Hi Jason, thanks for chipping in! Sorry for the delay... I've tried to explain the exact flow below, if it helps further...
Essentially, we apply a restrictive ACL to clients when they connect to an open SSID and are redirected to a Self Reg Guest Portal, permitting only DNS, DHCP and ISE portal access.
I want to update the WLC ACL applied to the user's session after they have logged into the said Self Reg Guest Portal, based on whether the device is iOS or Android.
The user is then redirected to a BYOD portal to complete the device registration. I need to send different user groups to different BYOD portals regardless of the device.
I've built almost exactly what is shown in the "Appendix - Dual-SSID flow with differentiated portal" in the guide, but...
I'm trying to capture devices in the Apple CNA mini-browser flow to apply a new Authorization Profile with a different, Apple-specific ACL. The new ACL is for on-boarding when they hit the BYOD Portal, as per the Apple CNA handling in the guide. (I'm also trying a similar approach for Android with a specific WLC DNS ACL, but based on an Android device policy in the Authorization Rule and an Android WLC ACL in the Authorization Profile.)
From my testing, I've deduced this:
- CoA is NOT sent from ISE to the WLC when the user logs into the Self Registered Guest Portal AND "Allow employees to use personal devices on the network" is DISABLED on that portal, so the WLC session ACL is not updated when the user is redirected to the BYOD portal after login (the device is stuck with the restrictive "pre-user login" ACL applied to the session).
- CoA IS sent from ISE to the WLC when the user logs into the Self Registered Guest Portal AND "Allow employees to use personal devices on the network" is ENABLED on that portal, so the WLC session ACL is updated as needed.
Is this expected behaviour? (We're running ISE 2.4 Patch 8)
I'll try to provide some screenshots if it's not clear, but it may take me some time [security etc.!]