ok, so is it possible to use a single SSID that can onboard BYOD devices for students but also allow them to manage their other devices like apple tvs, xbox, playstation's & amazon echo's  by adding them to the my devices portal so they can connect to the same SSID?

Think of example students in their onsite rooms. They connect unknown device to SSID "ResNet" get redirected to the BYOD portal, register device, device gets added to "RegisterDevices" & they are allowed access but they may have other non-compliant devices that they need to connect to the same SSID. How would this work if the SSID has to be dot1x enabled?

Thanks, we do have the My Devices Portal setup & the end user can get to this & add devices. My question was would a non-compliant device still connect to the SSID if it can't do 802.1x?

 

We have tried registering Apple TVs via the portal but get the error "incorrect username or password" even when one has not been entered.

Apple Devices are not capable of doing 802.1x networks. You wouldn't have them connect to that SSID. You would either use an OPEN SSID or WPA2-PSK. Apple devices would go to a my devices portal and not a BYOD portal. https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010000.html#concept_B810771CCECE4B23A294AA16BE7033AC
There is no way to send the apple device through the BYOD flow as its a dumb device with no browser to attach to it.
You will need more than 1 SSID. 1 more secure wireless (apple ios, mac, windows, android type of personal devices capable of 802.1x and with full browsers to be onboarded with EAP-TLS and supplicant based provisioning). You will need another SSID for devices not support 802.1x

Apple devices are not capable of doing 802.1x???

I'm assuming you mean Apple TV.

 

I thought that would be the case. Shame, really do not wont to put out another SSID just for a few PlayStations & the like. I think we are going to stick with the one & just have them go through a customised guest portal that only allows students to register & my devices portal for their other devices. We are not using supplicant based provisioning either. All we want is the user to register & then success, no certs or downloading profiles. It only means you end up supporting their devices when they go wrong.

Right I am talking about Apple TV not doing dot1x. If you are not doing dot1x then you don’t need another SSID. The user will need to register the device before they connect it otherwise the device will be in a hung network state with redirect happening but no way to remediate it. As stated before the only devices that can use the BYOD portal are ones with a browser that can register. This is mainly for personal devices (windows, apple ios/mac, android, google chrome) to onboard and go through some sort of provisioning and configuration. If you’re not even doing that then why send them through BYOD at all? For thos types of devices just use a simple guest portal using remember me (explained in the guest guide - https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475
)

I would recommend you use my devices portal for dumb headless devices or quirky ones with funky browser that you don’t want to hit a guest portal (PS for example). You manually register them before connecting to the network and give simple authorization , if REgisteredDevice then permit internet (or whatever you like)