ISE Guest Portals and Game Consoles and Consumer Devices?

Jason Salmans
Spotlight

Greetings all,

I'm investigating ISE for our on-campus NAC which would include our residence halls wired/wireless.  With our current NAC solution, we're doing MAB with wired and wireless along with a captive portal.  The existing NAC has policy to exclude game consoles from the captive portal and basically just gives them a pass.

After installing the ISE trial, my first goal is to basically re-create what we already have with the other solution while adding ISE improvements where possible.  Today, I created a basic WLAN for our residence network and started testing some devices against the policy.  My Windows device worked fine, my PS4 had an issue with the AUP accept on the portal, and my Nintendo Switch (which is designed to work to a certain extent with captive portals) won't load it at all and just gives a 404.

I'm curious what people's experiences are with using a captive portal with consumer devices?  Would the best-practice method instead be to give them access to a My Devices page where they manually add these types of devices?

Thanks!

Accepted Solutions

howon
Cisco Employee

You can recreate the same policy with ISE as you have with the current NAC system. Assuming you have a Plus license, you can profile the gaming device (and optionally create a logical group for any gaming devices you would like to exempt) and permit them without having to go through the guest flow.

6 Replies

howon
Cisco Employee

You can recreate the same policy with ISE as you have with the current NAC system. Assuming you have a Plus license, you can profile the gaming device (and optionally create a logical group for any gaming devices you would like to exempt) and permit them without having to go through the guest flow.

I'll check out what licensing we were quoted if we proceed with this.  I was actually kind of hoping to get some sort of user ID for these consumer devices, which would mean either a captive portal or a device registration page.

You are correct, the only way to tie the user to the endpoint is either through the My Devices portal or by forcing the user to go through the registration flow.

Charlie Moreton
Cisco Employee

Higher Ed has been the largest segment for adoption of the BYOD Flow with My Devices Portal for just the situation you have described.  I truly believe that is the answer to your dilemma.  It will tie the username to the device and show up as such in the RADIUS Live Log as well as the Reports.

Can the BYOD Flow be utilized without Apex licensing?  My understanding is the BYOD setup was more for doing onboarding with cert provisioning and potentially posture enforcement on a WPA2-Enterprise setup.

BYOD with certificate provisioning is a Plus license feature, not Apex.

Regards,

-Tim