11-06-2019 05:30 AM
Hi,
Is there any way to manually change the "BYODRegistration" flag for an endpoint in ISE? Some of the BYOD endpoints lost their registration status from "Yes" to "Unknown". Why might this happen? Does increasing the number of "Employee Registered Devices" counter reset this flag?
Regards.
11-08-2019 08:26 AM - edited 11-08-2019 08:27 AM
No, this attribute cannot be changed via ERS API or ISE admin web UI. I would suggest ignoring this attribute, which is not accurate in many cases IMHO.
Updating "Employee Registered Devices" should not have reset this flag. If it does, then it is a bug.
11-11-2019 03:23 AM
Hi hslai,
We actually noticed that this flag changes when the device is re-profiled. Deleting the endpoint's MAC from the RegisteredEndpoints group even.
We are thinking of removing the "BYODRegistration" flag check from the authorization rules and checking (among others) that the certificate presented by the user has been issued by our CA dedicated to BYOD. However, then if a user deletes a device from the "My Device Portal", that device will continue being able to connect to the network and thus, there won't be a real limitation on the number of devices per user. The only way to block a device would be setting it as stolen or lost, but this is not user-friendly.
How can we tackle this?
Regards.