Greg Gibbs
Cisco Employee

ISE 2.0 - BYOD registration without CP/NSP

Hi team,

I need to determine if I can push an endpoint through the BYOD registration without going through the Client Provisioning Policy and NSP.

Here is a customer scenario that I currently have:

  • Windows machine configured for EAP-TLS with Machine Auth.
  • Upon login, the user is directed to the CWA portal with Self Registration and BYOD flows enabled. The user inputs their credentials and the BYOD flow is kicked off to provision with a User cert and NSP to enable User auth.
  • After Registration, the user is then redirected to the CP Portal for Posture.

The issue I have is that, if the endpoint is deleted (for troubleshooting, etc.), the only way to classify it as a Registered device again (BYODRegistration = Yes; EID = RegisteredDevices) is to push it back through the BYOD & NSP flow. This would install the Root/User certs again, which is unnecessary.

I need to create a BYOD flow that simply Registers the endpoint again (BYODRegistration = Yes; EID = RegisteredDevices) without pushing the NSP to install the certs again.

I've seen Jason's blog post - https://supportforums.cisco.com/blog/12705471/ise-byod-registration-only-without-native-supplicant-or-certificate-provisioning - but that is not the same scenario as I still need the CP Policy for the cert provisioning scenario above.

I've looked to see if I can exclude this scenario in the CP Policy, but there's nothing I can match on.

Is the flow I'm attempting possible? If so, how?

Accepted Solution

If you would like to file an enhancement, please contact our PM team.

If your customer may upgrade to ISE 2.1, then we may import the endpoints from file with a configured PortalUser attribute. Below is a sample CSV file for ISE 2.1:

MACAddress,EndPointPolicy,IdentityGroup,PortalUser
00:00:00:00:00:12,,,employee1@demo.local

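An added example (not code from the thread or from Cisco) that builds the ISE 2.1 endpoint import file described above from an operator's list of endpoints, normalizing the MAC formats people usually paste (Windows dashed, Cisco dotted, bare hex) and refusing malformed or duplicate rows so a typo cannot register the wrong device. It assumes ISE accepts the colon-separated MAC form and the blank EndPointPolicy/IdentityGroup cells exactly as the sample row shows.

```python
import csv
import io
import re

# Column order copied from the sample CSV in the accepted answer.
HEADER = ["MACAddress", "EndPointPolicy", "IdentityGroup", "PortalUser"]

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Return a MAC as AA:BB:CC:DD:EE:FF; accepts colon, dash, dotted or bare hex.

    Anything that is not exactly 12 hex digits raises ValueError instead of
    being written to the import file.  Upper-case output is an assumption.
    """
    digits = re.sub(r"[:\-.\s]", "", raw.strip()).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_import_csv(entries, identity_group=""):
    """entries: iterable of (mac, portal_user) pairs. Returns the CSV text.

    PortalUser is mandatory because attaching a registered user to the
    endpoint is the whole point of the import; EndPointPolicy stays blank so
    ISE keeps profiling the device itself (as in the sample row).
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    seen = set()
    for mac, user in entries:
        user = user.strip()
        if not user:
            raise ValueError(f"missing PortalUser for {mac!r}")
        norm = normalize_mac(mac)
        if norm in seen:
            raise ValueError(f"duplicate endpoint {norm}")
        seen.add(norm)
        writer.writerow([norm, "", identity_group, user])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample input: one Windows-style and one Cisco-style MAC.
    sample = [("00-00-00-00-00-12", "employee1@demo.local"),
              ("0000.0000.0013", "employee2@demo.local")]
    print(build_import_csv(sample), end="")
```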

3 Replies
hslai
Cisco Employee

Why not use the ISE endpoint ERS API to re-register the endpoints? Or simply use the ISE MyDevices portal to add the endpoints.

Hi HT,

The customer is not using the ERS API, so that’s not an option they are comfortable with. The MyDevices portal would be an option, but they are not currently using that functionality either.

I was hoping for a more automated process through a CWA/BYOD flow, but it sounds like that is not a supported flow (seems like it should be a valid flow).

I’ll have to communicate the option of using the MyDevices portal.

Thanks,

Greg Gibbs

Cisco Security Solutions Architect / Australia

w: +61 3 9659 4309 m: +61 4 1040 5656

Webex: https://cisco.webex.com/meet/grgibbs

grgibbs@cisco.com
