cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
235
Views
1
Helpful
2
Replies

ISE BYOD Dual SSID with bot SSIDs closed

llomjaria
Beginner
Beginner

Hi,

I am interested if it is possible to configure BYOD with dual closed SSIDs. 

When user connects to first SSID it should be redirected to portal where he will enter AD username and password and if authentication is successful the process should continue. After onboarding and posture checks he will be redirected to second SSID.

If it is possible, could you please provide documentation?

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee
Cisco Employee

While this could technically probably be done, I'm not sure I understand the point and it would be a poor user experience. In order to connect to the first secure SSID, the supplicant would prompt the user for their credentials (which would be PEAP-MSCHAPv2 authC in ISE). They would then be redirected to the portal and be forced to enter their credentials again for Central Web Auth, go through the BYOD enrolment process and be notified to manually change to the second SSID (Posture is not typically part of the BYOD flow).

A smoother solution would be using the Single SSID flow described in the Cisco ISE BYOD Prescriptive Deployment Guide. If Posture is required, that flow would be better suited after the BYOD enrolment as a condition for authorization. 

View solution in original post

2 Replies 2

Greg Gibbs
Cisco Employee
Cisco Employee

While this could technically probably be done, I'm not sure I understand the point and it would be a poor user experience. In order to connect to the first secure SSID, the supplicant would prompt the user for their credentials (which would be PEAP-MSCHAPv2 authC in ISE). They would then be redirected to the portal and be forced to enter their credentials again for Central Web Auth, go through the BYOD enrolment process and be notified to manually change to the second SSID (Posture is not typically part of the BYOD flow).

A smoother solution would be using the Single SSID flow described in the Cisco ISE BYOD Prescriptive Deployment Guide. If Posture is required, that flow would be better suited after the BYOD enrolment as a condition for authorization. 

thomas
Cisco Employee
Cisco Employee

Posture is not typical for BYOD - once you do this it is basically a managed endpoint.

If you are doing posture checks of your employee's personal devices, why not just use an MDM to enroll/provision them to a single SSID and then manage whatever security policies, applications, settings, WiFi profiles, etc. to minimize your risk concerns?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: