cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
920
Views
0
Helpful
5
Replies

Configuring a guest portal solely for BYOD Certificate Renewal

adesalvatore
Level 1
Level 1

I'm running ISE 2.4 Patch 10, and I'm hitting a roadblock when my BYOD users are trying to renew their (expiring) certificates. I've built an AuthZ profile that is applied when a user's BYOD certificate is within 30 days of expiration.

 

CWA Annotation 2019-10-21 145424.png

 

I thought that all I needed to do was select Centralized Web Auth, but anytime a user hits the web redirect, they get this "Unable to obtain the user information needed" error message:

 

BYOD-error.PNG

 

I'm thinking at this point that the CWA is failing (and falling through to NSP) because I never selected a portal in the "Value" field. I found a few guides online, but they all seem to assume that I already have a Guest Portal which requires users to login. I have a Guest SSID which only requires AUP acceptance to connect, and I have a single-SSID BYOD network. Am I on the right track? Does anyone know of a tutorial for setting up a Guest portal which would only be used for BYOD cert renewal that I may have missed or is my best bet to open a TAC case and see if they can provide a config?

1 Accepted Solution

Accepted Solutions

howon
Cisco Employee
Cisco Employee

You will need to use guest portal instead of BYOD portal for renewal. This allows ISE to confirm the user identity instead of assuming that the user should get a certificate because one was already assigned from previous flow. IOW, we want to confirm the user should get a certificate every time it is renewed. The document doesn't have full instructions, but goes through few options to deal with expiring certificates:

https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId-1375030637

 

View solution in original post

5 Replies 5

Jason Kunst
Cisco Employee
Cisco Employee
BYOD in single SSID flow doesn’t use guest (CWA portal), BYOD using NSP (native supplicant provisioning portal) did you try to choose that and the BYOD portal you used for your BYOD portal?

I haven't tried that, but it makes perfect sense. I'll give it a try and see what happens. Thanks very much!

When I switch from CWA to NSP, the option to "Display Certificates Renewal Message" disappears - so it seems that won't work for renewing the BYOD certificates.

Did you try assigning a portal? This is so the user can provide the username and password to associate to byod flow and certificate generation

howon
Cisco Employee
Cisco Employee

You will need to use guest portal instead of BYOD portal for renewal. This allows ISE to confirm the user identity instead of assuming that the user should get a certificate because one was already assigned from previous flow. IOW, we want to confirm the user should get a certificate every time it is renewed. The document doesn't have full instructions, but goes through few options to deal with expiring certificates:

https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId-1375030637