ISE Dual SSID Mobile user experiences

Hi All,

I have set up the ISE Dual SSID for workers to access the network, but ISE does not seem to really like mobile users, especially iPhone and iPad.

I have created two SSIDs. One is for Central Web Authentication (CWA) and the other is internal (hidden SSID), which is redirected to from CWA.

As we know, we need to accept the certificate, enable the root CA, etc., and keep switching between Safari and Settings to complete the BYOD onboarding task (because ISE CWA does not support the Apple mini web browser). However, when you complete the BYOD onboarding process, go to the Settings page and manually change the SSID from CWA to the internal SSID, ISE says your device hasn't been registered.

Because iPhone, iPad, and Android by default enable "Private Wi-Fi Address", which changes the MAC address when you connect to a different SSID, I need to redo the BYOD onboarding process and disable the Private Wi-Fi Address.

May I know if there is any way to make it easier to complete the BYOD onboarding process for mobile users?

ISE 3.1 patch 6 and 9800-CL 17.8.1 WLC

iPhone and iPad are on the latest iOS version.

Thanks


RockstarWiFi
Level 1

I am a bit confused by what you're saying, but let me take a shot. You are trying to configure BYOD, where you have an OPEN SSID that redirects to the ISE BYOD Portal; if employees log in, they're supposed to get their supplicant provisioned for the "Corp or Internal" SSID? It sounds like you have some errors in your supplicant provisioning, as once the EAP supplicant is provisioned for the right SSID (and it's case sensitive), your supplicant will try to join that SSID with the credentials pushed during supplicant provisioning, meaning it shouldn't matter as much about the MAC address, as you're using user/pass or certificate depending on the supplicant you configured. For one thing, DON'T HIDE SSIDs; there's ZERO POINT in doing it, and many supplicants don't do well with hidden SSIDs to begin with. The best practice is to limit the number of SSIDs to 3 or 4, but all of them should be advertised in the beacon as public. There's no security purpose to a hidden SSID unless you are one of a small group that does the new OWE transition mode to a hidden SSID, but I'm not going there for now.

In short, check your supplicant config on ISE, and make sure you're deploying the right SSID and the right credentials to your devices. Try it with a Windows device first, as it's easier to verify everything, then move to Android / iOS, but I'd strongly recommend an external MDM handle mobile device provisioning, like Intune, AirWatch, Jamf, etc., as they can also lock down the supplicant and disable insecure protocols like EAP-GTC, or weak ciphers.

The ISE BYOD flow now requires access to the Android Store to download the NSP (Native Supplicant Provisioning) client, with several key ports open on your ACL for the tool to work, and it also requires some URL / ACL redirection for both Android and iOS devices.

With regard to the Apple mini-browser, make sure you're not using the captive portal feature on your WLC, as the controller proxies the mini-browser.

Finally, let's say your "hidden" SSID is called Corp; make sure your devices, after provisioning, are only trying to join Corp and not the BYOD / Guest flow again. Again, this has become tricky in the game of browser wars, and to ensure mobile device security I strongly prefer a 3rd-party MDM for device provisioning.

I posted some videos on this on YouTube; you can also check those out and maybe they will help. Good luck.

What is the use-case for BYOD in the first place? Would a guest flow work here instead?

Hi @hslai

Thanks for the advice.
I still have some configuration issues with the ISE 3.1 BYOD solution for MAC-randomized endpoints.
After changing the Subject Alternative Name (SAN) from MAC address to MAC address and GUID, the MAC still mismatches with the BYOD registration DB because the MAC is randomized.

Should I remove BYODRegistration? If so, people cannot manage their devices via the My Devices portal.

Also, I would like to create guest portals (backup plans) for people who have MAC randomization enabled. However, I have no idea how to remove the Accept and Decline buttons.
I added the script inside the AUP text and clicked Toggle HTML Source.

The button still appears on the page.

Thanks
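The MAC mismatch described in the opening post and in the follow-up above, as an added example (not code from the thread or from Cisco ISE): it flags locally administered, i.e. randomized, MAC addresses by their U/L bit and shows why a registration recorded on the CWA SSID will not match the address the same device presents on the internal SSID. The registration record and session lines are constructed sample data.

```python
import re


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or Cisco aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Burned-in hardware addresses have it clear; iOS "Private Wi-Fi Address" and
    Android randomized MACs set it, so the second hex digit of the first octet
    is 2, 6, A or E.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


# Constructed sample data: the MAC that BYOD registration stored while the device
# was on the CWA SSID, and the sessions seen afterwards on both SSIDs.
REGISTERED = {"da:1b:2c:3d:4e:5f": "jdoe-iphone"}  # constructed
SESSIONS = [  # constructed: (user, mac, ssid)
    ("jdoe", "DA-1B-2C-3D-4E-5F", "CWA"),
    ("jdoe", "62:aa:bb:cc:dd:ee", "Internal"),  # different random MAC on the 2nd SSID
    ("asmith", "001a.2b3c.4d5e", "Internal"),  # hardware MAC, never onboarded
]


def classify(mac: str, registered=REGISTERED) -> str:
    """Explain why a session does or does not match the registration DB."""
    mac = normalize_mac(mac)
    if mac in registered:
        return "registered"
    if is_locally_administered(mac):
        # Possibly an onboarded device presenting a new per-SSID random address.
        return "unregistered-randomized"
    return "unregistered-hardware"


def audit(sessions, registered=REGISTERED):
    """Return one (user, ssid, normalized mac, verdict) tuple per session."""
    return [(u, ssid, normalize_mac(m), classify(m, registered)) for u, m, ssid in sessions]


if __name__ == "__main__":
    for row in audit(SESSIONS):
        print("%-8s %-9s %s  %s" % row)
```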