07-13-2016 01:43 PM
Today I saw an interesting Guest/BYOD use case, any idea how we can overcome it?
Problem:
Customer wants to use single guest portal for guests and employees. He wants to place Guests in one identity group (Group A) and for Employees he wants devices to be registered and placed into Registered Endpoints (Group B).
For Employees they do not want to do BYOD; they want to have the device placed in the group and a success message to be displayed (skip provisioning).
Solution:
One solution we came up with is to Allow Network Access in Provisioning settings, but then the Error will be displayed on the success page (Your device is not supported).
Is there a possibility to hide this error because of bad user experience?
We tried going here:
Administration -> Device Portal Management -> BYOD -> Portal Page Customization -> BYOD Success. But Error itself is not editable.
Any idea how we can work around it?
07-13-2016 01:49 PM
Are any users required to go through BYOD with supplicant and cert provisioning?
It's not clear if this is global for all employees or those that choose to bypass the provisioning pieces.
07-13-2016 01:54 PM
Hi Jason,
Thanks for looking into it.
It is global, everyone who connects to this SSID should end up in endpoints identity group. "Registered Devices" for employees vs "Whatever configured Group" for Guests.
Thanks.
07-13-2016 02:19 PM
Let's simplify this some more. If they don't need BYOD at all and not requiring them to manage how many devices (via the my devices portal) then why not do this, bypass BYOD altogether.
Authorization Rules in this order
The other option, did you try, would be to disable client provisioning so there are no policies at all? Allow Network Access, this might be the one you need.
Or what if you use the options shown here and have them select Guest Access Only?
Here is where you configure the error message for BYOD, see the last entry.
07-14-2016 07:28 AM
Hi Jason,
Thanks!
07-14-2016 08:36 AM
Hi Eugene,
I would agree with what Jason originally proposed, it is a much simpler solution. Yes, there are two redirects involved in the policy. However, users will not notice multiple redirects. ISE guest portal code is able to detect subsequent redirects and hide them from the end users. Users will just see a spinning circle for a couple of seconds longer. I had multiple projects with sequential redirects and no one complained about it.
Thanks
07-14-2016 09:15 AM
Hello Viktor,
Thanks for your reply, the fact that no one complained does mean that it works for everyone, right?
Anyway, together with Jason we found a way to use one portal and leverage 2 different identity groups for guests vs employees, with a good user experience as well (no error message for employees at the end).
We can actually edit this message fully, it can be done under Guest Access > Configure > Guest Portals > Select the portal you are using > Portal Page Customization > BYOD Success > Success: Unsupported Devices.
You can change this confusing Success message here.
This is the result of the change I made:
Thanks Everyone!