My quick analysis on why you would want to use Dual or Single SSID for ISE BYOD Device Onboarding (Native Supplicant and Certificate Provisioning)
DUAL SSID
Using employee credentials, the employee can go directly through onboarding via the CWA portal.
Or, as another option for internet access only:
Using employee credentials, the employee can get internet access via the CWA portal and can then be directed to onboard with single SSID.
Pros
- ISE 2.2 Apple mini browser works in this flow
- Can provide visible guidance to the user on the BYOD process before logging in
- Easier to connect to an OPEN SSID than a PEAP SSID on Windows OS, especially since setting up the supplicant is sometimes an issue. Anyone can connect to the OPEN SSID and open a page to log in
Cons
- Apple devices require users to switch networks manually
- Requires Fast-SSID switching
SINGLE SSID
Pros
- User experience is better for iDevice users as SSID switching from OPEN to SECURED does not require user intervention
- This is a unique capability of ISE: competitors like Aruba force the user to log in twice, while ISE can take the user information from the 802.1X session without asking the user to log in again to the web portal
- Fast-SSID switching does not need to be enabled
- Ability to differentiate access in stages
- The user connects to PEAP and gets secured access for internet and basic connectivity to employee portals and webmail, and is not required to onboard. When the user attempts to access internal resources, they are asked to onboard for more security and better management of their devices using the My Devices portal
Cons
- User has to manually launch a browser (Apple mini browser not supported in this flow)
- Some Windows desktop OSes may have difficulty connecting to the PEAP network without modifying some of the settings on the supplicant.