Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE dual SSID BYOD with Apple CNA

Is it possible to use the BYOD Apple Mini Browser flow with dual SSID BYOD differentiated portal set up documented by Hosuk Won in the (great) prescriptive deployment guide here:
If i set the Mini Browser flow condition in an AuthZ rule for the 2nd round of AuthZ after initial CWA portal login it doesn’t carry though to the BYOD portal:
Sessions > BYOD-Apple-MiniBrowser-Flow, Equals Yes
If i set the condition on the initial CWA portal with BYOD for Employee Devices enabled, it works fine.
Reason i’m asking is I’m trying to lock down the pre-auth first CWA portal session to a specific set of ports/IPs, then apply the different respective ACL to Android and iOS clients for onboarding once users log in.
Is this possible or am I approaching this wrong?

Accepted Solutions
Cisco Employee

Cisco Employee


Hi Hosuk, I have reviewed the doc yes - it’s been very helpful to help me understand how the flows should work, but....

When using differentiated BYOD portals and the “Allow employees to use personal devices on the network” disabled on the Initial CWA Guest Portal, no CoA is sent after guest login (i just see successful Authentication), thus breaking the flow (no second round of AuthZ). Is this expected behaviour? have i misunderstood?

The only way I can achieve the desired outcome is by:

- creating multiple CWA portals (BYOD device reg disabled on one / enabled on other)
- match condition for Endpoint Policy for Apple devices for one portal to send to portal with BYOD device reg enabled and appropriate ACL.
(bit of a pain having to manage multiple portals for the same thing)

Am i missing something?
(not sure this is solved just yet?? ;-) )


please explain the exact flow in more detail, show your associated authorization policies

Hi Jason, thanks for chipping in! sorry for delay.... I've tried to explain the exact flow below if it helps further...

Essentially, we apply a restrictive ACL to clients when they connect to an open SSID and are redirected to a Self Reg Guest Portal permitting only DNS, DHCP and ISE portal access.
I want to update the WLC ACL applied to the users session after they have logged into the said Self Reg Guest Portal, based on whether the device is iOS or Android.
The user is then redirected to a BYOD portal to complete the device registration. I need to send different user groups to different BYOD portals regardless of the device.

I've built almost exactly what is shown in the "Appendix - Dual-SSID flow with differentiated portal" in the guide, but...
I'm trying to capture devices in the Apple CNA mini-browser flow to apply a new Authorization Profile with a different Apple specific ACL. The new ACL is for on-boarding when they hit the BYOD Portal as per the Apple CNA handling in the guide. (also trying a similar approach for Android with specific WLC DNS ACL, but based on Android device policy in Authorisation Rule and Android WLC ACL in Authorisation Profile).

From my testing, I've deduced this:
- CoA is NOT sent from ISE to WLC when user logs into Self Registered Guest Portal AND "Allow employees to use personal devices on the network" is DISABLED on that portal, so the WLC session ACL is not updated when user is redirected to BYOD portal after log in (device is stuck with the restrictive "pre-user login" ACL applied to session).
- CoA IS sent from ISE to WLC when user logs into Self Registered Guest Portal AND "Allow employees to use personal devices on the network" is ENABLED on that portal, so the WLC session ACL is updated as needed.

Is this expected behaviour? (We're running ISE 2.4 Patch 8)

I'll try to provide some screen shots if it's not clear, but may take me some time [security etc!]

Have you thought about not tying BYOD to the guest portal at all?

Just configure guest portal without BYOD requirement

ACL for 2nd redirect will allow internet but deny internal sites (this allows apple ios to not pop mini browser and Android access to internet for playstore)

Setup 2 different BYOD portals

Setup Authorization profiles for PortalA and PortalB redirect

If guest flow and ADgroupB redirect to portal B
If guest flow and ADgroupA redirect to portal A
If MAB unknown endpoint redirect to guest portal
check under Appendix
Dual-SSID flow with differentiated portal