https://community.cisco.com/t5/network-access-control/byod-without-certifcate/m-p/3755021#M487740 It’s the other way around. Apple devices are easier to onboard as they use a built in in OTA (over the air) protocol to receive certificates and profiles. This is the most seamless way. It does however require that you have well known certificates in your ise deployment . Otherwise Apple doesn’t trust the onboarding process and there are extra steps that ruins the seamless flow<BR /><BR />Like Arne said ise doesn’t push out PSK configurations. It only does PEAP or EAPTLS<BR /><BR />If you’re wanting to simply associate a device to an AD account you could try doing psk and redirect to the NSP flow to simply register the MAC address so they can manage using the my devices portal<BR /><BR /><BR /><A href="https://community.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290" target="_blank">https://community.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290</A><BR /><BR />Please do consider using certificate based authentication as this is more secure and gives more control of a device is lost or stolen<BR /><BR />If you’re only provided internet access to these devices and don’t care much about security have you considered just using guest CWA with AD credentials on an open ssid? You could associate MAC address with AD portal user in this flow as well but there is no way to manage how many devices a user can have like the byod my devices portal since they are doing simple guest device registration<BR /><BR />Thanks<BR /> Thu, 29 Nov 2018 10:30:04 GMT Jason Kunst 2018-11-29T10:30:04Z https://community.cisco.com/t5/network-access-control/byod-without-certifcate/m-p/3754396#M487677 <P>Hi All</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Is it possible to have a guest portal, which allows BYOD, but pushes a PSK and network settings instead of a certificate to the mobile device. We have a mix of mobile devices therefor we are a bit off using PKI, and all I want, is to associate a mobile device to a AD user account. Perhaps there's another solution?&nbsp;</P> <P>&nbsp;</P> <P>/Michael</P> Wed, 28 Nov 2018 14:39:51 GMT https://community.cisco.com/t5/network-access-control/byod-without-certifcate/m-p/3754396#M487677 Michael Bartholomæussen 2018-11-28T14:39:51Z https://community.cisco.com/t5/network-access-control/byod-without-certifcate/m-p/3754511#M487680 Unfortunately, ISE does not support any other type of security other than WPA/WPA2 TLS and PEAP as of now. Wed, 28 Nov 2018 16:44:35 GMT https://community.cisco.com/t5/network-access-control/byod-without-certifcate/m-p/3754511#M487680 Surendra 2018-11-28T16:44:35Z https://community.cisco.com/t5/network-access-control/byod-without-certifcate/m-p/3754742#M487738 <P>Sounds like something an MDM would be good for.&nbsp; If the idea is to use the simplest on-boarding method (i.e. open SSID which redirects to an Authentication&nbsp;Portal) then I would still wonder how this would work. You need some mechanism on the client to allow it to install things like wireless profiles.&nbsp; And agent of some sort.&nbsp; Apple has the OTA (Over The Air) tech built in for BYOD enrolment.&nbsp; Android needs an app from the Play store.&nbsp; And Microsoft needs to download and run an app.&nbsp;</P> <P>Maybe these guys have a solution for you? <A href="https://www.securew2.com/" target="_blank">https://www.securew2.com/</A></P> Wed, 28 Nov 2018 22:25:25 GMT https://community.cisco.com/t5/network-access-control/byod-without-certifcate/m-p/3754742#M487738 Arne Bier 2018-11-28T22:25:25Z https://community.cisco.com/t5/network-access-control/byod-without-certifcate/m-p/3754932#M487739 <P>Sounds like there's no easy way around this issue.</P> <P>&nbsp;</P> <P>My impression is that Android BYOD works more smoothly, then Apple BYOD. What is your experience with Apple and BYOD, I know there's been some issue around this part of ISE?</P> Thu, 29 Nov 2018 07:36:41 GMT https://community.cisco.com/t5/network-access-control/byod-without-certifcate/m-p/3754932#M487739 Michael Bartholomæussen 2018-11-29T07:36:41Z https://community.cisco.com/t5/network-access-control/byod-without-certifcate/m-p/3755021#M487740 It’s the other way around. Apple devices are easier to onboard as they use a built in in OTA (over the air) protocol to receive certificates and profiles. This is the most seamless way. It does however require that you have well known certificates in your ise deployment . Otherwise Apple doesn’t trust the onboarding process and there are extra steps that ruins the seamless flow<BR /><BR />Like Arne said ise doesn’t push out PSK configurations. It only does PEAP or EAPTLS<BR /><BR />If you’re wanting to simply associate a device to an AD account you could try doing psk and redirect to the NSP flow to simply register the MAC address so they can manage using the my devices portal<BR /><BR /><BR /><A href="https://community.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290" target="_blank">https://community.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290</A><BR /><BR />Please do consider using certificate based authentication as this is more secure and gives more control of a device is lost or stolen<BR /><BR />If you’re only provided internet access to these devices and don’t care much about security have you considered just using guest CWA with AD credentials on an open ssid? You could associate MAC address with AD portal user in this flow as well but there is no way to manage how many devices a user can have like the byod my devices portal since they are doing simple guest device registration<BR /><BR />Thanks<BR /> Thu, 29 Nov 2018 10:30:04 GMT https://community.cisco.com/t5/network-access-control/byod-without-certifcate/m-p/3755021#M487740 Jason Kunst 2018-11-29T10:30:04Z