Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1254
Views
0
Helpful
3
Replies

ISE BYOD MAC onboarding

Go to solution
azhar_eaggle1
Level 1
Level 1

‎04-10-2019 01:57 PM

for BYOD, can we USE MAC Address instead of Cert ?

we have Customer with ISE 2.4, does not wants to use cert onboarding and wants to keep mac address without adding?

Flow should be like This. 

end devices connect to BYOD SSID, then ask for ad user/password. then ISE keep mac and next time ISE should not ask user/password. and next time use mac for authentication. 

Customer does not want to add mac manually. after first time login with AD username/password. ise should Keep its mac for certain period.

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10

‎04-10-2019 07:27 PM

This is just standard sponsored guest portal setup.  In the sponsored guest portal you have the options to set a guest type for "Employees using this portal".  That guest type is tied to an endpoint identity group.  You decide how often to purge that identity group. 

 

So employee connects to the SSID, gets redirected to the portal, enters their AD credentials, optionally accepts an AUP page and then their MAC address is added to the endpoint identity group you specified in the employee guest type.  How often you purge the endpoint identity group determines how often the employees have to see the portal.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
paul
Level 10
Level 10

‎04-10-2019 07:27 PM

This is just standard sponsored guest portal setup.  In the sponsored guest portal you have the options to set a guest type for "Employees using this portal".  That guest type is tied to an endpoint identity group.  You decide how often to purge that identity group. 

 

So employee connects to the SSID, gets redirected to the portal, enters their AD credentials, optionally accepts an AUP page and then their MAC address is added to the endpoint identity group you specified in the employee guest type.  How often you purge the endpoint identity group determines how often the employees have to see the portal.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to paul

‎04-10-2019 07:39 PM

I recommend understand the respective prescriptive guides under http://cs.co/ise-byod and ise-guest
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎04-11-2019 09:30 AM

I don’t understand why you would think about doing this.

If you’re using dot1x you’re using some sort of saved credentials. Either cert of username/password. You need these for proper authentication, otherwise it won’t work.

MAB is used on open networks or perhaps even WPA-PSK and can register a device into an endpoint group
see cisco live - https://www.ciscolive.com/global/on-demand-library.html?search=federico%20z%20barcelona#/session/1532112828591001teh9
guest design guide under http://cs.co/ise-guest and http://cs.co/ise-byod

0 Helpful
Customers Also Viewed These Support Documents