Finding attributes in ISE: BYODRegistration

dgaikwad (Level 5)

Hi Experts,
Recently I have been testing out configuring the BYOD flow.
There is this attribute, BYODRegistration, that I am using to allow the user into the network.

But the other part is that, even if I delete the endpoint from the registered device endpoint group, the user gets access to the network.

I suspect that it's happening because I am using this BYODRegistration attribute in the authorization policy.

As, when I set BYODRegistration to No, the user was not able to acquire network access.

Any pointers?

Accepted Solution

Arne Bier (VIP)

Hi @dgaikwad

That's an interesting observation. Here's the deal. If you're only checking for BYODRegistration in your AuthZ rules, then the client will always authenticate, as long as the certificate is valid (I am assuming this is cert-based BYOD ...).

In most implementations you should provide a MyDevicesPortal for the BYOD users so that they can manage their endpoints. If they report a device "Lost", then the endpoint is removed from Registered Endpoints, and your AuthZ rules should check for that and redirect the user to a web page telling them the device is reported Lost. When the user finds the device again, he can re-instate the device in the MyDevicesPortal and then he is back in business.

If they report the device as stolen, then the endpoint is also deleted, but you cannot re-instate it on the portal. That means that this device needs to onboard again. In that case the AuthZ rule should also catch this.

Blacklisting is another case: if endpoints are blacklisted, then the appropriate AuthZ rule should redirect them to a web page telling them they have been barred.

What I am trying to illustrate is that the existence of the endpoint in various Endpoint Identity Groups is a far more useful indicator of the current status of the client. BYODRegistration is an OVERALL status indicator that simply tells ISE that this client went through BYOD onboarding once upon a time. It's a special attribute for BYOD status.

I would recommend watching the BYOD series of videos from www.labminutes.com - that guy explains all this very well, with nice examples too.

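A quick way to see the difference the answer is describing: the Python model below is an added example written for this page, not ISE code and not the thread's own configuration. It evaluates two toy authorization policies against constructed endpoint records, one keyed only on BYODRegistration and one that also checks RegisteredDevices and Blacklist group membership. The attribute name and the two group names follow ISE naming; the rule representation, the result labels, the `report_lost` helper and the sample MAC addresses are assumptions made for the example.

```python
"""Toy model of ISE authorization-rule evaluation against BYOD endpoints.

Constructed for illustration only; this is not ISE code. The attribute name
BYODRegistration and the endpoint identity group names RegisteredDevices and
Blacklist follow ISE naming. The endpoint records, rule representation, result
labels and MAC addresses below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Endpoint:
    mac: str
    byod_registration: str                          # "Yes" once the device has onboarded
    groups: Set[str] = field(default_factory=set)   # endpoint identity group membership
    cert_valid: bool = True                         # EAP-TLS passed; AuthZ only runs then


# An ISE-style authorization rule: (name, condition, result).
# Rules are evaluated top-down and the first match wins; the last entry is the default.
Rule = Tuple[str, Callable[[Endpoint], bool], str]

# Policy A: only BYODRegistration is checked. Any device that ever onboarded and
# still presents a valid certificate is permitted, even after it was removed
# from RegisteredDevices (the behaviour the question describes).
POLICY_BYOD_ATTR_ONLY: List[Rule] = [
    ("BYOD_Access", lambda e: e.byod_registration == "Yes", "PermitAccess"),
    ("Default", lambda e: True, "DenyAccess"),
]

# Policy B: group membership carries the current status, as the answer recommends.
# BYODRegistration is still consulted, but only to tell a device that onboarded
# and then dropped out of RegisteredDevices (lost/stolen) apart from one that
# never onboarded at all.
POLICY_GROUP_AWARE: List[Rule] = [
    ("Blacklisted", lambda e: "Blacklist" in e.groups, "Redirect_Blacklisted"),
    ("Lost_or_Stolen",
     lambda e: e.byod_registration == "Yes" and "RegisteredDevices" not in e.groups,
     "Redirect_Lost"),
    ("BYOD_Access",
     lambda e: e.byod_registration == "Yes" and "RegisteredDevices" in e.groups,
     "PermitAccess"),
    ("Default", lambda e: True, "DenyAccess"),
]


def authorize(policy: List[Rule], endpoint: Endpoint) -> str:
    """Return the result of the first matching rule; authentication must pass first."""
    if not endpoint.cert_valid:
        return "AuthenticationFailed"
    for _name, condition, result in policy:
        if condition(endpoint):
            return result
    raise RuntimeError("policy has no default rule")


def report_lost(endpoint: Endpoint) -> Endpoint:
    """Model the MyDevices 'Lost' action: the endpoint leaves RegisteredDevices,
    while BYODRegistration keeps recording that it onboarded once."""
    endpoint.groups.discard("RegisteredDevices")
    return endpoint


def sample_endpoints() -> Dict[str, Endpoint]:
    """Constructed sample data (not taken from the thread)."""
    return {
        "onboarded": Endpoint("00:11:22:33:44:01", "Yes", {"RegisteredDevices"}),
        "lost": report_lost(Endpoint("00:11:22:33:44:02", "Yes", {"RegisteredDevices"})),
        "blacklisted": Endpoint("00:11:22:33:44:03", "Yes", {"Blacklist"}),
        "never_onboarded": Endpoint("00:11:22:33:44:04", "No", set()),
    }


if __name__ == "__main__":
    for label, ep in sample_endpoints().items():
        print(f"{label:16s} attr-only={authorize(POLICY_BYOD_ATTR_ONLY, ep):22s} "
              f"group-aware={authorize(POLICY_GROUP_AWARE, ep)}")
```

Running it shows the "lost" and "blacklisted" records still getting PermitAccess under the attribute-only policy, while the group-aware policy redirects them and only permits the device that is still in RegisteredDevices.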

Replies
Thank you for this insight, as I have been struggling with this for quite a while.
I will check out the labminutes videos for sure.
