03-29-2018 04:50 AM
I'm trying to work through a workflow where a user logs into ISE via GuestPortal on a capable machine (something with a web browser), logs in with their AD credentials, and self-registers their device (just MAB, no dot1x). This part of the workflow is easy and complete. The second part of the workflow would have them connecting directly to a link from that same workstation and registering multiple devices that don't have a web browser (printers, game consoles, lab devices, etc.) and I can't seem to find any documentation on how to expose the "MyDevices" portal.
If someone could simply point me to some documentation on directly exposing MyDevices, I would greatly appreciate it.
03-29-2018 08:11 AM
Guest flow device registration is not the same as BYOD/My Devices.
Guest flow uses the guestendpoints group under the guest type.
BYOD is the registereddevice group for the associated flow.
The recommendation for employees would be to go through the BYOD flow without guest registration, to disable native supplicant and certificate provisioning, and to use the My Devices portal for those dumb devices.
1. Connect to GUEST SSID
2. login as non-guest
3. non-guest forced through BYOD flow
4. endpoint registered into registereddevices
The My Devices portal is accessed under the portal test URL under the portal page settings. The recommendation would be to use the easy URL FQDN option.
For more information on the easy URL FQDN see:
03-29-2018 06:59 PM
You should be able to do AD User Guest sign in for the initial session from the device that has a web browser. Once they sign in you can map them to an AD User Guest Type which maps them to an endpoint identity group that grants whatever access you want. Then in the success section of the guest portal, you can direct to a URL. That URL could be the MyDevices portal you want to have them register non-browser based devices. The page could say something like:
"You now have access. If you want to register other devices please login with your AD credentials and add the MAC addresses of your other devices."
03-29-2018 07:19 PM
But what URL can I point them to AFTER the initial BYOD workflow? Think of a student in a dorm who buys a new xbox a month after initial registration of their web enabled device, and they need to enter the MAC of the Xbox into the mydevices portal.
03-29-2018 07:28 PM
The same portal you redirect them to after the initial flow. Just create a new MyDevices portal and make an FQDN in the portal like mydevices.mycollege.edu. That shortcut will work anytime they want to go to it. You limit the number of devices each user can register, though. It is a global setting that is defaulted to 5.
03-29-2018 08:34 PM
I don’t agree with this. I would recommend the BYOD flow like I stated so that auto registration and manual registration are in the same endpoint group.
What is wrong with what I stated?
Also I gave the information already about the my devices easy url FQDN
03-30-2018 05:33 AM
Both ways will work and both will use the same endpoint identity group.
1) Build a new endpoint identity group called Student_Devices.
2) Build a MyDevice portal that maps to Student_Devices and has an FQDN of mydevices.mycollege.edu.
3) Build an Identity Source Sequence called “Active_Directory” that has only AD in the sequence.
4) Build a Guest Type called Student that maps to Student_Devices.
5) Build a Guest portal that has the employees using this portal set to use the Student guest type, Active_Directory as source sequence and sets the success page to https://mydevices.mycollege.edu.
All clean using standard guest mechanics with no worries about disabling client provisioning or invoking other flows.
Both work like I said though.
03-30-2018 05:46 AM
Ok I see what you’re doing. Don’t forget to set the portal settings for employees to use that specific student group
Are you sure the guest registered endpoints will show under my devices portal? Since it’s not the same attributes being used for BYOD?
Also not sure if sending them to a success page of the My Devices portal is the correct thing to do, but it all depends on what they want.
Instead would recommend success page give some information like your device has been registered and will be granted access for X amount of days months (nothing dynamic about this, depends on the endpoint purge settings set under portal). If you have more devices to register and they have a browser do XYZ and if they don’t then grab their MAC address and use the my devices portal
03-30-2018 05:57 AM
Yeah that is the only thing I am not sure about, if the guest registered endpoints (that go into Student_Devices) would show up in the My Devices portal. It is in the same endpoint identity group associated to the same user ID, but haven’t tested that out. I agree on the success page. I would probably link it to a web page that has more information and a link to MyDevices as you described.
09-26-2018 11:34 PM
We are using the same flow for our employees (Open SSID, AD-Authentication on CWA, BYOD Auto-Register for MAB only). But this flow is not working with Apple's Captive Portal Assistant (Apple Mini Browser) enabled. We get to the following page after authenticating on CWA and accepting the AUP:
But "Done" is never displayed and if you click the link, you will be redirected to the start page of CWA.
Any ideas?
09-27-2018 03:52 AM
09-27-2018 04:05 AM
Thanks for the reply, jason.
Enabling the captive portal bypass leads to another problem: if you open an HTTPS website (in most cases) in Safari, you will get a certificate error, and this is definitely not user friendly.
09-27-2018 04:15 AM
09-27-2018 06:21 AM
Is there a Cisco or Apple Bug ID so I can track it?
09-27-2018 09:40 AM