Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
663
Views
0
Helpful
5
Replies

Registering BYOD device on wireless then connecting to wired

Go to solution
Madura Malwatte
Level 4
Level 4

‎06-10-2019 08:31 PM - edited ‎06-10-2019 08:34 PM

ISE 2.3 patch 5

I have byod wireless working well for mac and windows machines. However I need to be able to connect these byod registered devices to wired dot1x port after they have been registered. However this does not work, because when the device is registered via wireless, its only the wireless mac address that gets added as byod registered and also into the registered device group. When it is connected to wired dot1x port, ISE has no idea about the ethernet adapter mac address and doesn't know it already been registered for byod.

I am trying to avoid having users go through the byod process a second time just for the wired adapter. Is there a better way to let ISE know that once the device is connected to a wired port to check whether it has already been registered via wireless?

The only thing I can think of is to go to mydevices portal, add the ethernet adapter mac address and then also manually add the mac to byod registered device group which we are using as a condition in client provisioning policy.

How is everyone else doing it? I want to be able to register byod devices once via wireless, then be able to use these registered devices on both wireless and wired.

0 Helpful
1 Accepted Solution

Accepted Solutions
5 Replies 5

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎06-11-2019 12:28 AM

Hi

Usually we need users to enroll once in wireless and once on wired.
Adding the mac address manually means users have to check their mac addresses and add it to mydevice portal which isn't the greatest solution.

These are BYOD devices which means you aren't controlling them in any ways to apply some scripts or whatever. The only proper solution would be to get them onboarded a second time over the wired infrastructure.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
ldanny
Cisco Employee
Cisco Employee

‎06-11-2019 12:37 AM

This topic has come up and in being researched internally

 

https://community.cisco.com/t5/identity-services-engine-ise/onboard-endpoint-using-api-to-then-manage-via-mydevice-portal/td-p/3825148

 

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to ldanny

‎06-11-2019 09:35 AM

I am testing this with 2.4 and seeing that the MAC address on windows machine is populated for the wired NIC (built-in) as well. 2.4 is our current recommended long term release.https://community.cisco.com/t5/security-blogs/announcing-the-quot-suggested-release-quot-status-of-ise-2-4/ba-p/3775587

If this is for a NIC not yet connected (in a docking station) then it would be advisable to have the user connect to wired/wireless when onboarding. Otherwise we have no visibility into those mac addresses.
0 Helpful

Go to solution
Madura Malwatte
Level 4
Level 4
In response to Jason Kunst

‎06-11-2019 10:30 PM

Hi Jason, do you know if this is the same behaviour for 2.3? I will test on 2.3 with the wired port connected and enabled to see if it picks up both wireless and wired mac. 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Madura Malwatte

‎06-12-2019 03:28 AM

I don’t know when it changed . I am seeing on 2.4. Unfortunately I don’t work with the older releases
0 Helpful
Customers Also Viewed These Support Documents