Jason Kunst
Cisco Employee

Overview

I was recently asked how to do ISE BYOD (Bring Your Own Device) without the need for Native Supplicant Provisioning (NSP) and/or certificate provisioning.

This request came from a healthcare customer that wanted their staff to register their personal devices, and to limit how many of these devices can be registered for access to the network. This also gives their users the ability to manage their devices via the My Devices Portal, including adding lightweight devices (such as Kindles with a limited browser). They can also delete a device they no longer use, or blacklist it if it is stolen or lost.

They weren't ready to start getting into certificates, which is the recommended way to deploy BYOD because it provisions a unique credential per device. If a device is lost, you can revoke its certificate through the My Devices or admin portal(s). They were aware that with this approach, if a device was lost, the helpdesk would need to reset the user's AD credentials.

 

Here is a basic write-up on how this is done with ISE 2.x:

 

This is the Client Provisioning setting used so that an NSP is not required. You don't need to do any configuration under the Client Provisioning Policy (CPP).

 

You could also use this alongside devices that support Native Supplicant Provisioning (Windows, OS X, iOS and Android): by adding CPP rules for those OSes, they would go through PEAP > EAP-TLS or Open > EAP-TLS (this requires the configuration described on the design guides site), while devices such as Windows Mobile or BlackBerry would still be allowed access as registered only and would use the rules below.

 

Administration > System > Settings > Client Provisioning

 

So that your users are not asked to click Install and instead go straight to Registration Success, remove any NSP BYOD policies under your Client Provisioning Policies.

 

Set how many devices can be used

Administration > Device Portal Management > Settings > Employee Registered Devices

 

There are 2 authz profiles:

- One that returns the WLC redirect ACL and redirects to the BYOD/NSP portal

- Another NSP profile that permits access with the WLC permit ACL - NOT SHOWN

And a blacklist profile that's already built in - NOT SHOWN

 

Authz rules

Here are the needed rules:
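As an added illustration (not part of the original post, and not ISE's own code), the following Python model shows how the three pieces above fit together: the rule order (built-in blacklist first, then registered devices get the permit ACL, then everything else is redirected to the BYOD portal) and the per-employee device limit enforced at registration in My Devices. Profile names, ACL names other than ACL_WEBAUTH_REDIRECT, the endpoint attribute names and the limit of 3 devices are all assumed values for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed value; in ISE this is set under
# Administration > Device Portal Management > Settings > Employee Registered Devices
MAX_DEVICES_PER_EMPLOYEE = 3

REDIRECT_ACL = "ACL_WEBAUTH_REDIRECT"   # WLC redirect ACL named in the comments
PERMIT_ACL = "ACL_PERMIT_REGISTERED"    # hypothetical WLC permit ACL name


@dataclass
class Endpoint:
    mac: str
    byod_registered: bool = False      # stands in for the endpoint's BYOD registration flag
    identity_group: str = "Unknown"    # "Blacklist" is the group the built-in rule matches
    owner: Optional[str] = None


@dataclass
class Session:
    endpoint: Endpoint
    user: str
    ad_authenticated: bool             # PEAP/MSCHAPv2 against AD succeeded


@dataclass
class AuthzResult:
    profile: str
    airespace_acl: Optional[str] = None
    redirect_portal: Optional[str] = None


def authorize(session: Session) -> AuthzResult:
    """Evaluate the rules top-down, first match wins (as ISE does)."""
    ep = session.endpoint
    # Rule 1: blacklist first, so a lost device that is still registered
    # can never fall through to the permit rule below.
    if ep.identity_group == "Blacklist":
        return AuthzResult(profile="BLACKHOLE_WIRELESS")  # placeholder for the built-in blacklist profile
    if not session.ad_authenticated:
        return AuthzResult(profile="DenyAccess")
    # Rule 2: registered personal devices get full access with the permit ACL.
    if ep.byod_registered:
        return AuthzResult(profile="PERMIT_REGISTERED", airespace_acl=PERMIT_ACL)
    # Rule 3: authenticated but unregistered -> redirect ACL plus BYOD portal.
    return AuthzResult(profile="REDIRECT_BYOD_PORTAL",
                       airespace_acl=REDIRECT_ACL, redirect_portal="BYOD Portal")


class DeviceRegistry:
    """Models what the BYOD portal / My Devices portal does to endpoints."""

    def __init__(self, max_devices: int = MAX_DEVICES_PER_EMPLOYEE) -> None:
        self.max_devices = max_devices
        self.devices: Dict[str, Endpoint] = {}

    def registered_for(self, user: str) -> List[Endpoint]:
        return [e for e in self.devices.values() if e.owner == user and e.byod_registered]

    def register(self, endpoint: Endpoint, user: str) -> Endpoint:
        """Registration Success step: mark the endpoint as this user's device."""
        existing = self.devices.get(endpoint.mac)
        if existing is not None and existing.identity_group == "Blacklist":
            raise PermissionError("blacklisted device cannot be re-registered")
        if len(self.registered_for(user)) >= self.max_devices:
            raise ValueError(f"{user} already has {self.max_devices} registered devices")
        endpoint.byod_registered = True
        endpoint.owner = user
        endpoint.identity_group = "RegisteredDevices"
        self.devices[endpoint.mac] = endpoint
        return endpoint

    def blacklist(self, mac: str) -> Endpoint:
        """Lost/stolen action in My Devices: move the endpoint to the Blacklist group."""
        ep = self.devices[mac]
        ep.identity_group = "Blacklist"
        return ep

    def delete(self, mac: str) -> Endpoint:
        """Delete action in My Devices: the device goes back to unregistered."""
        ep = self.devices.pop(mac)
        ep.byod_registered = False
        ep.owner = None
        ep.identity_group = "Unknown"
        return ep


def demo() -> List[str]:
    """Walk one device through the lifecycle and return the profile hit at each step."""
    reg = DeviceRegistry(max_devices=MAX_DEVICES_PER_EMPLOYEE)
    phone = Endpoint(mac="00:11:22:33:44:55")          # constructed MAC
    sess = Session(endpoint=phone, user="alice", ad_authenticated=True)
    hits = [authorize(sess).profile]                    # unregistered -> redirect
    reg.register(phone, "alice")
    hits.append(authorize(sess).profile)                # registered -> permit
    reg.blacklist(phone.mac)
    hits.append(authorize(sess).profile)                # lost -> blackhole
    return hits


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that the blacklist check has to sit above the "registered" rule: the stolen device still carries its registration, so the only thing keeping it off the network is rule order, plus the helpdesk resetting the user's AD password as the post notes.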

 

Please rate my blog! Thanks!

6 Comments
Saius Exus
Level 1

Nice configuration, did the same thing on my ISE.

Do you have a solution for getting the root CA certificate that signed the EAP cert of ISE to the clients?

Without this the connections from Android, for example, would be vulnerable to identity theft. Or is there an easy way to check from ISE if the certificate is installed on the clients?

Certificates and all would be fine, but with Android the way it is I prefer this solution without the need to download something from Google Play.

Jason Kunst
Cisco Employee

Please bring this up in the ISE community as a question

http://cs.co/ise-community

Marc Aemmer
Level 1

Thank you Jason, very helpful post! We configured it exactly as described and it's working fine.

The only thing to complain about is the status shown after a device is registered in the My Devices Portal.

The status remains "Pending". Is this a normal behaviour?

 

Thanks and regards,

Marc

Jason Weids
Level 1

What is the ACL_WEBAUTH_REDIRECT configuration?

MikeFulstow
Level 1

I am trying to configure this in ISE 2.4.0.357, but I am unsure where the AuthZ rules are configured - there is no similar UI that I can find from the example above at the end of Jason's config example. I have been having trouble with clients completing the CA chain for EAP-TLS for BYOD, so I would like to try this as an alternative method for BYOD. Also, as local admin rights are required for the EAP-TLS certificate import, this is an issue for the users we want to use the service - they don't have elevated privileges. I am new to ISE at this level so any help would be gratefully received.

I did exactly the same but ISE still sends a Native Supplicant to the client asking to be downloaded, any ideas why?
