ISE BYOD: Dual vs. Single SSID Onboarding

howon · ‎07-27-2017

In general it is recommended to minimize number of SSIDs. Also, if the guest access is using hotspot access then single-SSID BYOD is recommended as the open SSID using hotspot portal cannot be used for initial BYOD portal at the same time. With Single-SSID BYOD, the endpoint associates to a secure WLAN gets onboarded then after the endpoint automatically reconnects the endpoint is granted full network access via same WLAN.

If guest access is utilizing one of the named guest account, then same guest portal can be used for employee BYOD portal. This flow is called Dual-SSID BYOD, where the endpoint is associated to a provisioning WLAN which is typically shared with guest access. When the ISE confirms that the user is an employee user, then ISE will direct the user to the BYOD flow where the endpoint gets onboarded. Once provisioned with the WLAN settings and possibly CA signed certificate, then the endpoint is reconnected to the secured WLAN for full network access.

	Single SSID	Dual SSID
Pros	User experience is better for iDevice users as SSID switching from OPEN to SECURED does not require user intervention This is a unique capability of ISE where competitor solution forces user to login twice while ISE can take user information from 802.1X session without asking for the user to login again to the web portal	Some organizations prefer having a dedicated SSID for on-boarding devices. Can provide visible guidance to the user on the BYOD process before logging in Better security: User can confirm that the BYOD server is legitimate as the user does not get prompted to manually trust the EAP certificate ID Store is LDAP and cannot start with PEAP with MSCHAPv2 currently to LDAP store Wired deployment where cannot assume client already has 802.1X enabled on wired interface Can be configured to use secured SSID that is not broadcasting In the case of dual-SSID flow, BYOD portal can be configured to allow guest access if employee does not want to go through the BYOD flow
Cons	When end users connect to the SSID for the first time there is no easy way to validate whether server provided certificate is from the trusted source	Fast-SSID change setting needs to be enabled on the WLC to accommodate iOS devices Others see dual SSID as an extra management burden. A second SSID adds channel overhead and may degrade wireless performance Requires iOS users to manually switch SSID

GQ · ‎07-27-2017

Great consolidation. I would add that I had a fairly consistent experience across the 4 major OS types using single SSID, so it seems like a strong candidate to me.

Perhaps the dual approach might be good if we're already using an open SSID for guests

Guillaume BARBEROT · ‎10-29-2019

Hello howon

You put "Fast-SSID change setting needs to be enabled" as a "con" to single-SSID solution (if i understand your table correctly)

Refering to : https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0100100.html#concept_oqt_gmv_4x__section_awc_yjr_fz

I understand that Fast-SSID needs to be enabled for dual-SSID solution, so i would have set this "con" for dual-SSID solution (so in the box on the right in your table)

Can you clarify that ?

Thanks,

Guillaume

howon · ‎10-29-2019

Guillaume, thanks, corrected. Surprising it was never brought up till now.

feene1 · ‎08-24-2020

Isn't there a large risk when running Single SSID? The user needs to make sure that the server cert is a trusted cert when authenticating with username and password. Otherwise credentials could be taken by a rogue impersonator correct? I have noticed some mobile platforms not taking invalid certs seriously ie Andriod. For that matter users... :)