning policies, everything worked as expected.

Another colleague in TAC mentioned that it would be nice to have tried using this regex in a compound condition, but compound conditions aren’t allowed in Client Provisioning policies.  Hopefully the fix for this bug will make it into ISE 1.3 due out later this year.  Who knows, maybe we’ll see compound conditions there too!  A shout out to Josh and Beau in RTP AAA TAC – always good to work with you guys!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s