I was recently asked how to do ISE BYOD (Bring Your Own Device) without the need for Native Supplicant Provisioning (NSP) and/or certificate provisioning.
This request was for a healthcare customer that wanted their staff to register their personal devices and also wanted to limit how many of these devices can be registered for access to the network. This also gives their users the ability to manage their devices via the My Devices Portal, including adding lightweight devices (such as Kindles with a limited browser). They can also delete a device if they are no longer using it, or blacklist it if it is stolen or lost.
They weren't ready to start getting into certificates, which is the recommended way to deploy BYOD, as it provisions a unique credential per device. If a device is lost you can revoke its certificate through the My Devices or admin portal(s). They were aware that without certificates, if a device is lost they would need to have the helpdesk reset the user's AD credentials, since the device holds the user's password rather than a per-device credential.
Here is a basic write-up on how this is done with ISE 2.x:
This is the setting that is used so that an NSP is not required under the Client Provisioning Policy (CPP). You don't need to do any configuration under CPP.
You could also use this to support devices that do support Native Supplicant Provisioning (Windows, OS X, iOS and Android) by adding CPP rules for those operating systems; they would go through PEAP > EAP-TLS or OPEN > EAP-TLS (this would require the configuration described on the design guides site), while devices such as Windows Mobile or BlackBerry would still be allowed access as registered-only and would use the rules below.
Administration > System > Settings > Client Provisioning
So that your users are not required to click through an install and instead go straight to registration success, remove any policies for NSP BYOD under your Client Provisioning Policies.