01-17-2017 05:48 PM
Hi team,
I need to determine if I can push an endpoint through the BYOD registration without going through the Client Provisioning Policy and NSP.
Here is a customer scenario that I currently have:
The issue I have is that, if the endpoint is deleted (for troubleshooting, etc.), the only way to classify it as a Registered device again (BYODRegistration = Yes; EID = RegisteredDevices) is to push it back through the BYOD & NSP flow. This would install the Root/User certs again which is unnecessary.
I need to create a BYOD flow that simply Registers the endpoint again (BYODRegistration = Yes; EID = RegisteredDevices) without pushing the NSP to install the certs again.
I've seen Jason's blog post - https://supportforums.cisco.com/blog/12705471/ise-byod-registration-only-without-native-supplicant-or-certificate-provisioning - but that is not the same scenario as I still need the CP Policy for the cert provisioning scenario above.
I've looked to see if I can exclude this scenario in the CP Policy, but there's nothing I can match on.
Is the flow I'm attempting possible? If so, how?
01-17-2017 07:44 PM
Why not use the ISE endpoint ERS API to re-register the endpoints? Or, simply use the ISE MyDevices portal to add the endpoints.
01-17-2017 08:19 PM
Hi HT,
The customer is not using the ERS API, so that’s not an option they are comfortable with. The MyDevices portal would be an option, but they are not currently using that functionality either.
I was hoping for a more automated process through a CWA/BYOD flow, but it sounds like that is not a supported flow (seems like it should be a valid flow).
I’ll have to communicate the option of using the MyDevices portal.
Thanks,
Greg Gibbs
Cisco Security Solutions Architect / Australia
w: +61 3 9659 4309 m: +61 4 1040 5656
Webex: https://cisco.webex.com/meet/grgibbs
grgibbs@cisco.com
01-17-2017 08:38 PM
If you would like to file an enhancement, please contact our PM team.
If your customer may upgrade to ISE 2.1, then we may import the endpoints from file with a configured PortalUser attribute. Below is a sample CSV file for ISE 2.1:
MACAddress,EndPointPolicy,IdentityGroup,PortalUser
00:00:00:00:00:12,,,employee1@demo.local
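Added example (not part of the thread, and not Cisco code): one way to build the import file described in the reply above from an inventory of MAC/user pairs, rejecting malformed or duplicate entries before they reach ISE. The function names and the sample inventory are constructed for illustration; the column layout is the one in the sample CSV, and normalising MACs to upper-case colon notation is an assumption.

```python
import csv
import io
import re

# Column layout taken from the sample CSV in the reply above.
HEADER = ["MACAddress", "EndPointPolicy", "IdentityGroup", "PortalUser"]
_HEX12 = re.compile(r"[0-9A-Fa-f]{12}")


def normalize_mac(raw):
    """Return AA:BB:CC:DD:EE:FF; raise ValueError for anything else."""
    # Accepts colon, hyphen and dotted notation; separators are simply stripped.
    digits = re.sub(r"[.:\-]", "", raw.strip())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_import_csv(records, identity_group=""):
    """records: iterable of (mac, portal_user). Returns (csv_text, rejected)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    seen, rejected = set(), []
    for mac, user in records:
        try:
            mac = normalize_mac(mac)
        except ValueError as exc:
            rejected.append((mac, str(exc)))
            continue
        user = user.strip()
        if not user:
            rejected.append((mac, "missing PortalUser"))
        elif mac in seen:
            rejected.append((mac, "duplicate MAC"))
        else:
            seen.add(mac)
            # EndPointPolicy is left empty, as in the sample row.
            writer.writerow([mac, "", identity_group, user])
    return out.getvalue(), rejected


# Constructed sample inventory: mixed notations, a duplicate, a bad MAC, a blank user.
SAMPLE = [("00:00:00:00:00:12", "employee1@demo.local"),
          ("0000.0000.0013", "employee2@demo.local"),
          ("00-00-00-00-00-12", "employee1@demo.local"),
          ("00:00:00:00:00:1G", "employee3@demo.local"),
          ("00:00:00:00:00:14", " ")]
```

Review the `rejected` list before importing, so that a typo in the inventory does not silently leave an endpoint without a portal user.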