493 Views, 0 Helpful, 0 Replies
BYOD Authentication on ISE

Jim Blake
Level 1

I have a slightly left-field requirement that I'm not sure how to achieve: I have a standard Wireless setup with Cisco APs and 5508 controllers, with all the usual constraints for the "corporate" WLAN, and a standard "Guest" setup, with identity management handled by ISE 1.3. However, I've been asked to come up with a "loose" BYOD configuration.

What is required is that BYOD devices (that will be restricted to Internet Access only) can self-provision. It's their authentication that I'm not sure of: I've been asked to make it so the first time a user's device connects to the wireless, (s)he gets redirected to an auto-provisioning page, and during provisioning, the user-device's MAC address is harvested and stored, so that on subsequent connections to the network, the user device connects using MAB with no user intervention.

That concerns me, as it appears from the description that anyone could self-provision, so running the risk of rogue devices using the Internet illicitly.

I wondered about the possibility of a user with access to the corporate WLAN being able to access a page that would allow them to configure their MAC address, but that is not without its problems, since they would have to manually obtain and input their MAC address, and I don't want to trust users either to be able to input their MAC accurately or not to authenticate a "friend's" device as well as their own.

Another option (without the user having to re-authenticate manually every time they associate) is to manually harvest all the MAC addresses and configure them into an identity store (the ISE itself, in this case), but the user wants to avoid the effort and hassle of manual collection and configuration and the associated opportunity for error.

I've read

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_ISE.html

which seems to suggest that what I want to achieve may need 2 SSIDs, one for provisioning (using AD credentials for security) which allows for automatic MAC address harvesting, and a second "working" SSID for use once provisioned, but I'm not sure if I've understood the description correctly.

We are talking in the mid hundreds in terms of BYOD devices.


Is there a proper way of doing what I'm trying to do? It's simple enough to make "tight" or "loose" security, but this "intermediate" level has me scratching my head!


Thanks for any advice


Jim
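Added example, not from the post or from Cisco: a small Python model of the two provisioning rules the post weighs against each other, open self-provisioning (any device that reaches the portal is harvested) versus provisioning behind AD credentials with a per-device-owner cap, followed by the MAB lookup that every later association would hit. Profile names, the user data and the cap are constructed assumptions; real ISE policy is built in the ISE GUI, this only shows why the loose variant admits a rogue device and the authenticated one does not.

```python
"""Model of the flow in the post: first association -> redirect to a
provisioning portal -> MAC stored in an endpoint store -> later
associations admitted by MAB. Constructed data, not ISE's own API."""
from dataclasses import dataclass, field

INTERNET_ONLY = "BYOD_INTERNET_ONLY"   # assumed authorization profile name
REDIRECT = "REDIRECT_TO_PROVISIONING"  # assumed redirect profile name
REJECT = "ACCESS_REJECT"

# Constructed AD stand-in: user -> password (plaintext only for the demo)
AD_USERS = {"jblake": "correct-horse"}


@dataclass
class EndpointStore:
    """The identity store of harvested MACs (ISE's internal endpoints)."""
    endpoints: dict = field(default_factory=dict)  # MAC -> owning user
    max_devices_per_user: int = 3

    def mab(self, mac: str) -> str:
        """MAB on every association: a known MAC gets Internet only,
        an unknown one is sent to the provisioning portal."""
        return INTERNET_ONLY if mac.lower() in self.endpoints else REDIRECT

    def register_open(self, mac: str) -> str:
        """Loose portal: whoever lands on the page is harvested, so a rogue
        device is admitted by MAB from its second association onwards."""
        self.endpoints[mac.lower()] = "anonymous"
        return INTERNET_ONLY

    def register_authenticated(self, mac: str, user: str, pw: str, ad: dict) -> str:
        """Portal behind AD credentials plus a per-user device cap: a
        stranger cannot self-provision, and a user cannot quietly add a
        friend's device once their own allowance is used up."""
        if ad.get(user) != pw:
            return REJECT
        owned = [m for m, u in self.endpoints.items() if u == user]
        if len(owned) >= self.max_devices_per_user and mac.lower() not in owned:
            return REJECT
        self.endpoints[mac.lower()] = user
        return INTERNET_ONLY


def owner_of(store: EndpointStore, mac: str):
    """Audit helper: which AD account a harvested MAC was registered by."""
    return store.endpoints.get(mac.lower())


def demo() -> tuple:
    """Same rogue device against both portal rules; returns the MAB result
    for its next association under (loose, authenticated)."""
    loose, strict = EndpointStore(), EndpointStore(max_devices_per_user=1)
    rogue = "AA:BB:CC:00:00:01"
    loose.register_open(rogue)
    strict.register_authenticated(rogue, "nobody", "guess", AD_USERS)
    return loose.mab(rogue), strict.mab(rogue)
```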
