
ISE BYOD Onboarding Single vs Dual SSID

Cisco Employee

My quick analysis on why you would want to use Dual or Single SSID for ISE BYOD Device Onboarding (Native Supplicant and Certificate Provisioning)

DUAL SSID

Using employee credentials, the employee can go directly through onboarding via the CWA portal.

Or, as another option for internet access only:

Using employee credentials, the employee can get internet access via the CWA portal and can then be directed to onboard with Single SSID.

Pros

  • The ISE 2.2 Apple mini browser works in this flow
  • Can provide visible guidance to the user on the BYOD process before logging in
  • It is easier to connect to an OPEN SSID than to a PEAP SSID on Windows OS, especially since setting up the supplicant is sometimes an issue. Anyone can connect to an OPEN SSID and open a page to log in

Cons

  • Apple devices require users to switch networks manually
  • Requires Fast-SSID switching

SINGLE SSID

Pros

  • User experience is better for iDevice users, as SSID switching from OPEN to SECURED does not require user intervention
  • This is a unique capability of ISE: competitors like Aruba force the user to log in twice, while ISE can take the user information from the 802.1X session without asking the user to log in again to the web portal
  • Fast-SSID switching does not need to be enabled
  • Ability to differentiate access in stages
    • The user connects with PEAP and gets secured access for internet and basic connectivity to employee portals and webmail, and is not required to onboard. When the user attempts to access internal resources, they are asked to onboard for more security and better management of their devices using the My Devices portal

Cons

  • The user has to manually launch a browser (the Apple mini browser is not supported in this flow)
  • Some Windows desktop OS versions may have difficulty connecting to a PEAP network without modifying some of the settings on the supplicant.