cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1295
Views
0
Helpful
3
Replies

ISE BYOD MAC onboarding

azhar_eaggle1
Level 1
Level 1

for BYOD, can we USE MAC Address instead of Cert ?

we have Customer with ISE 2.4, does not wants to use cert onboarding and wants to keep mac address without adding?

Flow should be like This. 

end devices connect to BYOD SSID, then ask for ad user/password. then ISE keep mac and next time ISE should not ask user/password. and next time use mac for authentication. 

Customer does not want to add mac manually. after first time login with AD username/password. ise should Keep its mac for certain period.

 

1 Accepted Solution

Accepted Solutions

paul
Level 10
Level 10

This is just standard sponsored guest portal setup.  In the sponsored guest portal you have the options to set a guest type for "Employees using this portal".  That guest type is tied to an endpoint identity group.  You decide how often to purge that identity group. 

 

So employee connects to the SSID, gets redirected to the portal, enters their AD credentials, optionally accepts an AUP page and then their MAC address is added to the endpoint identity group you specified in the employee guest type.  How often you purge the endpoint identity group determines how often the employees have to see the portal.

View solution in original post

3 Replies 3

paul
Level 10
Level 10

This is just standard sponsored guest portal setup.  In the sponsored guest portal you have the options to set a guest type for "Employees using this portal".  That guest type is tied to an endpoint identity group.  You decide how often to purge that identity group. 

 

So employee connects to the SSID, gets redirected to the portal, enters their AD credentials, optionally accepts an AUP page and then their MAC address is added to the endpoint identity group you specified in the employee guest type.  How often you purge the endpoint identity group determines how often the employees have to see the portal.

I recommend understand the respective prescriptive guides under http://cs.co/ise-byod and ise-guest

Jason Kunst
Cisco Employee
Cisco Employee
I don’t understand why you would think about doing this.

If you’re using dot1x you’re using some sort of saved credentials. Either cert of username/password. You need these for proper authentication, otherwise it won’t work.

MAB is used on open networks or perhaps even WPA-PSK and can register a device into an endpoint group
see cisco live - https://www.ciscolive.com/global/on-demand-library.html?search=federico%20z%20barcelona#/session/1532112828591001teh9
guest design guide under http://cs.co/ise-guest and http://cs.co/ise-byod