ISE 2.4 - Manage Registered Guest Devices

twmjr (Level 1)

Hello,

I am trying to create a flow to support a requirement of my customer and can't seem to get what I'm looking for. The requirements look something like this:

1) Employee connects to an SSID and logs into a guest (CWA) portal using RADIUS credentials

2) The employee is offered the option to register their device to avoid the login in step 1 on future connections

3) While on the regular business network, the employee can log into a portal (e.g. MyDevices) to manage their registered devices

The main problem I'm having is that I can't seem to figure out how to tie the registrations in step 2 into the portal in step 3. Even if I create a MyDevices portal with the same Endpoint Group and same Authentication Method, devices registered in step 2 don't appear in the portal.

I am not using BYOD because the customer does not want any kind of provisioning to be required for the devices, and we want to be able to secure the registration process behind a portal login.

Is there a standard/supported way to do what I'm trying to do? Am I missing something obvious? Is our use of RADIUS as the authentication protocol (vs. AD/LDAP) part of the problem?

Thanks in advance...


Hi howon, thanks for the quick response. The link seems to address how to get employee devices added without BYOD installation being required, but not how to allow employees to manage devices after registration from the internal network.

howon (Cisco Employee)

If this flow is used, then devices will show up in the My Devices portal.

paul (Level 10)

In my opinion the customer is trying to make this more complicated than it needs to be. Why would an employee need to manage their devices when you are talking about Guest access?

When you set up a portal with a login you have two types of guests:

  1. Normal guests that are either self-registered (with optional sponsor approval) or sponsored guests. These guests map to guest types, and you can control which endpoint identity groups these guests map to.
  2. Guests authenticating against any external authentication source (RADIUS, AD, LDAP, etc.). You control in the portal which guest type these logins map to, e.g. Employee-BYOD. That guest type gets mapped to a unique endpoint identity group, e.g. Employee-BYOD.

You dictate in the guest type how many devices the guest can have and what happens if they go over that number. You also set up purge jobs to control how often each guest type sees the portal.

I never give the employees or guests options to register anything. They are automatically registered to the endpoint group dictated by the guest type, and they are allowed to have as many devices as I have configured in the guest type.
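The check a practitioner will want after either of the two approaches above (howon's "devices will show up in the My Devices portal" and paul's guest-type-to-endpoint-identity-group mapping with a per-guest-type device limit) is to confirm, from the ISE side, which endpoints actually landed in the employee endpoint identity group, which portal user each one is tied to, and whether anyone is already over the device limit. The script below is an added example written for this thread, not code from the thread or from Cisco. It assumes the ISE ERS API is enabled (TCP 9060, an ERS admin account, basic auth over HTTPS), that the endpoint-group and endpoint resources return the usual `SearchResult`/`ERSEndPoint` JSON with `mac`, `groupId`, `staticGroupAssignment` and `portalUser` fields, and that `groupId.EQ.` is an accepted endpoint filter; the host name, credentials and all sample responses are hypothetical and constructed so the offline part runs without an ISE node.

```python
"""Audit ISE endpoint registrations per portal user via the ERS API.

Added example (not from the thread). Host, credentials, filter syntax and
sample JSON are assumptions; adjust them to your deployment.
"""
import base64
import json
import ssl
import urllib.request
from collections import defaultdict

# Hypothetical lab values; replace with the real PAN and an ERS admin account.
ISE_HOST = "ise.example.com"
ERS_USER = "ers-admin"
ERS_PASS = "changeme"


def ers_get(path, host=ISE_HOST, user=ERS_USER, password=ERS_PASS, verify=True):
    """GET one ERS resource as parsed JSON (basic auth over HTTPS on 9060)."""
    req = urllib.request.Request(f"https://{host}:9060{path}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    ctx = ssl.create_default_context()
    if not verify:  # lab only: never skip certificate validation in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def search_resources(search_json):
    """Flatten an ERS SearchResult into {id: name}."""
    return {r["id"]: r["name"] for r in search_json["SearchResult"]["resources"]}


def summarize_endpoint(detail_json, group_names):
    """Keep the fields that decide policy matching and My Devices visibility."""
    ep = detail_json["ERSEndPoint"]
    return {
        "mac": ep["mac"],
        "group": group_names.get(ep.get("groupId"), ep.get("groupId")),
        "static": bool(ep.get("staticGroupAssignment", False)),
        "portal_user": ep.get("portalUser") or None,
    }


def devices_by_user(summaries):
    """Group endpoints by the portal user that registered them."""
    out = defaultdict(list)
    for s in summaries:
        if s["portal_user"]:
            out[s["portal_user"]].append(s)
    return dict(out)


def over_limit(by_user, max_devices):
    """Users holding more registered devices than the guest type allows."""
    return sorted(u for u, devs in by_user.items() if len(devs) > max_devices)


def missing_portal_user(summaries, expected_group):
    """Endpoints in the employee group with no portal user attached: they will
    match authorization policy but cannot be managed from My Devices."""
    return [s["mac"] for s in summaries
            if s["group"] == expected_group and not s["portal_user"]]


def collect_live(group_name):
    """Online path: walk ERS for every endpoint in group_name (filter syntax assumed)."""
    groups = search_resources(ers_get("/ers/config/endpointgroup"))
    gid = next(i for i, n in groups.items() if n == group_name)
    eps = search_resources(ers_get(f"/ers/config/endpoint?filter=groupId.EQ.{gid}"))
    return [summarize_endpoint(ers_get(f"/ers/config/endpoint/{i}"), groups) for i in eps]


# Constructed sample responses shaped like ERS output so the audit runs offline.
SAMPLE_GROUPS = {"SearchResult": {"resources": [
    {"id": "g-1", "name": "Employee-BYOD"},
    {"id": "g-2", "name": "GuestEndpoints"},
]}}
SAMPLE_ENDPOINTS = [
    {"ERSEndPoint": {"mac": "00:11:22:33:44:55", "groupId": "g-1",
                     "staticGroupAssignment": True, "portalUser": "jdoe"}},
    {"ERSEndPoint": {"mac": "00:11:22:33:44:66", "groupId": "g-1",
                     "staticGroupAssignment": True, "portalUser": "jdoe"}},
    {"ERSEndPoint": {"mac": "00:11:22:33:44:77", "groupId": "g-1",
                     "staticGroupAssignment": True, "portalUser": "jdoe"}},
    {"ERSEndPoint": {"mac": "aa:bb:cc:dd:ee:ff", "groupId": "g-1",
                     "staticGroupAssignment": True, "portalUser": ""}},
    {"ERSEndPoint": {"mac": "aa:bb:cc:dd:ee:01", "groupId": "g-2",
                     "staticGroupAssignment": False, "portalUser": "visitor7"}},
]


def sample_report(max_devices=2):
    """Run the audit over the constructed sample with a 2-device guest-type limit."""
    groups = search_resources(SAMPLE_GROUPS)
    summaries = [summarize_endpoint(e, groups) for e in SAMPLE_ENDPOINTS]
    by_user = devices_by_user(summaries)
    return {
        "by_user": {u: sorted(d["mac"] for d in devs) for u, devs in by_user.items()},
        "over_limit": over_limit(by_user, max_devices),
        "orphaned": missing_portal_user(summaries, "Employee-BYOD"),
    }


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

Run it as-is to see the offline report; swap `sample_report` for `collect_live("Employee-BYOD")` against a real node once the ERS account exists. The "orphaned" list is the one that explains the original poster's symptom: an endpoint can sit in the right endpoint identity group and still be invisible in My Devices if no portal user was recorded at registration time.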
I don't necessarily disagree with you. The problem is that what you've laid out doesn't meet the customer requirements. They very explicitly want employees to be able to manage their devices after registration from a portal.

I need to at least try to make their requirements work before I try to push them to something else.