Can users without local admin rights use ISE for BYOD EAP-TLS wireless?

webabc123 · ‎08-01-2020

We are looking for a solution that would integrate with existing EAP-TLS wifi and Cisco 9800 that would allow users with pre-approved BYOD Windows and Mac laptops to connect with only minimal IT assistance.

Most of these “BYOD” laptops are only BYOD to us since we don’t have access to manage them. The users don’t own them. They are company assigned laptops from another company (contractors) and the end users do not have admin privileges on them.

I see that the Network Setup Assistant in ISE requires the user to have administrator rights to run. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve09982/?rfs=iqvred

Can BYOD onboarding using user certificates be completed without relying on the Network Setup Assistant on Windows devices or has that “bug” in the link I posted above been fixed or have a workaround? Installing a user certificate can be done by a standard user if the certificate is presented to the user as a link to download through the browser.

webabc123 · ‎08-01-2020

I just noticed the link says there is a workaround for the Network Setup Assistant. I didn’t see the text of the workaround until I looked at the link after signing into this discussion area.

It says:
Workaround:
We can run the below command to by-pass the admin account.

cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && START NetworkSetupAssistant.exe

However, how would that be automated to happen automatically during the onboarding experience? The user is not going to know how to do that.

Is that command still needed and does it work on newer versions of the Network Setup Assistant?