Configuring a guest portal solely for BYOD Certificate Renewal

adesalvatore
Level 1

I'm running ISE 2.4 Patch 10, and I'm hitting a roadblock when my BYOD users are trying to renew their (expiring) certificates. I've built an AuthZ profile that is applied when a user's BYOD certificate is within 30 days of expiration.

[Image: CWA Annotation 2019-10-21 145424.png]

I thought that all I needed to do was select Centralized Web Auth, but anytime a user hits the web redirect, they get this "Unable to obtain the user information needed" error message:

[Image: BYOD-error.PNG]

I'm thinking at this point that the CWA is failing (and falling through to NSP) because I never selected a portal in the "Value" field. I found a few guides online, but they all seem to assume that I already have a Guest Portal which requires users to log in. I have a Guest SSID which only requires AUP acceptance to connect, and I have a single-SSID BYOD network. Am I on the right track? Does anyone know of a tutorial for setting up a Guest portal which would only be used for BYOD cert renewal that I may have missed, or is my best bet to open a TAC case and see if they can provide a config?
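The "within 30 days of expiration" condition the AuthZ profile in the question is keyed on, worked through as an added example. This is illustrative Python written for this thread, not Cisco ISE code or configuration, and it does not talk to ISE: it parses a certificate's NotAfter the way X.509 encodes it (UTCTime with the two-digit-year century pivot, or GeneralizedTime), computes the days left, and maps the result onto the three outcomes the thread is working towards. The outcome names, the window constant, the evaluation date and the sample NotAfter values are assumptions chosen for the illustration; in ISE the redirect itself is done by the AuthZ profile.

```python
"""Model of the 'BYOD certificate expires within 30 days' check that the
AuthZ profile in this thread is keyed on. Illustrative code added to the
thread; it is not Cisco ISE code and does not talk to ISE."""
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW_DAYS = 30  # the 30-day window from the original post

# Constructed evaluation time used by the sample run and the checks below.
SAMPLE_NOW = datetime(2019, 10, 21, tzinfo=timezone.utc)


def parse_x509_time(value: str) -> datetime:
    """Parse a validity time as it is encoded in X.509 certificates (RFC 5280).

    UTCTime is 'YYMMDDHHMMSSZ' with a two-digit year: 50..99 mean 1950..1999
    and 00..49 mean 2000..2049. GeneralizedTime is 'YYYYMMDDHHMMSSZ'.
    RFC 5280 only allows the 'Z' (UTC) form, so anything else is rejected.
    """
    if not value.endswith("Z"):
        raise ValueError("certificate times must be UTC ('Z')")
    digits = value[:-1]
    if len(digits) == 12:  # UTCTime: apply the 50/49 century pivot
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        digits = f"{year:04d}{digits[2:]}"
    elif len(digits) != 14:  # anything but GeneralizedTime is an error
        raise ValueError(f"unrecognised time encoding: {value!r}")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` until NotAfter; negative once the cert has expired."""
    return (parse_x509_time(not_after) - now) // timedelta(days=1)


def authz_decision(not_after: str, now: datetime,
                   window_days: int = RENEWAL_WINDOW_DAYS) -> str:
    """Classify a BYOD client certificate the way the thread's policy wants to.

    - EXPIRED: NotAfter is in the past; EAP-TLS will not accept it, so there
      is nothing to renew silently.
    - REDIRECT_CWA_RENEWAL: inside the window; send the client to a guest
      (CWA) portal that shows the renewal message and re-checks the user's
      credentials before a new certificate is issued, as the accepted
      answer describes.
    - PERMIT: certificate is fine; normal access.
    """
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= window_days:
        return "REDIRECT_CWA_RENEWAL"
    return "PERMIT"


if __name__ == "__main__":
    # Constructed sample: three client certificates with different NotAfter
    # values (UTCTime, GeneralizedTime, already expired) evaluated at SAMPLE_NOW.
    for not_after in ("191115000000Z", "20200301000000Z", "191001000000Z"):
        print(not_after, days_until_expiry(not_after, SAMPLE_NOW),
              authz_decision(not_after, SAMPLE_NOW))
```

The century pivot is the part worth having in code rather than in your head: a NotAfter of `491231235959Z` is 2049, while `500101000000Z` is 1950, and a check that feeds two-digit years straight into a date parser will misjudge certificates issued with long validity periods.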

1 Accepted Solution


howon
Cisco Employee

You will need to use a guest portal instead of the BYOD portal for renewal. This allows ISE to confirm the user's identity instead of assuming that the user should get a certificate because one was already assigned from a previous flow. IOW, we want to confirm the user should get a certificate every time it is renewed. The document doesn't have full instructions, but goes through a few options to deal with expiring certificates:

https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId-1375030637


5 Replies

Jason Kunst
Cisco Employee
BYOD in single-SSID flow doesn't use guest (CWA portal); BYOD uses NSP (native supplicant provisioning portal). Did you try to choose that and the BYOD portal you used for your BYOD flow?

I haven't tried that, but it makes perfect sense. I'll give it a try and see what happens. Thanks very much!

When I switch from CWA to NSP, the option to "Display Certificates Renewal Message" disappears - so it seems that won't work for renewing the BYOD certificates.

Did you try assigning a portal? This is so the user can provide the username and password to associate to the BYOD flow and certificate generation.
