Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1762
Views
0
Helpful
0
Replies

Why ISE redirection to registration is needed when off-premises MDM enrolled (Intune) device is on boarding?

Nate Zhang
Cisco Employee
Cisco Employee

‎02-22-2019 09:41 PM

Hello, Experts,

 

A customer uses Microsoft Intune as MDM solution which integrates with ISE. They are going to enroll mobile devices,  laptops off-premises and connects to the enterprise network via EAP-TLS with profiled BYOD certificate.

 

We are not going to enable ISE BYOD Wireless On-boarding (EAP-MSCHAP login then redirect to provisioning to EAP-TLS) since we also have to allow users to login from EAP-MSCHAP for phase 1 migration.

 

One thing observed from ISE admin guide: You must register a device that is enrolled on the MDM server outside of a Cisco ISE network via the MDM portal. This is applicable for Cisco ISE, Release 1.4 and later. Earlier ISE versions allow devices enrolled outside of a Cisco ISE network to be automatically enrolled if they are compliant with the posture policies.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01000.html#ID434

 

 

Is it meaning that ISE BYOD registration is mandatory for the devices enrolled off-premises?

Could you help to elaborate the flow that an off-premises enrolled mobile device connects internal SSID via EAP-TLS for the 1st time? (Or any configuration illustration of AuthZ policy)

Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents