topic ISE BYOD Dual SSID with bot SSIDs closed in Network Access Control

ISE BYOD Dual SSID with bot SSIDs closed

llomjaria — Thu, 02 Nov 2023 12:34:36 GMT

Hi,

I am interested if it is possible to configure BYOD with dual closed SSIDs.

When user connects to first SSID it should be redirected to portal where he will enter AD username and password and if authentication is successful the process should continue. After onboarding and posture checks he will be redirected to second SSID.

If it is possible, could you please provide documentation?

Re: ISE BYOD Dual SSID with bot SSIDs closed

Greg Gibbs — Thu, 02 Nov 2023 21:21:13 GMT

While this could technically probably be done, I'm not sure I understand the point and it would be a poor user experience. In order to connect to the first secure SSID, the supplicant would prompt the user for their credentials (which would be PEAP-MSCHAPv2 authC in ISE). They would then be redirected to the portal and be forced to enter their credentials again for Central Web Auth, go through the BYOD enrolment process and be notified to manually change to the second SSID (Posture is not typically part of the BYOD flow).

A smoother solution would be using the Single SSID flow described in the Cisco ISE BYOD Prescriptive Deployment Guide. If Posture is required, that flow would be better suited after the BYOD enrolment as a condition for authorization.

Re: ISE BYOD Dual SSID with bot SSIDs closed

thomas — Tue, 07 Nov 2023 00:12:54 GMT

Posture is not typical for BYOD - once you do this it is basically a managed endpoint.

If you are doing posture checks of your employee's personal devices, why not just use an MDM to enroll/provision them to a single SSID and then manage whatever security policies, applications, settings, WiFi profiles, etc. to minimize your risk concerns?