07-11-2016 12:13 AM
hi,
Our customer wants to split their BYOD flow for wired in the following:
From what I could find out, the device registration is enabled on the guest portal for all BYOD users - not based on any authorization such as AD groups.
As such I assume it will be all BYOD users doing device registration or all users doing posture validation - no combinations.
Can you confirm this is correct?
Secondly, if we validate for posture using the web agent, is there any way to avoid having to redo on every new connection?
Many thanks
Gert
07-11-2016 07:22 AM
Set up a web portal with the onboarding piece enabled.
After login a CoA will take place.
If ADGROUP1, then redirect to NSP (BYOD registration).
If ADGROUP2, then redirect to CPP (Posture). Are you going to use web agent posture or AnyConnect?
07-11-2016 07:09 AM
Gert, regarding first Q. You can achieve it but will need to use single-SSID flow instead. For the second Q, posture lease feature is what you are looking for, but it is only available on AnyConnect Agent.
07-11-2016 07:14 AM
Hi,
Thanks for the reply.
We are doing this on wired, not wireless.
Also, just to be clear: the user gets the web portal and provides credentials. If the user is member of a specific AD group, he should do device registration. If he is not, he should be validated for posture.
How can this be configured?
As both users are on AD, they will both hit the device registration or guest compliance check (both of which are configured on the guest portal).
I didn’t find a way to allow authorization for BYOD users.
Would be very interested to see how to configure this.
Many thanks
Gert
Gert Tilburgs - CCIE R&S 21187
Network Consulting Engineer
Cisco Security Services
Phone: +3227046188 - Email: gtilburg@cisco.com
For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
07-11-2016 07:31 AM
Thanks Jason.
The customer does not want to install anything on the BYOD PC, so would go for the web agent. I am not a fan, but given the requirements, this seems the only option. They will check any AV.
Concerns?
07-11-2016 07:36 AM
You can do BYOD device registration only for ADGROUP1 (don't configure a supplicant or cert profile for that group),
then for ADGROUP2 redirect to CPP with web agent (Windows only, of course!).
I don't see anything as a problem.
Please do reach out direct if you need to discuss