
Connection for corporate ssid for non domain devices

jain.manish94
Spotlight

How can we add an exception to ISE so that a tablet (not domain joined) can access corporate Wi-Fi? We are using EAP-PEAP.

 

This is very urgent for me, if anyone can send me the setup.

9 Replies

balaji.bandi
Hall of Fame

How is your authentication? In this case you need to do MAB authentication.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Please, can anyone tell me which one I can implement easily?

We want to use a Samsung tablet, iPhone and TV with that corporate SSID; please suggest any good configuration. I heard about BYOD but don't know the concept.

 

Can we use this BYOD for all non-domain devices?

Regarding the WLC, I am using legacy devices: a 4400 WLC with version 7.2 or 7.0.

 

For RADIUS I am using Cisco ISE version 3.0.

Now please let me know what options are available to complete the setup.

7.2 is too old for me, but the above-mentioned URL is still valid for you to deploy and test it.

(If you are not sure, then we suggest hiring a consultant who can integrate it for you.)

BB


Hello Team,

I am using a single corporate SSID for corporate devices which are domain joined and use EAP-PEAP. With the same SSID I want to connect some Samsung tablets which are not domain-joined devices. Here I am thinking of the steps below; could you please help me and tell me if I am thinking correctly or not?

---------------------------

If you have a domain-joined laptop with an AD user:

Laptop tries to join the corp SSID.

WLC sends the request to ISE to check.

ISE checks that the laptop is domain joined: perfect.

Then ISE checks if the AD user is valid.

Then ISE authenticates the user and he has access to the internal network + internet.

Correct?

 

-------------------------

 

Now you have a tablet which is not domain joined but has an AD user.

Tablet tries to join the corp SSID.

WLC sends the request to ISE to check.

ISE checks that the laptop is not domain joined and does not allow access to the internal network + internet.

Correct?

-----------------------------------------------------

And now you add an OR condition to ISE where it checks if the device is domain joined.

So the condition will be:

Is the device domain joined, or is the device MAC address on the list?

Yes: allow. No: deny.

 

Now you have a tablet which is not domain joined but has an AD user.

Tablet tries to join the corp SSID.

WLC sends the request to ISE to check.

ISE checks that the tablet is not domain joined, but the MAC address is on the list -> allow.

Then ISE checks if the AD user is valid.

Then ISE authenticates the user and he has access to the internal network + internet.

-----------------------------

 

-----------------------------------------------------------------
On the WLC I have configured [WPA2][Auth(802.1X)] for the corp SSID.

----------------------

If my understanding is correct,

because here I am using the same corp SSID for both devices which are domain joined and some which are not domain joined, but making some policy on Cisco ISE for MAC addresses.

Unless you are using AnyConnect or EAP-TEAP, you're not going to be able to check both machine and user credentials, as you need EAP chaining to do two different authentications.

 

Would suggest:

EAP-TLS (User certificates deployed via Group Policy to laptops) - these get corp access

EAP-PEAP (users with the BYOD user group) get access to BYOD

 

You could potentially look at other RADIUS attributes that a corporate device provides and see if one of them is able to be used in the policy, but I haven't seen that work well before.

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

My corporate laptop is using one corporate SSID, using EAP-PEAP.

Can I make any policy on Cisco ISE to allow the MAC addresses of some non-domain devices that want to connect to this corporate SSID of ours?

If there is any other option, please let me know.

 
