08-07-2019 06:01 AM
Hi All,
We are trying to set up ISE BYOD registration only on an open SSID and have followed the guide here: https://community.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290 . It seems like there might be a missing screenshot or instructions under the "PEAP connection > BYOD registration portal (NSP)" section, but we keep getting the following error on the BYOD page.
Has anyone else come across this issue or know how to fix this? We are running ISE 2.4 Patch 8.
08-07-2019 06:48 AM
It looks like you are using an open SSID with the BYOD portal. The BYOD portal needs to be tied with an 802.1X SSID for it to learn the username. Alternatively, you can use the guest portal instead of the BYOD portal if you want to use an open SSID, and simply enable 'Allow employees to use personal devices on the network' under BYOD settings. This allows the username to be learned via WebAuth. I suggest going through the BYOD prescriptive deployment guide.
08-08-2019 03:54 AM
OK, so is it possible to use a single SSID that can onboard BYOD devices for students but also allow them to manage their other devices like Apple TVs, Xboxes, PlayStations & Amazon Echos by adding them to the My Devices portal so they can connect to the same SSID?
Think of, for example, students in their onsite rooms. They connect an unknown device to SSID "ResNet", get redirected to the BYOD portal, register the device, the device gets added to "RegisterDevices" & they are allowed access, but they may have other non-compliant devices that they need to connect to the same SSID. How would this work if the SSID has to be dot1x enabled?
08-08-2019 06:14 AM
You can do this using the My Devices portal. The student would log on to this portal using their 802.1x credentials and register the devices in their dorm by MAC address. You can make this a known URL for students to use and, alternately, you could also place a link at the top or bottom of the BYOD Portal page as shown below:
Follow this guide to set your portal(s) for customization and then use this code to create the button:
<a href="https://[[ENTER YOUR MY DEVICES URL HERE]]"><button type="submit">Register a device using My Devices</button></a>
To have this at the top of the page, use Optional Content 1. For the bottom of the page, use Optional Content 2.
08-08-2019 06:39 AM
Thanks, we do have the My Devices Portal set up & the end user can get to this & add devices. My question was: would a non-compliant device still connect to the SSID if it can't do 802.1x?
We have tried registering Apple TVs via the portal but get the error "incorrect username or password" even when one has not been entered.
08-08-2019 06:51 AM
08-08-2019 09:02 AM
Apple devices are not capable of doing 802.1x???
I'm assuming you mean Apple TV.
I thought that would be the case. Shame, we really do not want to put out another SSID just for a few PlayStations & the like. I think we are going to stick with the one & just have them go through a customised guest portal that only allows students to register, & the My Devices portal for their other devices. We are not using supplicant-based provisioning either. All we want is for the user to register & then success, no certs or downloading profiles. It only means you end up supporting their devices when they go wrong.
08-08-2019 09:45 AM