Beginner

Configuring a guest portal solely for BYOD Certificate Renewal

I'm running ISE 2.4 Patch 10, and I'm hitting a roadblock when my BYOD users are trying to renew their (expiring) certificates. I've built an AuthZ profile that is applied when a user's BYOD certificate is within 30 days of expiration.

[Image: CWA Annotation 2019-10-21 145424.png]

I thought that all I needed to do was select Centralized Web Auth, but anytime a user hits the web redirect, they get this "Unable to obtain the user information needed" error message:

[Image: BYOD-error.PNG]

I'm thinking at this point that the CWA is failing (and falling through to NSP) because I never selected a portal in the "Value" field. I found a few guides online, but they all seem to assume that I already have a Guest Portal which requires users to log in. I have a Guest SSID which only requires AUP acceptance to connect, and I have a single-SSID BYOD network. Am I on the right track? Does anyone know of a tutorial for setting up a Guest portal which would only be used for BYOD cert renewal that I may have missed, or is my best bet to open a TAC case and see if they can provide a config?

ACCEPTED SOLUTION
Cisco Employee

Re: Configuring a guest portal solely for BYOD Certificate Renewal

You will need to use a guest portal instead of a BYOD portal for renewal. This allows ISE to confirm the user identity instead of assuming that the user should get a certificate because one was already assigned from a previous flow. IOW, we want to confirm the user should get a certificate every time it is renewed. The document doesn't have full instructions, but goes through a few options to deal with expiring certificates:

https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId-1375030637


5 REPLIES
Cisco Employee

Re: Configuring a guest portal solely for BYOD Certificate Renewal

BYOD in single-SSID flow doesn't use guest (CWA portal); BYOD uses NSP (native supplicant provisioning portal). Did you try to choose that and the BYOD portal you used for your BYOD portal?
Beginner

Re: Configuring a guest portal solely for BYOD Certificate Renewal

I haven't tried that, but it makes perfect sense. I'll give it a try and see what happens. Thanks very much!
Beginner

Re: Configuring a guest portal solely for BYOD Certificate Renewal

When I switch from CWA to NSP, the option to "Display Certificates Renewal Message" disappears, so it seems that won't work for renewing the BYOD certificates.

Cisco Employee

Re: Configuring a guest portal solely for BYOD Certificate Renewal

Did you try assigning a portal? This is so the user can provide the username and password to associate to the BYOD flow and certificate generation.