Solved: Re: Guest broken after BYOD

tisnow · ‎01-11-2017

After testing some BYOD options, I was toying around with the guest services deployments.

I've removed all profiles/certs from the endpoint, removed the client from the BYOD Registered device, however, when the client tries to log in after being sponsor approved, this message is displayed

"Endpoint is already registered to another user"

I've disabled the "automatically register devices" and that stops the automatic error message, but now clients are not put into the "GuestEndpoints" group. So they are forced to click "enable registration" to get them into that GuestEndpoints group which I use to denote that a client has registered.

Once they click "register device" they see the error ""Endpoint is already registered to another user"

So i'm stuck either way.

Ipad, Iphone and Android tested on ISE 2.1 patch 1

Jason Kunst · ‎01-11-2017

Its a guest device so it wouldn't be known when first coming in and certainly wouldn't be going through byod

Did you delete the endpoint from ise?

View solution in original post

Jason Kunst · ‎01-11-2017

Its a guest device so it wouldn't be known when first coming in and certainly wouldn't be going through byod

Did you delete the endpoint from ise?

tisnow · ‎01-11-2017

"After testing some BYOD options, I was toying around with the guest services deployments."

The client was used for BYOD testing, then we wanted to test some guest options.

I removed it as a registered device group, but when the guest system is set to "automatically register devices" it throws the error about the system. I can indeed add the system MAC manually as a GuestEndpoint and then my guest flow works but my question is if i've hit a bug or why a pre-registered BYOD system, once removed from the Registered Devices is not able to be a guest.

Do we expect that we may never see a previously registered (then removed) BYOD device become a guest?

Jason Kunst · ‎01-11-2017

I understand what you were doing, my only point is that it's still in the endpoint database even though you removed it from the byod group, Did you delete the endpoint completely from ise?

I agree It could happen that a byod device later goes through guest but think the use case is rare

tisnow · ‎01-11-2017

Can you advise how to remove it "completely" from ise?

I made the assumption removing it from the RegisteredEndpoints would allow it to be registered.

What happens if I have a registered device, that employee leaves and it was provided to someone else to use as a Corporate Device that is registered?

Jason Kunst · ‎01-11-2017

In ISE 2.2 and perhaps 2.1 Context Visibility > Endpoints

Other releases

Administration > Identities > Endpoints

For your use case perhaps they have to handle how to transfer assets as it wouldn’t be registered to the correct person any longer

tisnow · ‎01-11-2017

"Administration > Identities > Endpoints"

This purges the system from the Database whereas removing from the RegisteredDevices does not?

Is there any other options I need to look at as I'll have time in the morning to test this out.

Thanks Jason.

Jason Kunst · ‎01-11-2017

Correct, that should be it, make sure you remove the profiles from the endpoint, forget any SSIDs, turn off the wirlesss, clear the wireless session and then delete the endpoint from the database, that would be a clean guest endpoint coming in

Remove from registered devices just removes it from the group not from ISE database.

TM13 · ‎03-26-2018

Hi Jason,

So one device cannot be used on both BYOD and Corp wireless networks?

Jason Kunst · ‎03-26-2018

Please open a new thread and explain your use case needs

tisnow · ‎01-11-2017

Confirmed the following

Deleting from the group as RegisteredDevices doesn't fix the problem

Deleting from Context>Endpoint does indeed solve the problem

Thanks Jason

Guest broken after BYOD

Re: ISE BYOD Flow Using Azure AD

WLC 9800 Guest SSID not redirecting to Guest Portal in Clearpass

ISE BYOD

Cisco ISE BYOD Prescriptive Deployment Guide

ISE BYOD Endpoint notes