
ISE v1.1.2 onboarding without device registration?

fashour
Level 1

Hello experts,

Is it possible for one to configure onboarding without having to register the device within the supplicant provisioning workflow? If so, how can it be accomplished?

Any input is appreciated.

Fadi Ashour

5 Replies

Tarik Admani
VIP Alumni

Please give me an example of what you are looking for.

One example that comes to mind is using the My Devices portal to register the endpoint and manually setting the endpoint to use PEAP; if the device already has a cert, then configuring ISE to accept the certs the client presents if using EAP-TLS.

If you don't want to use authentication at all, you can still use the My Devices portal with MAC filtering, then set the endpoint group in your authorization policy.


Sent from Cisco Technical Support Android App

Tarik,

Scenario:

I want to be able to provision BYOD devices (example: iPhone, iPad, Linux workstations) with supplicant provisioning (EAP-TLS with secure SSID) and be able to authorize the devices based on their device type identity group rather than the RegisteredDevices identity group. From what I see in my testing, the devices go through registration prior to supplicant provisioning. Is there a way to skip the registration so the device stays in the identity group of its device type? I know I can set a condition for the session with OS types, but this is very limiting.

Thank you,

Fadi

Tarik Admani
VIP Alumni

This is not supported as of the current release because the endpoints are statically assigned to the RegisteredDevices identity group no matter which OS the endpoint is.

Please reach out to your Cisco rep, because my unofficial response is that this will be in the 1.2 code; however, please run this by a Cisco contact for an official answer.


Sent from Cisco Technical Support Android App

I don't understand. Profiling with guest portal can classify the devices into device type groups even if device registration is not used, can't it?

You are correct if you choose to use only the dynamic profiling policies. However, when you use supplicant provisioning, the device then gets statically assigned the RegisteredDevices endpoint identity group. A future release should set an attribute for the endpoint (this is my assumption) while maintaining the dynamic profiling based on the endpoint OS.

Here is a note in the release notes that makes mention that these devices are registered in the RegisteredDevices endpoint identity group:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mydevices.html#wp1070044

Thanks,

Sent from Cisco Technical Support iPad App