ISE BYOD Wireless Registration Only Error

Jason Weids
Level 1

Hi All,


We are trying to set up ISE BYOD registration only on an open SSID and have followed the guide here: https://community.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290 . Now, it seems like there might be a missing screenshot or missing instructions under "PEAP connection > BYOD registration portal (NSP)", but we keep getting the following error on the BYOD page (screenshot: byod error.PNG).

Has anyone else come across this issue or know how to fix this? We are running ISE 2.4 Patch 8.


7 Replies

howon
Cisco Employee

It looks like you are using an open SSID with the BYOD portal. The BYOD portal needs to be tied to an 802.1X SSID for it to learn the username. Alternatively, you can use the guest portal instead of the BYOD portal if you want to use an open SSID, and simply enable 'Allow employees to use personal devices on the network' under BYOD settings. This allows the username to be learned via WebAuth. I suggest going through the BYOD prescriptive deployment guide.

OK, so is it possible to use a single SSID that can onboard BYOD devices for students but also allow them to manage their other devices, like Apple TVs, Xboxes, PlayStations and Amazon Echos, by adding them to the My Devices portal so they can connect to the same SSID?

Think of, for example, students in their on-site rooms. They connect an unknown device to SSID "ResNet", get redirected to the BYOD portal, register the device, the device gets added to "RegisterDevices" and they are allowed access, but they may have other non-compliant devices that they need to connect to the same SSID. How would this work if the SSID has to be dot1x enabled?

You can do this using the My Devices portal. The student would log on to this portal using their 802.1x credentials and register the devices in their dorm by MAC address. You can make this a known URL for students to use and, alternatively, you could also place a link at the top or bottom of the BYOD Portal page as shown below:

(screenshot: MYDevicesLinkonBYOD.png)

Follow this guide to set your portal(s) for customization and then use this code to create the button:


<a href="https://[[ENTER YOUR MY DEVICES URL HERE]]"><button type="submit">Register a device using My Devices</button></a>


To have this at the top of the page, use Optional Content 1. For the bottom of the page, use Optional Content 2.

Thanks, we do have the My Devices Portal set up and the end user can get to this and add devices. My question was: would a non-compliant device still connect to the SSID if it can't do 802.1x?

We have tried registering Apple TVs via the portal but get the error "incorrect username or password" even when one has not been entered.

Apple devices are not capable of doing 802.1x networks. You wouldn't have them connect to that SSID. You would either use an open SSID or WPA2-PSK. Apple devices would go to a My Devices portal and not a BYOD portal. https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010000.html#concept_B810771CCECE4B23A294AA16BE7033AC
There is no way to send the Apple device through the BYOD flow, as it's a dumb device with no browser attached to it.
You will need more than one SSID: one more secure wireless SSID (for Apple iOS, Mac, Windows and Android type personal devices that are capable of 802.1x and have full browsers, to be onboarded with EAP-TLS and supplicant-based provisioning), and another SSID for devices that do not support 802.1x.

Apple devices are not capable of doing 802.1x???

I'm assuming you mean Apple TV.


I thought that would be the case. Shame, I really do not want to put out another SSID just for a few PlayStations and the like. I think we are going to stick with the one and just have them go through a customised guest portal that only allows students to register, and the My Devices portal for their other devices. We are not using supplicant-based provisioning either. All we want is for the user to register and then succeed, with no certs or downloading of profiles. It only means you end up supporting their devices when they go wrong.

Right, I am talking about Apple TV not doing dot1x. If you are not doing dot1x then you don't need another SSID. The user will need to register the device before they connect it; otherwise the device will be in a hung network state, with the redirect happening but no way to remediate it. As stated before, the only devices that can use the BYOD portal are ones with a browser that can register. This is mainly for personal devices (Windows, Apple iOS/Mac, Android, Google Chrome) to onboard and go through some sort of provisioning and configuration. If you're not even doing that, then why send them through BYOD at all? For those types of devices, just use a simple guest portal using Remember Me (explained in the guest guide: https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475 )

I would recommend you use the My Devices portal for dumb headless devices, or quirky ones with a funky browser that you don't want to hit a guest portal (PS, for example). You manually register them before connecting to the network and give simple authorization: if RegisteredDevice, then permit internet (or whatever you like).