Conscia Device Portal FAQ

Here is our collection of frequently asked questions to supplement the documentation available through the application (link to demo site).

Using the Device Portal

Managing Devices

How do I import devices from a CSV file?

From the device page, click the “Import from CSV” link in the top right-hand corner.

Upload a CSV file containing the mandatory fields and the optional fields you need. Here is a sample file that has the correct format:

mac_address,device_group,name,description,device_type,psk,pw_type,asset_id,expires
12:13:14:15:17:18,CDP_Test3,Samle wired,From CSV,Kamera,dummypsk123,mab,demo 1,1900-01-01T00:00:00
12:13:14:15:17:19,CDP_Test3,Samle wireless,From CSV,Kamera,myverySecretPSK,device,demo 2,1900-01-01T00:00:00

Only include the expires field if needed.

After the upload, a preview of the imported devices is shown. Click upload to add the devices. The result of the import is presented in the Notification view.
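A pre-upload check for the import file, added here as an example (it is not part of the Device Portal). It assumes mac_address is a mandatory column, that MAC addresses use the colon-separated form from the sample, and that psk values are WPA2 passphrases; the name check_import_csv is hypothetical.

```python
import csv
import io
import re
from datetime import datetime

# Column names copied from the sample file on this page.
KNOWN_COLUMNS = {"mac_address", "device_group", "name", "description",
                 "device_type", "psk", "pw_type", "asset_id", "expires"}
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")  # assumption: colon form as in the sample
PSK_RE = re.compile(r"^[\x20-\x7e]{8,63}$")  # WPA2 passphrase: 8-63 printable ASCII


def check_import_csv(text):
    """Return a list of (line_number, message) problems found in the CSV text."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    problems = [(1, f"unknown column {c!r}") for c in header if c not in KNOWN_COLUMNS]
    if "mac_address" not in header:  # assumption: the MAC address is mandatory
        problems.append((1, "missing mac_address column"))
        return problems
    seen = {}  # normalised MAC -> line where it first appeared
    for row in reader:
        line = reader.line_num
        mac = (row.get("mac_address") or "").strip().lower()
        if not MAC_RE.match(mac):
            problems.append((line, f"bad MAC address {mac!r}"))
        elif mac in seen:
            problems.append((line, f"duplicate MAC {mac}, first seen on line {seen[mac]}"))
        else:
            seen[mac] = line
        psk = row.get("psk") or ""
        if psk and not PSK_RE.match(psk):
            # Report the rule, never the secret itself.
            problems.append((line, "psk is not 8-63 printable ASCII characters"))
        expires = (row.get("expires") or "").strip()
        if expires:
            try:
                datetime.fromisoformat(expires)
            except ValueError:
                problems.append((line, f"expires {expires!r} is not an ISO timestamp"))
    return problems


# Constructed sample input: line 3 repeats a MAC, line 4 has a short PSK and a bad date.
SAMPLE = """mac_address,device_group,name,psk,pw_type,expires
12:13:14:15:17:18,CDP_Test3,cam1,dummypsk123,mab,
12:13:14:15:17:18,CDP_Test3,cam2,myverySecretPSK,device,
12:13:14:15:17:1A,CDP_Test3,cam3,short,device,2030-13-01T00:00:00
"""
```

Calling check_import_csv(SAMPLE) returns one problem for line 3 and two for line 4; an empty list means the file passed these checks.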

Why can’t a user edit or create a device that is already in ISE?

By default, a user of the device portal can’t import a MAC address that is already in ISE, because doing so could potentially override an intended setting in ISE.

If you know that no policy is assigned by custom settings in ISE other than the one managed via the device portal, you can enable the ISE-wide import setting in the .env file.

https://demoportal.conscia.tech/docs/configuration/index.html

How do I change an interface?

The interface in the device portal is just a name or VLAN ID to be used in the policy in ISE. The

Setting up the device portal

Permissions

How is permission for a device group assigned to a user?

Permission to assign a device to a device group is based on the AAA Group the user is assigned.

The CDP admin can edit the device group and assign one or more AAA Groups that are allowed to assign devices to it.

The AAA Group is assigned by the AAA Authentication backend, often based on the user's assigned group in Windows AD.

How are AAA Groups assigned by the AAA Authentication backend?

The user login to the portal is authenticated via RADIUS on Cisco ISE. The returned “Class” string is used as the AAA Group in the device portal. By building a policy in Cisco ISE, a match between the Windows AD group and the AAA Group in the device policy can be made, so that your device groups in the device portal match your assigned groups in Windows AD.

Wireless

What is needed on my WLC for iPSK to work with the device portal?

Here are some important things to check:

  • WLAN > Security > Layer 2
    • MAC Filtering enabled
    • AAA Authorization List configured
    • WPA2 Encryption AES
    • Auth Key Mgmt PSK
    • Dummy Pre-Shared Key configured
  • Policy > Advanced
    • Allow AAA Override enabled
    • NAC State enabled
    • Accounting List selected
  • AAA Server
    • Support for CoA enabled
    • CoA Server Key same as shared secret

Troubleshoot

Something is not working. Is there a checklist of known things to check?

Sure

  • Use the hostname (not the IP address) for settings in the .env file
  • Make sure the device portal can look up the ISE FQDN
  • Make sure the switch and WLC are configured for accounting
  • Make sure CoA is enabled for the WLAN and in the AAA config
  • Make sure VLAN override is enabled on the switch and WLC

Error – 403: PermissionDenied. insufficient permissions to query device due to group restrictions

This strange message means that the device portal user is trying to add a MAC address that is already in ISE, either via a device group that the user does not have access to or in ISE for another reason, e.g. if it is already connected via dot1x.

Last Seen and IP address information is missing in the portal

The device portal gets updates about devices from Cisco ISE via pxGrid. Check that the endpoint in ISE has the information. If it is not in ISE, something is wrong or missing in the setup of Cisco ISE and the switches or wireless LAN controller. Cisco ISE gets its updates via RADIUS accounting, so check that accounting is configured and working.

If the endpoint is updated in Cisco ISE, the problem is between Cisco ISE and the device portal. Check whether the pxGrid indicator on the Home Screen of the device portal has a green checkmark. Use tcpdump on the server to check whether pxGrid messages are being received. Ensure that the device portal can do a lookup of the ISE FQDN hostname.

Error – 500: Ensure that the API user in Cisco ISE is enabled and valid.