01-04-2013 10:01 AM - edited 03-10-2019 07:56 PM
Hello experts,
Is it possible for one to configure onboarding without having to register the device within the supplicant provisioning work flow? If so, how can it be accomplished?
Any input is appreciated.
Fadi Ashour
01-04-2013 02:08 PM
Please give me an example of what you are looking for.
One example that comes to mind is using the My Devices portal to register the endpoint and manually setting the endpoint to use PEAP; if the device already has a cert, then configuring ISE to accept the certs the client presents if using EAP-TLS.
If you don't want to use authentication at all, you can still use the My Devices portal with MAC filtering, then set the endpoint group in your authorization policy.
Sent from Cisco Technical Support Android App
01-04-2013 02:26 PM
Tarik,
Scenario:
I want to be able to provision BYOD devices (example: iPhone, iPad, Linux workstations) with supplicant provisioning (EAP-TLS with secure SSID) and be able to authorize the devices based on their device type identity group rather than the RegisteredDevices identity group. From what I see in my testing, the devices go through registration prior to supplicant provisioning. Is there a way to skip the registration so the device stays in the identity group of its device type? I know I can set a condition for the session with OS types, but this is very limiting.
Thank you,
Fadi
01-04-2013 06:10 PM
This is not supported as of the current release because the endpoints are statically assigned to the registered devices identity group no matter which OS the endpoint is.
Please reach out to your Cisco rep because my unofficial response is that this will be in the 1.2 code; however, please run this by a Cisco contact for an official answer.
Sent from Cisco Technical Support Android App
01-05-2013 12:34 PM
I don't understand. Profiling with guest portal can classify the devices into device type groups even if device registration is not used, can't it?
01-05-2013 01:20 PM
You are correct if you choose to use only the dynamic profiling policies. However, when you use supplicant provisioning, the device then gets statically assigned the RegisteredDevices endpoint identity group. A future release should set an attribute for the endpoint (this is my assumption) while maintaining the dynamic profiling based on the endpoint OS.
Here is a note in the release notes that makes mention that these devices are registered in the RegisteredDevices endpoint identity group:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mydevices.html#wp1070044
Thanks,
Sent from Cisco Technical Support iPad App