ISE BYOD DNS/Certificates

pinglis (Level 7)

We are looking at setting up BYOD using ISE. We already have a guest SSID configured and plan to use a new BYOD SSID (single SSID method). My question relates to the DNS name and certificate configuration for the BYOD registration portal.

My original thought was to set up a new DNS name/certificate for BYOD, so it would be different from the guest access, e.g.

guest.company.com

byod.company.com

By default the guest and BYOD portals use the same port, 8443, and therefore have to use the same portal group/certificate.

This got me thinking: what, if any, is the technical/security benefit of using a different DNS name?

What about BYOD Retry URL? Would it cause an issue if this pointed to the guest DNS name?

2 Replies

Greg Gibbs (Cisco Employee)

Both the Guest and BYOD flows are redirect flows. The Portal session needs to redirect to the same PSN that handles the RADIUS session, so it makes no sense to define 'friendly' FQDNs in the certificate for either of these flows as they will not be used.

See the Cisco ISE BYOD Prescriptive Deployment Guide.
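As an added illustration of the point above (this is not part of the thread and not Cisco's or ISE's code): because every portal bound to the same port is served by one portal group and therefore one certificate, the practical check is whether that certificate's SAN list covers every FQDN a client will actually connect to on that port, including the PSN's own FQDN that a redirect flow sends the client to. The hostnames, ports and SAN entries below are constructed sample data; substitute the portal settings and the system certificate bound to your portal group.

```python
"""Portal-certificate coverage check for ISE-style redirect portals.

Added example, not Cisco's or ISE's own code. Hostnames, ports and SAN
lists are constructed sample data; real values come from the portal
settings and the system certificate bound to the portal group.
"""
from collections import defaultdict

# Constructed portal configuration: (FQDN a client will hit, TCP port).
PORTALS = [
    ("guest.company.com", 8443),      # guest portal
    ("byod.company.com", 8443),       # BYOD portal on the same port
    ("ise-psn1.company.com", 8443),   # PSN FQDN the redirect actually uses (constructed name)
    ("sponsor.company.com", 8445),    # sponsor portal on its own port
]

# Constructed SAN dNSName entries of the certificate bound to each port.
CERT_SANS = {
    8443: ["guest.company.com", "ise-psn1.company.com"],
    8445: ["sponsor.company.com"],
}


def san_matches(san: str, fqdn: str) -> bool:
    """True if one SAN dNSName entry matches fqdn.

    A wildcard is honoured only as the entire leftmost label (*.company.com)
    and matches exactly one label, the rule browsers apply: it covers
    byod.company.com but not company.com or a.b.company.com.
    """
    san = san.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if san == fqdn:
        return True
    if san.startswith("*.") and "*" not in san[2:]:
        suffix = san.split(".")[1:]
        labels = fqdn.split(".")
        return len(labels) == len(suffix) + 1 and labels[1:] == suffix
    return False


def fqdns_by_port(portals):
    """Group portal FQDNs by TCP port: names on one port share one certificate."""
    groups = defaultdict(list)
    for fqdn, port in portals:
        groups[port].append(fqdn)
    return dict(groups)


def uncovered_fqdns(portals, cert_sans):
    """Return {port: [fqdn, ...]} for names the port's certificate does not cover.

    A name listed here produces a certificate warning on any device that does
    not trust a private CA, which is exactly what a public guest/BYOD
    certificate is meant to avoid.
    """
    result = {}
    for port, fqdns in fqdns_by_port(portals).items():
        sans = cert_sans.get(port, [])
        missing = [f for f in fqdns if not any(san_matches(s, f) for s in sans)]
        if missing:
            result[port] = missing
    return result


if __name__ == "__main__":
    for port, missing in uncovered_fqdns(PORTALS, CERT_SANS).items():
        print(f"port {port}: certificate lacks SAN for {', '.join(missing)}")
    # With a wildcard SAN, every single-label name under company.com on 8443 is covered.
    fixed = {8443: ["*.company.com"], 8445: ["sponsor.company.com"]}
    print("after adding *.company.com:", uncovered_fqdns(PORTALS, fixed) or "all covered")
```

With the sample data the check reports that the certificate on 8443 lacks a SAN for byod.company.com, which is the situation the original question describes: a second "friendly" name on a shared port buys nothing unless the shared certificate also carries it, and the PSN FQDN must be present regardless because that is where the redirect lands.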

Thanks for the quick answer. We are using a different FQDN for the guest flow as we need a public certificate to prevent certificate warnings on non-corporate devices.

In terms of the BYOD redirect URL, I am still not fully understanding how this works and what I would put here.

If, for example, we are using the guest.company.com FQDN, would I just put https://guest.company.com:8443 or something else?

How does ISE know to use the BYOD flow and not the guest flow?