BYOD for Employee using REST / Entra External Identity Source

GRANT3779
Spotlight

I have a 3.4 ISE deployment on the latest patch. It is "connected" to Entra via REST as an external identity store. I have pulled down a group from Entra (call it BYOD-EMPLOYEE) and I'd like to achieve the following -

Have a BYOD style portal or similar for "employees" that allows them to log in to the portal using Entra credentials and have ISE check if they are a member of the group "BYOD-EMPLOYEE" which I have pulled down and then provide Internet only. Is this achievable using a portal and the REST Entra Identity source I have set up?

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee

It sounds like this exact use case:
ISE BYOD Flow Using Entra ID 


3 Replies

Thanks @Greg Gibbs. Seem to have this all set up now. When I click test portal within ISE I get the redirect where I can enter my Entra credentials and it authenticates. I then get the following splash page from ISE, however.

The URL when this page is returned is
https://PSN IP Address:8443/portal/SSOLoginResponse.action

[Screenshot: GRANT3779_0-1761236685834.png]

I haven't yet tested the SSID itself to see what the results are.

Should Entra be returning any sort of page after authentication? Are redirect URIs required in this setup?

I would not expect this to work from the portal test page, and I did not need to add any redirect URIs.

You would need to test it from an actual wireless endpoint.