Cisco ISE and BYOD-portal

trondaker
Level 1

Not sure if this is the right section to post this in, but here we go. We are looking into using the BYOD portal of ISE, and what we specifically need is for the employees to connect to some "register-byod" SSID first. Here they go to the portal, where they enter their email and get a one-time password from ISE. They then use that password to register their device, and onboard the cert from ISE. They are switched over to an 802.1X SSID where they present their cert and are put into some BYOD zone.

So 90% of that solution is straightforward, but I haven't seen any way to do the one-time password based on whether the employee puts in a valid email address (based on domain). Is this possible? It's to avoid using AD accounts in any part of the chain.

5 Replies

balaji.bandi
Hall of Fame

BYOD with same SSID or different SSID for Corporate and Guest ?

BB

It can be either, as long as the employees can get an OTP from ISE before registering their device.

Arne Bier
VIP

@trondaker - it's not straightforward to implement such a thing in ISE. I just wonder where the benefit lies in sending an email with an OTP, versus getting the user to enter their AD credentials? Email receipt is no more secure than providing AD creds. And you could lock the max devices down to 1 per user to stop any abuse of the BYOD system. Can you please explain why avoiding AD is so important in this process?

 

Did you intend to have another middleware software in-between to do any kind of counting/control of user device enrolments? 

Perhaps it's worth looking at AD enrolment using a more narrow AD group instead of "\Domain Users" or whatever you may have planned to use.

The point is to try and eliminate any AD credential use on devices that are not properly enrolled/company owned/secured.

Seems that you would need a list of such devices to ensure this behavior. Take that list and filter the MAC addresses. Add the MAC addresses to an Endpoint Identity Group (BYOD uses the Registered Devices group) and allow only the MAC addresses in that group. You can disallow new devices being added in the Authentication Rule (Options > If user not found > Reject).
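Building the approved-device list described in the last reply, as an added example that is not from this thread or from Cisco: it normalizes MACs from a constructed inventory export into the form ISE stores, drops malformed rows, builds the request body for adding each MAC to an Endpoint Identity Group, and models the "if not found, reject" rule. The ERS field names are my assumption of the ERS endpoint schema (check them against your ISE release), and the group UUID is a placeholder.

```python
import csv
import io
import re

# Constructed sample inventory of enrolled/company-owned devices, with the
# mixed MAC formats typical of real asset exports (not data from the thread).
INVENTORY_CSV = """owner,device,mac
alice,laptop,00-1A-2B-3C-4D-5E
bob,phone,001a.2b3c.4d5f
carol,tablet,00:1A:2B:3C:4D:60
dave,bad-row,not-a-mac
"""

HEX12 = re.compile(r"^[0-9A-F]{12}$")

def normalize_mac(raw):
    """Return the MAC as ISE stores it (AA:BB:CC:DD:EE:FF), or None if malformed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_approved_macs(csv_text):
    """Filtering step: parse the inventory and keep only well-formed MACs."""
    approved = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(row["mac"])
        if mac:
            approved.add(mac)
    return approved

def endpoint_payload(mac, group_id):
    """Body for creating a statically assigned endpoint-group member via ERS.
    Field names assumed from the ERSEndPoint schema; group_id is the Endpoint
    Identity Group UUID (placeholder value in this example)."""
    return {"ERSEndPoint": {"name": mac, "mac": mac,
                            "staticGroupAssignment": True, "groupId": group_id}}

def authz_decision(raw_mac, approved):
    """Mirror 'If user not found > Reject': unknown or malformed MACs are rejected."""
    mac = normalize_mac(raw_mac)
    if mac is None or mac not in approved:
        return "REJECT"
    return "PERMIT"

if __name__ == "__main__":
    approved = load_approved_macs(INVENTORY_CSV)
    print(sorted(approved))
    print(authz_decision("00:1a:2b:3c:4d:5e", approved))  # PERMIT
    print(authz_decision("00:1a:2b:3c:4d:99", approved))  # REJECT
```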