
Why is ISE redirection to registration needed when an off-premises MDM-enrolled (Intune) device is onboarding?

Nate Zhang
Cisco Employee

Hello, Experts,


A customer uses Microsoft Intune as the MDM solution, which integrates with ISE. They are going to enroll mobile devices and laptops off-premises and connect to the enterprise network via EAP-TLS with a profiled BYOD certificate.


We are not going to enable ISE BYOD Wireless On-boarding (EAP-MSCHAP login, then redirect to provisioning to EAP-TLS) since we also have to allow users to log in from EAP-MSCHAP for phase 1 migration.


One thing observed from the ISE admin guide: You must register a device that is enrolled on the MDM server outside of a Cisco ISE network via the MDM portal. This is applicable for Cisco ISE, Release 1.4 and later. Earlier ISE versions allow devices enrolled outside of a Cisco ISE network to be automatically enrolled if they are compliant with the posture policies.



Does this mean that ISE BYOD registration is mandatory for devices enrolled off-premises?

Could you help to elaborate on the flow when an off-premises enrolled mobile device connects to the internal SSID via EAP-TLS for the first time? (Or any configuration illustration of the AuthZ policy)
