blandrum
Cisco Employee

Auto-registration & My Devices management of user devices through BYOD mechanisms

I'm trying to work through a workflow where a user logs into ISE via GuestPortal on a capable machine (something with a web browser), logs in with their AD credentials, and self-registers their device (just MAB, no dot1x).  This part of the workflow is easy and complete.  The second part of the workflow would have them connecting directly to a link from that same workstation and registering multiple devices that don't have a web browser (printers, game consoles, lab devices, etc.) and I can't seem to find any documentation on how to expose the "MyDevices" portal.

If someone could simply point me to some documentation on directly exposing MyDevices, I would greatly appreciate it.

14 Replies
Jason Kunst
Cisco Employee

Guest flow device registration is not the same as BYOD/ my devices


Guest flow uses the GuestEndpoints group under the guest type.

BYOD uses the RegisteredDevices group for the associated flow.

The recommendation for employees would be to go through the BYOD flow without guest registration, to disable native supplicant and certificate provisioning, and to use the My Devices portal for those dumb devices.

https://supportforums.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290

1. Connect to GUEST SSID

2. login as non-guest

3. non-guest forced through BYOD flow

4. endpoint registered into registereddevices

The My Devices portal is accessed via the portal test URL under the portal page settings. The recommendation would be to use the easy URL FQDN option.

For more information on the easy URL FQDN see:

Cisco Identity Services Engine Administrator Guide, Release 2.3 - Guest Access User Interface Reference [Cisco Identit…

(Accepted solution)

You should be able to do AD User Guest sign in for the initial session from the device that has a web browser.  Once they sign in you can map them to an AD User Guest Type which maps them to an endpoint identity group that grants whatever access you want.  Then in the success section of the guest portal, you can direct to a URL.  That URL could be the MyDevices portal you want to have them register non-browser based devices.  The page could say something like:

"You now have access.  If you want to register other devices please login with your AD credentials and add the MAC addresses of your other devices."

blandrum
Cisco Employee

But what URL can I point them to AFTER the initial BYOD workflow? Think of a student in a dorm who buys a new xbox a month after initial registration of their web enabled device, and they need to enter the MAC of the Xbox into the mydevices portal.


The same portal you redirect them to after the initial flow. Just create a new My Devices portal and make an FQDN in the portal like mydevices.mycollege.edu. That shortcut will work any time they want to go to it. The number of devices each user can register is limited, though. It is a global setting that defaults to 5.

I don’t agree with this. I would recommend the BYOD flow like I stated, so that auto-registration and manual registration are in the same endpoint group.

What is wrong with what I stated?

Also, I already gave the information about the My Devices easy URL FQDN.

Both ways will work and both will use the same endpoint identity group.

1) Build a new endpoint identity group called Student_Devices.

2) Build a MyDevice portal that maps to Student_Devices and has an FQDN of mydevices.mycollege.edu.

3) Build an Identity Source Sequence called “Active_Directory” that has only AD in the sequence.

4) Build a Guest Type called Student that maps to Student_Devices.

5) Build a Guest portal that has the employees using this portal set to use the Student guest type, Active_Directory as the source sequence, and the success page set to https://mydevices.mycollege.edu.

All clean using standard guest mechanics with no worries about disabling client provisioning or invoking other flows.

Both work like I said though.
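The five-step build-out above (endpoint identity group, My Devices portal with an FQDN, AD-only identity source sequence, guest type, guest portal) is done in the ISE admin GUI. As an added example, not code from this thread or from Cisco, the script below performs the registration the My Devices portal does for a browser-less device, but through the ISE ERS REST API: it normalises the MAC the user typed, looks up the Student_Devices group, enforces the per-user device cap (the thread notes the global default is 5), and creates a statically group-assigned endpoint owned by that portal user. Assumptions: ERS is enabled on the PAN on its default port 9060 with an account holding the ERS Admin role; the ERSEndPoint field names, the name.EQ/portalUser.EQ search filters and the SearchResult shape follow the ERS endpoint resource and should be checked against your ISE version; demo_transport and the MAC addresses in it are constructed so the script runs offline.

```python
"""Register a browser-less device for a portal user via ISE ERS.
Added example, not from the thread or from Cisco. ERS port, field names,
filters and the per-user cap of 5 are assumptions noted in the lead-in."""
import base64
import json
import re
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

DEVICE_LIMIT = 5   # My Devices per-user device limit (thread: global default is 5)
ERS_PORT = 9060    # assumption: ERS on its default port
_MAC_HEX = re.compile(r"^[0-9A-F]{12}$")

# A transport is (method, path, json_body_or_None) -> parsed JSON response.
Transport = Callable[[str, str, Optional[Dict]], Dict]


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff
    and return the upper-case colon form ISE stores; reject anything else."""
    digits = re.sub(r"[:\-.\s]", "", raw).upper()
    if not _MAC_HEX.match(digits):
        raise ValueError(f"invalid MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def can_register(existing_macs: List[str], new_mac: str, limit: int = DEVICE_LIMIT) -> bool:
    """Apply the per-user cap before touching ISE. Re-registering a MAC the user
    already owns is not a new device, so it is allowed even at the cap."""
    owned = {normalize_mac(m) for m in existing_macs}
    return new_mac in owned or len(owned) < limit


def endpoint_payload(mac: str, group_id: str, portal_user: str, description: str = "") -> Dict:
    """Static assignment into the group (what a My Devices registration does) plus
    the owning portal user, so the device is listed under that user later."""
    return {"ERSEndPoint": {
        "name": mac, "mac": mac, "description": description,
        "groupId": group_id, "staticGroupAssignment": True,
        "staticProfileAssignment": False, "portalUser": portal_user}}


def urllib_transport(host: str, user: str, password: str, verify_tls: bool = True) -> Transport:
    """Real ERS transport: HTTPS with basic auth, stdlib only."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab PAN still running its self-signed admin cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method: str, path: str, body: Optional[Dict]) -> Dict:
        req = urllib.request.Request(
            f"https://{host}:{ERS_PORT}{path}", method=method,
            data=json.dumps(body).encode() if body is not None else None,
            headers={"Authorization": f"Basic {token}", "Accept": "application/json",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {"status": resp.status}
    return send


def demo_transport(existing_macs: List[str]) -> Transport:
    """Constructed stand-in for ERS so the flow runs offline; not real ISE responses."""
    def send(method: str, path: str, body: Optional[Dict]) -> Dict:
        if path.startswith("/ers/config/endpointgroup"):
            return {"SearchResult": {"resources": [{"id": "demo-group-id", "name": "Student_Devices"}]}}
        if method == "GET":
            return {"SearchResult": {"resources": [{"name": m} for m in existing_macs]}}
        return {"status": 201}
    return send


def register_device(send: Transport, portal_user: str, raw_mac: str,
                    group_name: str = "Student_Devices") -> Dict:
    """Look up the group, count the user's devices, enforce the cap, create the
    endpoint. Returns the payload that was POSTed."""
    mac = normalize_mac(raw_mac)
    q = urllib.parse.quote
    groups = send("GET", f"/ers/config/endpointgroup?filter=name.EQ.{q(group_name)}", None)
    found = groups["SearchResult"]["resources"]
    if not found:
        raise LookupError(f"endpoint identity group {group_name!r} not found")
    mine = send("GET", f"/ers/config/endpoint?filter=portalUser.EQ.{q(portal_user)}", None)
    existing = [r["name"] for r in mine["SearchResult"]["resources"]]  # an endpoint's name is its MAC
    if not can_register(existing, mac):
        raise PermissionError(f"{portal_user} already has {DEVICE_LIMIT} registered devices")
    payload = endpoint_payload(mac, found[0]["id"], portal_user, f"registered by script for {portal_user}")
    send("POST", "/ers/config/endpoint", payload)
    return payload


if __name__ == "__main__":
    # Offline demo with constructed data: a student with four devices registers a console.
    student = demo_transport(["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
                              "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:04"])
    print(json.dumps(register_device(student, "jdoe", "7c-ed-8d-12-34-56"), indent=2))
```

Run it as-is for the offline demo, or replace demo_transport(...) with urllib_transport("ise-pan.mycollege.edu", user, password) against a real PAN. An ERS POST does not pass through the portal, so do not count on the portal's per-user limit or AUP being applied to it; that is why the cap is checked here before the POST. The endpoint purge settings on the portal still decide how long the device keeps access, exactly as for a device registered through the portal itself.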

OK, I see what you’re doing. Don’t forget to set the portal settings for employees to use that specific student group.

Are you sure the guest-registered endpoints will show under the My Devices portal, since it’s not the same attributes being used for BYOD?

Also, not sure if sending them to the success page of the My Devices portal is the correct thing to do, but it all depends on what they want.

Instead, I would recommend the success page give some information like: your device has been registered and will be granted access for X days/months (nothing dynamic about this; it depends on the endpoint purge settings set under the portal). If you have more devices to register and they have a browser, do XYZ; if they don’t, grab their MAC address and use the My Devices portal.

Yeah that is the only thing I am not sure about, if the guest registered endpoints (that go into Student_Devices) would show up in the My Devices portal. It is in the same endpoint identity group associated to the same user ID, but haven’t tested that out. I agree on the success page. I would probably link it to a web page that has more information and a link to MyDevices as you described.

We are using the same flow for our employees (open SSID, AD authentication on CWA, BYOD auto-register for MAB only). But this flow is not working with Apple's Captive Portal Assistant (Apple mini browser) enabled. We get to the following page after authenticating on CWA and accepting the AUP:

[image.png: screenshot of the page shown after CWA authentication and AUP acceptance]

But "Done" is never displayed, and if you click the link, you are redirected to the start page of CWA.

Any ideas?

Yes, there are issues with the Apple Captive Network Assistant, and Apple has an open bug yet to be resolved in iOS 12, from what the experts have told me.

There are some threads already about that.

Current recommendation is to enable captive portal bypass on the WLAN for your open guest SSID used for dual SSID.

Or choose different flows.

For more information:
https://community.cisco.com/t5/identity-services-engine-ise/bd-p/5301j-disc-ise
Go to Deploy > BYOD for more information and read the deployment guide.

(Accepted solution)

Thanks for the reply, Jason.

Enabling the captive portal bypass leads to another problem: if you open an HTTPS website (in most cases) in Safari, you will get a certificate error, and this is definitely not user friendly.

Unfortunately, you can’t have it both ways with Apple's bug.

Also, HTTPS redirects are not recommended, but I can understand that low traffic might be OK:

https://community.cisco.com/t5/identity-services-engine-ise/ise-guest-cwa-and-https-redirection/td-p/3583892

I would recommend moving BYOD onboarding to another WLAN or disabling HTTPS redirect.

Use per-WLAN bypass for the BYOD WLAN.

Please read the guide.

Is there a Cisco or Apple Bug ID so I can track it?
