cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
201
Views
0
Helpful
2
Replies
Contributor

Finding attributes in ISE: BYODRegistration

Hi Experts,
Recently I have been testing out configuring BYOD flow.
There is this attribute, BYODRegistration, that I am using to allow the user in the network.

But the other part if that, even if I delete the endpoint from the registered device endpoint, group the user gets access to the network.

I am suspecting that its happening because I am using this BYODRegistration attribute in the authorization policy.

As, when I set BYODRegistration to No, the user was not able to acquire network access.

 

Any pointers?

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Engager

Re: Finding attributes in ISE: BYODRegistration

Hi @dgaikwad

 

That's an interesting observation.  Here's the deal.  If you're only checking for BYODRegistration in your AuthZ rules, then the client will always authenticate, as long as the certificate is valid (I am assuming this is cert based BYOD ... )

In most implementations you should provide a MyDevicesPortal for the BYOD users so that they can manage their endpoints.  If they report a device "Lost" then the Endpoint is removed from Registered Endpoints and your AuthZ rules should check for that and redirect the user to a web page telling them the device is reported Lost.  When user finds device again, he can re-instate the device in the MyDevicesPortal and then he is back in business.

  If they report the device as stolen, then the Endpoint is also deleted, but you cannot re-instate it on the Portal.  That means that this device needs to onboard again.  In that case the AuthZ rule should also catch this.

Blacklisting is another case - if Endpoints are blacklisted then the appropriate AuthZ rule should redirect them to a web page telling them they have been barred.

What I am trying to illustrate is that the existence of the Endpoint in various Endpoint Identity Groups is a far more useful indicator of the current status of the client.  The BYODRegistration is an OVERALL status indicator that simply tells ISE that this client went through BYOD onboarding once upon a time.  it's a special attribute for BYOD status.

 

I would recommend watching the BYOD series of videos from www.labminutes.com - that guy explains all this very well with nice examples too.  

2 REPLIES 2
VIP Engager

Re: Finding attributes in ISE: BYODRegistration

Hi @dgaikwad

 

That's an interesting observation.  Here's the deal.  If you're only checking for BYODRegistration in your AuthZ rules, then the client will always authenticate, as long as the certificate is valid (I am assuming this is cert based BYOD ... )

In most implementations you should provide a MyDevicesPortal for the BYOD users so that they can manage their endpoints.  If they report a device "Lost" then the Endpoint is removed from Registered Endpoints and your AuthZ rules should check for that and redirect the user to a web page telling them the device is reported Lost.  When user finds device again, he can re-instate the device in the MyDevicesPortal and then he is back in business.

  If they report the device as stolen, then the Endpoint is also deleted, but you cannot re-instate it on the Portal.  That means that this device needs to onboard again.  In that case the AuthZ rule should also catch this.

Blacklisting is another case - if Endpoints are blacklisted then the appropriate AuthZ rule should redirect them to a web page telling them they have been barred.

What I am trying to illustrate is that the existence of the Endpoint in various Endpoint Identity Groups is a far more useful indicator of the current status of the client.  The BYODRegistration is an OVERALL status indicator that simply tells ISE that this client went through BYOD onboarding once upon a time.  it's a special attribute for BYOD status.

 

I would recommend watching the BYOD series of videos from www.labminutes.com - that guy explains all this very well with nice examples too.  

Highlighted
Contributor

Re: Finding attributes in ISE: BYODRegistration

Thank you for this insight, as I have been struggling with this for a quite a while.
I will check out the labminutes for sure.

Everyone's tags (2)