Eugene Korneychuk
Cisco Employee

Guest & BYOD Device Registration only (no supplicant or certificate provisioning)

Today I saw an interesting Guest/BYOD use case; any idea how we can overcome it?

Problem:

Customer wants to use single guest portal for guests and employees. He wants to place Guests in one identity group (Group A) and for Employees he wants devices to be registered and placed into Registered Endpoints (Group B).

For Employees they do not want to do BYOD; they want to have the device placed in the group and a success message displayed (skip provisioning).

Solution:

One solution we came up with is to Allow Network Access in the Provisioning settings, but then an error will be displayed on the success page (Your device is not supported).

Is there a possibility to hide this error because of bad user experience?

We tried going here:

Administration -> Device Portal Management -> BYOD -> Portal Page Customization -> BYOD Success. But Error itself is not editable.

Any idea how we can workaround it?

Jason Kunst
Cisco Employee

Are any users required to go through BYOD with supplicant and cert provisioning?

It's not clear if this is global for all employees or only for those that choose to bypass the provisioning pieces.

Hi Jason,

Thanks for looking into it.

It is global; everyone who connects to this SSID should end up in an endpoints identity group: "Registered Devices" for employees vs "Whatever configured Group" for Guests.

Thanks.

Let's simplify this some more. If they don't need BYOD at all and you aren't requiring them to manage how many devices they have (via the My Devices portal), then why not do this: bypass BYOD altogether.

Authorization Rules in this order:

  • if wireless mab & guest endpoint > permit guest
  • if wireless mab & employee endpoint > permit employee
  • if wireless mab & guest flow & ad group all employees > redirect to hotspot portal to put into special endpoint group (disable the AUP on hotspot so its just 1 page to register automatically)
  • if wireless mab > guest portal

The other option: did you try disabling client provisioning so there are no policies at all? Allow Network Access might be the one you need.

Or what if you use the options shown here and have them select Guest Access Only?

Here is where you configure the error message for BYOD; see the last entry.

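To make the rule ordering concrete, here is an added example (not from the thread and not ISE code) that models the four rules above as first-match logic and walks an employee device and a guest device through them; the group names, result strings, AD group name and MAC address are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed model of the four wireless-MAB authorization rules, evaluated
# first-match from top to bottom. All names below are placeholders, not ISE identifiers.
GUEST_GROUP = "GuestEndpoints"
EMPLOYEE_GROUP = "RegisteredEmployees"   # the "special endpoint group" the hotspot portal fills
EMPLOYEE_AD_GROUP = "All Employees"

@dataclass
class Session:
    mac: str
    wireless_mab: bool = True
    guest_flow: bool = False   # true once the user has authenticated on the guest portal
    ad_groups: tuple = ()

@dataclass
class Ise:
    endpoint_groups: dict = field(default_factory=dict)   # MAC -> endpoint identity group

    def authorize(self, s: Session) -> str:
        # Return the result of the first matching rule; order matters.
        group = self.endpoint_groups.get(s.mac)
        if s.wireless_mab and group == GUEST_GROUP:
            return "permit-guest"
        if s.wireless_mab and group == EMPLOYEE_GROUP:
            return "permit-employee"
        if s.wireless_mab and s.guest_flow and EMPLOYEE_AD_GROUP in s.ad_groups:
            return "redirect-hotspot"        # hotspot with AUP disabled registers the MAC
        if s.wireless_mab:
            return "redirect-guest-portal"   # catch-all must stay last
        return "deny"

    def guest_portal_login(self, s: Session, ad_groups=()) -> None:
        s.guest_flow, s.ad_groups = True, tuple(ad_groups)
        if EMPLOYEE_AD_GROUP not in ad_groups:
            self.endpoint_groups[s.mac] = GUEST_GROUP   # guest account: MAC lands in the guest group

    def hotspot_register(self, s: Session) -> None:
        self.endpoint_groups[s.mac] = EMPLOYEE_GROUP

def walkthrough(ad_groups=()) -> list:
    # Results for one device: first connect, after each portal, and on a fresh reconnect.
    ise, s = Ise(), Session(mac="aa:bb:cc:00:00:01")   # constructed MAC
    results = [ise.authorize(s)]
    ise.guest_portal_login(s, ad_groups)
    results.append(ise.authorize(s))                   # CoA re-authorization after portal login
    if results[-1] == "redirect-hotspot":
        ise.hotspot_register(s)
        results.append(ise.authorize(s))
    results.append(ise.authorize(Session(mac=s.mac)))  # new session, no guest-flow state
    return results
```

An employee device goes through two redirects on its first day (guest portal, then hotspot) and is permitted directly on every later connection; a guest device sees only the guest portal.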
Hi Jason,

  • The option with the rules was proposed to the customer, but it is again a bad user experience: you will have 2 redirects, which is not nice.
  • I tried disabling client provisioning as well; you will get a different error.
  • Allow employees to choose guest access only: will the device still be registered? Anyway, this will require additional user education.
  • Regarding editing errors: that is still editing it; we want to hide it. Is it possible?

Thanks!

Hi Eugene,

I would agree with what Jason originally proposed, it is a much simpler solution. Yes, there are two redirects involved in the policy. However, users will not notice multiple redirects. ISE guest portal code is able to detect subsequent redirects and hide them from the end users. Users will just see a spinning circle for a couple of seconds longer. I had multiple projects with sequential redirects and no one complained about it.

Thanks

Hello Viktor,

Thanks for your reply; the fact that no one complained does mean it works for everyone, right?

Anyway, together with Jason we found a way to use one portal and leverage 2 different identity groups for guests vs employees, with a good user experience as well (no error message for employees at the end).

We can actually edit this message fully, it can be done under Guest Access > Configure > Guest Portals > Select the portal you are using > Portal Page Customization > BYOD Success > Success: Unsupported Devices.

You can change this confusing Success message here.

This is the result of the change I made:

Thanks Everyone!