cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
894
Views
5
Helpful
15
Replies

ISE 2.3 and BYOD without certs?

Greetings,

 

I am trying to set up BYOD, but without certs. I have it working, but wanted to find out if there is a way to skip the install part on the registration process. I found this link, but it doesn't seem to work on 2.3

https://community.cisco.com/t5/security-documents/ise-byod-onboarding-flow-how-to-skip-the-1st-2nd-onboarding-step/ta-p/3642909

 

I know if you get to this point and close out and reconnect, you get onto the network without installing software or certs, but I want to not have to explain that to everyone.

 

Thanks,

 

1 Accepted Solution

Accepted Solutions

I can try but if you’re expecting people to run the mini browser on apple as well you might have issues with javascript as likely you want them to skip 3 and goto 4 correct? On the mini browser it might change to DONE?

Let me know I can see if its possible

View solution in original post

15 Replies 15

Jason Kunst
Cisco Employee
Cisco Employee
what doesn't work exactly? Do you have the admin access to allow html/javascript

yes, I allowed java and per the instructions I see the first page sample error out, but if I try on a phone, it still steps through all 4 steps.

Interesting have you tried more than 1 browser or OS? If it doesn’t work maybe a copy/paste issue?

ok, I think this is not what I was thinking. I got it to bypass step one and two, but all the scripts are changing is the top of step 3 now says step 1, not displaying step one.

 

Basically I want to step through 1>2>4 skipping step 3 install.

ok please provide screenshot will see what i can do

As you can see, I see it flip through step 1 and 2, but still shows step 3. The scripts changes it to step 1 on the top.

IMG_0037.PNG

 

Why is it even showing the launch installers?

Have you seen this link for BYOD without certs? Have you tried this?

https://community.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290

Yeah, that's basically how i'm setup, but that still calls the BYOD portal and that is stepping through all 4 steps.

 

I can close out and reconnect and it will hit the registered rule and let them on. I may just have to change the text on step 3 to say close and reconnect, but would like to bypass it. From what i'm seeing it may not be possible.

I can try but if you’re expecting people to run the mini browser on apple as well you might have issues with javascript as likely you want them to skip 3 and goto 4 correct? On the mini browser it might change to DONE?

Let me know I can see if its possible

personally, if it can exit after 2 is submitted, that should be fine also. They may need to reconnect though to stop the registration portal. I think the cert install causes the reconnect.

Arne Bier
VIP
VIP

Hi @Dustin Anderson - what is BYOD "without certs" ?  I thought this was the whole point of BYOD.  Now you got me thinking there's a cool new way? :)

Arne it’s the link i sent in the thread

It’s registration flow with MAC address manageable by the my devices portal

Byod without supplicant or cert provisioning

Interesting - still requires Plus license though :-( But good to know

Would it be fair to say that it's a convenient way to allow devices via 802.1X to access the network instead of using PEAP and the issue of AD password expiration causing lockouts?  Since BYOD/MAC doesn't offer much in the way of security, then the main advantage can only be convenience.

 

I just think if you're paying for the Plus license you may as well go the whole hog.  The first thing that comes to mind is that someone will clone a MAC address and get onto the network without any effort.

You can do it with or without dot1x likely you would want to do it without because it defeats the purposes. You can see from the posting that it was for kindles and such. Allows users to register and manage their personal devices through a easy to use portal and flow. Yes it requires plus license for that capability. Or someone could write their own portal for my devices using api but wouldn’t have the nice flow of automatically registering Mac addresses

As you said non dot1x is a security risk but then again you would want to segment them off likely with SGT accordingly to mitigate that risk. This is personal device access remember so it doesn’t need to be that secure unless you need it to be then there are plenty of options