09-13-2016 11:41 AM
Hi Experts,
My customer has the following question regarding their Mac users' CWA process:
Currently the Mac OS users are getting redirected to the CWA page the first time they get on the network, because there is no supplicant and no certificate.
Management doesn't want that to happen. Instead, they want to give users a separate URL where they can download the certificate and configuration profile through ISE.
So, the certificate and profile can be downloaded when the user is ready, instead of the user being forced to do so.
Thanks in advance
Nadeem
09-16-2016 12:58 PM
Lots of good proposals here. Oddly, it sounds like the customer wants to make the process more complex rather than easier for their users, where they separately download certs and profiles for manual application. If the user does not want to be provisioned, then why go to a provisioning WLAN in the first place? A single SSID is also an option, where they log in using AD credentials and get provisioned with a cert and EAP-TLS. The AUP could be worded to read "Do you agree to get provisioned at this time?" If not accepted, then they do not proceed.
09-14-2016 09:32 AM
Any reason for not using the ISE BYOD flow?
09-14-2016 12:53 PM
These MacBooks are corporate assets, and the existing flow is what they have configured. Would a BYOD flow provide them the solution they are looking for, and would that be OK to use for corporate assets?
How about the requirement for them to go to a kind of remediation portal, where they would like the users to go and download the certs and the profile?
Thanks
Nadeem
Nadeem Khan CISSP, CRISC
Network Consulting Engineer
Cisco Services
Cisco Security Solutions - Integration
09-14-2016 01:34 PM
I’ve been looking into this a little bit and I don’t think what you want to do is possible natively. One option may be to host a website that leverages the ISE API on the backend allowing a user to enter their MAC address when they are ready to be provisioned and move that endpoint into an identity group that will follow the provisioning flow. Here’s a resource which may be helpful: https://communities.cisco.com/docs/DOC-66297#jive_content_id_Update_Endpoint__Statically_Assign_to_an_Identity_Group
George
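The API-driven step George describes (a user who is ready to be provisioned submits their MAC, and the endpoint is statically assigned to an identity group whose authorization rule drives the provisioning flow), as an added example that is not code from this thread or from Cisco. It assumes ERS is enabled on the ISE admin node, that the hosting website has already authenticated the user before accepting a MAC from them, that the group name `Mac-Provisioning` exists (hypothetical), and that the `requests` library is available for the live transport; the user-supplied MAC is normalized and validated before it is placed in an ERS filter.

```python
import re
from typing import Callable, Optional, Tuple

# Hypothetical group name (assumption): the endpoint identity group whose
# authorization rule sends a Mac into the provisioning flow.
PROVISIONING_GROUP = "Mac-Provisioning"
# ers(method, path, json_body_or_None) -> (http_status, decoded_json)
ErsCall = Callable[[str, str, Optional[dict]], Tuple[int, dict]]

def normalize_mac(raw: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:... from the user's form;
    anything that is not 12 hex digits is rejected before it reaches an ERS filter."""
    hexchars = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexchars) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexchars[i:i + 2] for i in range(0, 12, 2)).upper()

def move_to_provisioning_group(raw_mac: str, ers: ErsCall,
                               group_name: str = PROVISIONING_GROUP) -> dict:
    """Statically assign the endpoint to the provisioning identity group,
    creating the endpoint record if ISE has not seen this MAC yet."""
    mac = normalize_mac(raw_mac)
    status, body = ers("GET", f"/ers/config/endpointgroup?filter=name.EQ.{group_name}", None)
    groups = body.get("SearchResult", {}).get("resources", []) if status == 200 else []
    if not groups:
        raise RuntimeError(f"endpoint group {group_name!r} not found in ISE")
    group_id = groups[0]["id"]
    status, body = ers("GET", f"/ers/config/endpoint?filter=mac.EQ.{mac}", None)
    found = body.get("SearchResult", {}).get("resources", []) if status == 200 else []
    fields = {"mac": mac, "staticGroupAssignment": True, "groupId": group_id}
    if found:  # known endpoint: update its static group assignment (ERS returns 200)
        ep_id = found[0]["id"]
        status, _ = ers("PUT", f"/ers/config/endpoint/{ep_id}", {"ERSEndPoint": {"id": ep_id, **fields}})
    else:      # never seen: create it already in the group (ERS returns 201)
        status, _ = ers("POST", "/ers/config/endpoint", {"ERSEndPoint": fields})
    if status != (200 if found else 201):
        raise RuntimeError(f"ISE ERS returned HTTP {status}")
    return {"mac": mac, "group_id": group_id, "created": not found}

def ise_ers(base_url: str, user: str, password: str, verify=True) -> ErsCall:
    """Live transport: ERS on the ISE admin node, e.g. https://ise.example.com:9060."""
    import requests  # imported here so the rest of the module runs without it
    def call(method, path, body):
        hdrs = {"Accept": "application/json", "Content-Type": "application/json"}
        r = requests.request(method, base_url + path, auth=(user, password), json=body,
                             headers=hdrs, verify=verify, timeout=15)
        try:
            return r.status_code, r.json()
        except ValueError:  # 201 Created and some updates carry no JSON body
            return r.status_code, {}
    return call
```

The ERS account used here only needs endpoint and endpoint-group rights, and the website should log which authenticated user moved which MAC so the change is attributable.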
09-16-2016 12:36 PM
What is the customer's process for provisioning a Mac with an endpoint certificate?
ISE BYOD is designed mainly for personal devices but is not restricted to them, so it could be used for provisioning corporate devices. Anyhow, that is merely a suggestion, and it really comes down to what's available and what's acceptable.
09-16-2016 01:02 PM
Thanks for all the proposals!
I will take all these suggestions back to the customer and see what they want to do.
Nadeem Khan CISSP, CRISC
Network Consulting Engineer
Cisco Services
Cisco Security Solutions - Integration