
ISE BYOD Dual SSID with both SSIDs closed

llomjaria
Level 1

Hi,

I am interested if it is possible to configure BYOD with dual closed SSIDs. 

When a user connects to the first SSID, he should be redirected to the portal, where he will enter his AD username and password, and if authentication is successful the process should continue. After onboarding and posture checks, he will be redirected to the second SSID.

If it is possible, could you please provide documentation?

Accepted Solutions

Greg Gibbs
Cisco Employee

While this could technically probably be done, I'm not sure I understand the point and it would be a poor user experience. In order to connect to the first secure SSID, the supplicant would prompt the user for their credentials (which would be PEAP-MSCHAPv2 authC in ISE). They would then be redirected to the portal and be forced to enter their credentials again for Central Web Auth, go through the BYOD enrolment process and be notified to manually change to the second SSID (Posture is not typically part of the BYOD flow).

A smoother solution would be using the Single SSID flow described in the Cisco ISE BYOD Prescriptive Deployment Guide. If Posture is required, that flow would be better suited after the BYOD enrolment as a condition for authorization. 

thomas
Cisco Employee

Posture is not typical for BYOD - once you do this it is basically a managed endpoint.

If you are doing posture checks of your employees' personal devices, why not just use an MDM to enroll/provision them to a single SSID and then manage whatever security policies, applications, settings, WiFi profiles, etc. to minimize your risk concerns?