Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

Cisco Employee

Why ISE redirection to registration is needed when off-premises MDM enrolled (Intune) device is on boarding?

Hello, Experts,


A customer uses Microsoft Intune as MDM solution which integrates with ISE. They are going to enroll mobile devices,  laptops off-premises and connects to the enterprise network via EAP-TLS with profiled BYOD certificate.


We are not going to enable ISE BYOD Wireless On-boarding (EAP-MSCHAP login then redirect to provisioning to EAP-TLS) since we also have to allow users to login from EAP-MSCHAP for phase 1 migration.


One thing observed from ISE admin guide: You must register a device that is enrolled on the MDM server outside of a Cisco ISE network via the MDM portal. This is applicable for Cisco ISE, Release 1.4 and later. Earlier ISE versions allow devices enrolled outside of a Cisco ISE network to be automatically enrolled if they are compliant with the posture policies.



Is it meaning that ISE BYOD registration is mandatory for the devices enrolled off-premises?

Could you help to elaborate the flow that an off-premises enrolled mobile device connects internal SSID via EAP-TLS for the 1st time? (Or any configuration illustration of AuthZ policy)

Everyone's tags (2)