Launch of my devices portal with MAC attributes

jpujol
Cisco Employee

Hi,

I would like to implement a workflow with an authorisation profile redirecting to a particular "my device" portal, with the ability to pre-populate the deviceId in the registration window.

Do we have an available attribute in the my device portal we could use when specifying the redirection link, in addition to the portal ID ?

Something like :

[Screenshot (13 June 2018): the authorisation profile's redirection URL, with a static endpointID value appended after the portal ID]

Above, the endpointID value is static, but the final URL would be using the actual deviceID as the MAC attribute.

Any way to do it ?

Thanks !

jean-francois


7 Replies

Jason Kunst
Cisco Employee

The only way for ISE natively to glean the MAC address is through the BYOD flow and nsp, why can’t you use that? What are you trying to accomplish?

I'm trying to register devices authenticated through WPA / LDAP in a simple way, and limit the number of devices per user.

Once authenticated, I guess it's possible to pass the deviceID within an authorisation profile, and to redirect to "my device" portal for device registration.

In case the user needs to register the first device (through the wireless network), it would be easier to present the device MAC address directly on the form. The device is then put into a group, avoiding further redirection later on.

Since there is a need to limit the number of devices per user, there is also the need to provide a solution to manage and remove stale entries ...

The BYOD registration process is too complex for a simple MAC registration.

Thx,

jean-francois

Have you thought about using just a hot spot portal that maps to your desired endpoint identity group?

Assuming your users are connecting to an 802.1X SSID with credentials, your authorization rules would look like this:

If MAC address is in the RegisteredDevices endpoint identity group, then allow access.

Else allow access but send to the Hotspot portal. The Hotspot portal could simply say "Click continue below to register your device and gain access to the network".

I haven't tested this out, but I don't see why it wouldn't work.
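The two-rule policy sketched in the reply above, as an added example that is not part of the original thread and not Cisco ISE code or any ISE API: it simulates how the authorization decision changes once an endpoint is placed in the RegisteredDevices endpoint identity group, and adds the per-user device cap and the self-service removal the original poster asked about. The group name RegisteredDevices, the result name PermitAccess, the portal name DeviceRegistrationHotspot, the limit of three devices and the idea of taking the device owner from the 802.1X session username are all assumptions of this model (an ISE hotspot portal by itself records no owner, which is the gap the later replies point to).

```python
"""Model of a two-rule ISE-style authorization policy for MAC registration.

Added example: a simulation, not Cisco ISE code and not an ISE API.
Assumed names: RegisteredDevices (endpoint identity group), PermitAccess
(authorization result), DeviceRegistrationHotspot (portal). The owner of a
device is taken from the 802.1X session username, which is an assumption of
this model, not ISE hotspot behaviour.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_DEVICES_PER_USER = 3  # assumed limit; pick whatever your policy needs

# ISE stores endpoint MACs as upper-case, colon-separated octets; clients and
# logs present them in several notations, so normalize before matching.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?[0-9A-Fa-f]{2}){5}$")


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff."""
    s = raw.strip().replace(".", "")
    if not _MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {raw!r}")
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Endpoint:
    mac: str
    owner: str
    group: str = "RegisteredDevices"


@dataclass
class Deployment:
    """Constructed stand-in for the endpoint database behind the policy."""
    endpoints: Dict[str, Endpoint] = field(default_factory=dict)  # mac -> Endpoint

    def authorize(self, mac: str) -> Tuple[str, Optional[str]]:
        """Rule 1: MAC in RegisteredDevices -> PermitAccess, no redirect.
        Rule 2: anything else -> PermitAccess with a redirect to the hotspot portal.
        The MAC comes from the RADIUS session (Calling-Station-Id), not from the user."""
        mac = normalize_mac(mac)
        ep = self.endpoints.get(mac)
        if ep is not None and ep.group == "RegisteredDevices":
            return ("PermitAccess", None)
        return ("PermitAccess", "DeviceRegistrationHotspot")

    def register(self, mac: str, user: str) -> None:
        """What clicking 'Continue' on the portal does in this model, plus the
        per-user cap. Re-registering an already registered device is a no-op."""
        mac = normalize_mac(mac)
        if mac in self.endpoints:
            return
        owned = self.devices_of(user)
        if len(owned) >= MAX_DEVICES_PER_USER:
            raise PermissionError(
                f"{user} already has {len(owned)} devices; remove a stale one first")
        self.endpoints[mac] = Endpoint(mac, user)

    def devices_of(self, user: str) -> List[str]:
        """The 'my devices' view the hotspot flow does not give the user."""
        return sorted(e.mac for e in self.endpoints.values() if e.owner == user)

    def remove(self, mac: str, user: str) -> None:
        """Self-service removal of a stale entry; only the owner may remove it,
        otherwise one user could free up (or deny) another user's slots."""
        mac = normalize_mac(mac)
        ep = self.endpoints.get(mac)
        if ep is None or ep.owner != user:
            raise PermissionError(f"{user} does not own {mac}")
        del self.endpoints[mac]


if __name__ == "__main__":
    d = Deployment()
    print(d.authorize("aa:bb:cc:dd:ee:01"))   # unregistered: redirect to portal
    d.register("AA-BB-CC-DD-EE-01", "jdoe")
    print(d.authorize("aabb.ccdd.ee01"))      # same MAC, other notation: now permitted
    print(d.devices_of("jdoe"))
```

The order of the two rules matters: the endpoint-group match must sit above the catch-all redirect rule, otherwise a registered device keeps being sent to the portal. The `remove` ownership check is the piece the hotspot approach has no equivalent for, which is the limitation the original poster reports after testing it.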

As Paul stated, if looking simply to register a MAC address, then HotSpot can accomplish that. CWA flow can tie registration to a user only after initial user authentication. This will also allow tracking of user. Based on overall ask, I think BYOD flow is best. Note that BYOD flow can be used to simply associate user to a device, assign the device to an Identity Group and flag it as registered. It is not required to perform any supplicant provisioning in BYOD flow, just login via web portal first time. It can also be used to enforce the number of devices registered to a specific user.

https://supportforums.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290

Hi Jason,

Thanks, I'll have a try

jpujol
Cisco Employee

Hi Paul,

I made the test and it allows the device registration, however the user doesn't have visibility on the registered devices, and there isn't a way to remove a device if the number is limited per user.
