topic Re: Launch of my devices portal with MAC attributes in Network Access Control

Launch of my devices portal with MAC attributes

jpujol — Wed, 13 Jun 2018 16:54:51 GMT

Hi,

I would like to implement a workflow with an authorisation profile redirecting to a particular "my device" portal, with the ability to pre-populate the deviceId in the registration window.

Do we have an available attribute in the my device portal we could use when specifying the redirection link, in addition to the portal ID ?

Something like :

Above the endpointID value is static, but the final URL would be using the actual deviceID as the MAC attribute.

Any way to do it ?

Thanks !

jean-francois

Re: Launch of my devices portal with MAC attributes

Jason Kunst — Wed, 13 Jun 2018 17:39:29 GMT

The only way for ISE natively to glean the MAC address is through the BYOD flow and nsp, why can’t you use that? What are you trying to accomplish?

Re: Launch of my devices portal with MAC attributes

jpujol — Wed, 13 Jun 2018 20:20:16 GMT

I'm trying to register devices authenticated through WPA / LDAP in a simple way, and limit the number of devices per user.

Once authenticated, I guess it's possible to pass the deviceID within an authorisation profile, and to redirect to "my device" portal for device registration.

In case the user needs to register the first device (through the wireless network), that would be easier to present the device MAC address directly on the form. The device is then put into a group, avoiding further redirection later on.

Since there is a need to limit the number of devices per user, there is also the need to provide a solution to manage and remove stale entries ...

The BYOD registration process is too complex for a simple MAC registration.

Thx,

jean-francois

Re: Launch of my devices portal with MAC attributes

paul — Wed, 13 Jun 2018 21:43:01 GMT

Have you thought about using just a hot spot portal that maps to your desired endpoint identity group?

Assuming your users are connecting to an 802.1 SSID with credentials your authorization rules would look like this:

If MAC address is in the RegisteredDevices endpoint identity group then allow access.

Else allow access but sent to the Hotspot portal. The Hotspot portal could simply say "Click continue below to register your device and gain access to the network".

I haven't tested this out, but I don't see why it wouldn't work.

Re: Launch of my devices portal with MAC attributes

Craig Hyps — Thu, 14 Jun 2018 00:06:32 GMT

As Paul stated, if looking simply to register a MAC address, then HotSpot can accomplish. CWA flow can tie registration to a user only after initial user authentication. This will also allow tracking of user. Based on overall ask, I think BYOD flow is best. Note that BYOD flow can be used to simply associate user to a device, assign the device to an Identity Group and flag it as registered. It is not required to perform any supplicant provisioning in BYOD flow, just login via web portal first time. It can also be used to enforce the number of devices registered to a specific user.

Re: Launch of my devices portal with MAC attributes

Jason Kunst — Thu, 14 Jun 2018 01:52:42 GMT

https://supportforums.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290

Re: Launch of my devices portal with MAC attributes

jpujol — Thu, 14 Jun 2018 06:42:55 GMT

Hi Paul,

I made the test and it allows the device registration, however the user doesn't have visibility on the registered devices, and there isn't a way to remove a device if the number is limited per user.

Re: Launch of my devices portal with MAC attributes

jpujol — Thu, 14 Jun 2018 07:30:50 GMT

Hi Jason,

Thanks, I'll have a try