Need help on BYOD user certificate expiry portal

pcno
Level 1

Hi,

I have the following requirements; can anybody tell me how this is possible with ISE 2.6 or 2.4 (wireless)?

* After the user gets the certificate via the BYOD process and, after 1-2 years, the certificate is about to expire, I want the user to be notified that their certificate is about to expire.

* 10 days before expiry I want the user to be forced to reissue the certificate.

Can anyone share the policy set and additional configuration for this? Is it possible with ISE?
Please reply.

4 Replies

Greg Gibbs
Cisco Employee

You can use the CERTIFICATE:Days to Expiry matching condition in your AuthZ Policy to redirect the user back through registration flow to enrol a new certificate. I would suggest, however, using a time range greater than 10 days (more like 30) to mitigate issues with BYOD users being away from the office on holiday or other reasons.

Example: [attached screenshot of the AuthZ policy: Screen Shot 2020-02-07 at 8.41.20 am.png]

Cheers,

Greg

This is what I came up with in the attached policy (365 is put there to hit the policy forcefully for testing :).
The user will be authenticated with PEAP, then TLS will be used and permit access granted, but if the certificate is about to expire then it will redirect to a central authentication guest portal and force the user to renew the certificate.

But is there a way to put a banner page alone without authentication?

For example, when the user certificate is going to expire in 30 days, the user should start seeing a message "your certificate needs to be renewed" but still be able to use the internet.

After 15 days the user must be forced to renew, which is already happening with my current policy, but I need a way to add a warning saying the certificate is about to expire.

Greg Gibbs
Cisco Employee
(Accepted Solution)

ISE does not have the ability to pop-up a banner for the client without using a portal redirect flow. If you were to use a portal redirect, the user would be subject to the limited access provided by the redirect ACL. You can redirect to a custom portal page (hosted on ISE) or one hosted on an external server but, if the redirect is not part of an established and supported portal flow (Guest, BYOD, Posture, etc) it would essentially become a dead-end session and ISE would not be able to issue a CoA to change the AuthZ state. The user would have to disconnect/reconnect for ISE to have control of the session again and you would likely run into the same issue in a loop.

That is where I am stuck, because it is a dead end and I cannot give permit access to the user.
Thanks for confirming it is not possible.
Have a nice day.