Sponsored BYOD allows an administrator or other authorized employee to generate temporary credentials on behalf of another employee. These short-term credentials permit the selected employee to register their personal device and, optionally, to configure the native supplicant and provision certificates to that device for secure access to the corporate network using 802.1X.
This document was created by chyps for ISE 1.3. I will be testing this out on ISE 2.x at some point as well. I wanted to share this as some have asked how to provide BYOD for users using Guest Credentials, as they have a policy not to expose their AD credentials over wireless.
Current ISE limitations:
- Sponsor portal is intended to generate guest accounts only.
- ISE Device Registration and Native Supplicant Provisioning (NSP) are intended for employees or other non-guest accounts.
- Default ISE policy bypasses Device Registration and NSP for all guest users.
Solution:
- Manager uses the ISE sponsor portal to create a guest account for an employee.
- Guest username policy is set to match the employee user ID, for example an email address.
- Manager assigns the “guest” account to a specific ID group, for example “EmployeeNSP”.
- New Authorization Policy rule matches ID group and applies NSP authorization.