ISE 1.2: Employee with personal device registration

Similar Messages

• ISE v1.1.2 onboarding without device registration?

  Hello experts,
  Is it possible for one to configure onboarding without having to register the device within the supplicant provisioning work flow? If so, how can it be accomplished?
  Any input is appreciated.
  Fadi Ashour

  You are correct if you choose to use only the dynamic profiling policies. However, when you use supplicant provisioning the device then gets statically assigned the registereddevices endpoint identity group. Future release should set an attribute for the endpoint (this is my assumption) while maintaining the dynamic profiling based on the endpoint OS.
  Here is a note in the release notes that make mention that these devices are registered in the registereddevices endpoint identity group:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mydevices.html#wp1070044
  Thanks,
  Sent from Cisco Technical Support iPad App

• ISE 1.2 device registration with MAB only, no client provisioning

  Hello,
  Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning ?
  I do not want to push certificates or native supplicant profiles to client devices.
  I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.
  Then if MAC is known (in this group), skip registration and allow full access to the VLAN.
  Right now, i am stuck on the registration portal that says "The system adminstrator has either nog configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
  Am i really obliged to use native supplicant provisioning to register my device ?
  GN

  Hi
  Device Registration web auth is a process where you can configure user without client provisioning.
  In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
  1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with a AUP acceptance page when the guest user attempts to go to any URL.
  2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
  3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
  4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
  5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
  6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.

• ISE device registration webauth with wlc 7.0 lwa

  Is it possible to use the DRW feature with WLCs running 7.0 code?  All configuration examples refer to 7.2 code.  Its only for guest user device registration.  No profiling / provisioning.
  Compatibility matrix says that "Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like."
  Thanks.

  Hi,
  The reason you need to run the upgraded code is that the radius NAC feature coupled with a mac-filtering enabled SSID will work together. On the release prior you were unable to get both features to work with one another.
  For your reference here is the item in the New Features section of the 7.2 WLC release notes:
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314
  thanks,
  Tarik Admani
  *Please rate helpful posts*

• Ise 1.2 Device Registration not auto filling the MAC field

  Hello
  I have installed 1.2 and when guests login, they get the new (not improved imo) device registration portal, but the field where they have to enter the MAC adress is empty, I can remember it was prefilled in previous ISE versions.
  Is this normal beheavior on 1.2? I have configured calling station ID on MAC instead of IP, any other things that I need to configure to get this working?
  90% of the users doesnt know what a MAC adress is, or where to find it.
  Greetings
  Steven

  Peter, I am glad you like my slides (although not sure I ever published this version outside Cisco!).
  Steven, It sounds like you have enabled the option in the Guest Portal to allows Device Registration.  This option is intended to be used by Guest accounts only and does NOT support auto-populate of MAC address.  This was a very limited feature introduced in 1.0.
  This feature should not be confused with the DRW or NSP flows for device registration.  For the purposes of device registration with web auth, both CWA+DRW and CWA+NSP flows are working in ISE 1.2 Patch 7.  However, CWA+NSP flow will not work for guest user accounts if enable the Supplicant Provisioning option in the web portal. The intent of the NSP flow is for employee accounts doing BYOD, and not for guest users.  That said, it will still work if redirect successfully authenticated guest users to NSP using the Network_Access:UseCase=Guest_Flow condition (and optional match on Guest role).
  I would recommend CWA+DRW option for Guest users as it is simpler, more streamlined, and you can specify a unique Identity Group such as "GuestEndpoints" to these devices.  This makes future cleanup easier and maintains them separately from employee RegisteredDevices.  ISE 1.2 ERS API can be used to programmatically  to delete these endpoints periodically.
  Hope that helps to clarify.

• ISE 1.3 - My Device registration - different "access levels"?

  Hi,
  I am trying to figure out a way to let "special users" be able to register more than x-devices. In my lab I've restricted employees to 3 devices, but in some cases these "special users" must be able to register more that that. Is this possible without giving them access to the ISE-management?
  With "registration" I'm think of both onboarding and pre-registration in the My device portal. 
  Say that AD group XYZ (normal users) can register 3 devices, and group ABC can register 20. 
  If this is not possible or no easy workaround available, can it be a feature request? And how can I submit this as a feature request?

  Are you using Safari or another browser? You need to use Safari as Chrome will show an error message like unsupported browser...
  I did the NSP with an iPad iOS 8.1.1 and ISE 1.3 and it worked fine...
  ISE 1.3 compatibility was just released today and says 8.0 is officially supported; does not mention 8.1:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html
  Patrick

• ISE integration with Mobile Device Management ( MDM ) help required

  Dear Techies,
       Am here bring to your notice an different issue and no much resources to support even in PEC or Cisco Document.
       We are conduction a Proof Of Concept (PoC) on  Secure Bring Your Own Device ( BYOD ) using Cisco ISE and gonna test all the scenarios like Wired, Wireless and VPN user access.
  Setup Brief :
  =========
        Our Setup has  ISE VM acting as Admin, Monitor and Profiling Device, we have NAC 3315 physical Appliance as Inline posture Device, Wireless LAN controller, Access point and the Identity source as Microsof Active Directory
       Having Plans to Integrate Mobile Device Management ( MDM ) and Citrix VDI setup also.
  Activity Brief:
  =========
       As of now we have tested the Wired Scenario Authentication and authorization for guest users and gonna carry out the profiling and posture.
  Clarifications Required
  ================
  Wired Scenario - Require some configuration / steps on how to carryout posture for the guest wired users i.e. LAPTOP.
  Wireless Scenario
  MDM can be integrated to ISE ? 
  How the MDM can be integrated to Cisco ISE configuration or Guide to show the same?
  What is the demarcation between MDM and ISE ( i.e. What is the role of ISE and MDM on Mobile Devices ) ?
  If MDM is available so then when the control of ISE ends, does MDM do management or ISE will do management of the devices ?
  Is MDM will do client provisioning or ISE should do ?
  Is MDM send or update patches of Mobile Devices ?
  As of now these are the scenarios, kindly revert if any good documents to show this or share your expertise on the Integration Part.
  Thanks for Reading...
  Arun

  I would like to avail your valuable inputs to understand on the  Client provisioning part for the Mobile Devices/ Laptop. I understand  from your reply that MDM integration is not available in the current  release ISE 1.1 - That is correct.
  Kindly let me know your views or any documents on the following scenarios with the current release in mind
  1. User  with Mobile devices connecting to Wireless  ( both Employee  and Guest ) , How the Flow differs for the Employee and Guest.  How the  client provisioning is done ( i.e. Like Posturing  or Compliance Check  ).
  The posturing and compliance check is done based on the user authentication information (i.e. AD memberOf vs Guest user) combined with the users endpoint (windows, mac osx, or a mobile device), ISE then has a few decisions to make based on the authorization policies. For example, if a Domain User coming from a Windows 7 machine joins the network, then can either use the nac agent, or the web agent. Then you can scan for registry settings, file settings, program requirements, hotfix compliance...and the list goes on. If the user fails a check then you can either assign an acl for the user so they only have guest access, or you can place them into a remediation vlan the options are entirely up to the requirements and however the solution is implemented.
  2. User  with Laptop  connecting to Wireless  ( both Employee  and Guest ). How the client provisioning is done ( i.e. Like Posturing   or Compliance Check ).
  Guests are usually redirected to the guest portal which they authenticate and their user group falls within the Guest container that is on the ISE internal database, that is usually coupled with an authorization profile that grants them internet access. For the client provisioning, that is usually done based on the operating system, via profiling (dhcp, and user agent string., netmap...etc) and can be fine tuned for all laptops or to a specific set of users based on their group membership.
  3. What are advantages of having ISE also in  place for Mobile devices, since most of the Mobile related tasks ( like  Authentication, Authorization, Profiling and  Posture ) are carried out  by MDM. I am checking for the significant advantage of having ISE for  Client network having only Mobile devices. Kindly clarify.
  Currently the advantage of Cisco ISE is that it supports profiling within wireless and really fits well within a network that has mostly Cisco products since they are all part of of the Borderless security initiative being driven on the backend. The product teams for wireless, wired, security (vpn..etc) and ISE are pretty close in building their solutions so that you can get connected with any device any where (sorry for the sales pitch). The latests wireless code is improving and is going to have support similar to the ios sensor for wired devices where dhcp, cdp, and other attributes can be sent in the radius packet for better profiling decisions. With integration for an MDM platform coming soon, and also support for TACACS rumored (have to verify with your account rep) you have options that really stand out from a unit that only supports MDM. Cisco ISE also comes with a wireless product ID so that makes the budget work when it comes to deploying ISE if you arent looking for enforcement on your wired devices.
  4. Do you recommend 802.1X Authentication to use for the Employee and Contractor? The Guest user  authentication as Open ?
  For internal users and vendors the best option by far is dot1x, almost all operating systems are capable of performing dot1x and the 1.1.1 MR has a piece now that can provision the supplicant for the users, by using scep to enroll certificates or configure peap settings.
  There is a feature within the guest portal that allows you to statically assign guests into endpoint group, that feature is called device registration web authentication. It seems like an open network but uses mac filtering to assign these devices to an endpoint without requiring users to enter any credentials. They are presented with an AUP page, once they accept their mac address is mapped to the endpoint group
  5. How can we ensure the Encryption of traffic from the Guest user to the NAD ( Network Access devices ) ?
  This may be a wireless question but I am sure the encryption is done using AES and using dot1x as the key management here is a brief background for this - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#L2
  You can also use the anyconnect client which can provide macsec which is layer 2 encryption for wired - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html
  6. We are also looking for VDI  ( Citrix, VMware ) solution for the  client  ( both Employee and Guest ) , how ISE can play a role in  securing the VDI environment.
  For most thin clients you can perform dot1x authentication on the device itself, however that is something the manufacturer will have to support. This is a little gray for me.
  7. Is that any integration required  with Citrix or VMware. How the  VDI can be offered based on the User  role ( i.e. Employee, Contractor or Guest ), since Guest database is  available only with ISE, how the checks are made from the VDI  environment.
  IN ISE there is an identity sequence which can authenticate users in AD first, if the user is not found then it can look in the internal database.
  Our solution demands  MDM in the integrated  solution, As on today ISE cant be integrated with MDM. so what kind of  solution we can propose to have MDM and Cisco ISE .Do the clients now  enter the network should have already installed the MDM agent (or) any  other way of pushing the same to the Client.
  Today there is no integration between the devices, the last release time I heard was December for this feature. However it would be best to confirm with your Cisco Account rep on this issue.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE 1.2 Guest Portal - Device registration portal

  Hello,
  I have a problem with the following setup:
  - Cisco ISE 1.2 (latest patch)
  - Cisco WiSM with 7.0.220.0 (first generation)
  I have build Guest access via ISE. Because the WiSM's highest version is 7.0.X I used LWA with a redirect to the ISE guest portal. When using the Guest SSID with a iPad the client is redirected to the ISE guest portal and the user can enter his credentials (deliverd by the Sponsor). After clicking "Sign On" the client is forwarded to the "Device Registration Portal" of ISE and need to register his MAC address.
  We have try a lot of differend settings but we cannot switch off the forward to the "Device Registration Portal". We only want to use the Guest User portal.
  Please can someone help me to find a solution for this problem?
  Thank you in advance.

  I know this might be reaching, but have you turned off the My Devices portal?
  If so, an idea of the different settings you have already tried might help.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• ISE 1.2 Device registration problem

  I'm trying to get the device registration to work, but keep getting "Device not supported" or "Unable to obtain the user information".
  I cannot seem to find any information on those errors from the manuals.
  What are the possible solutions to get it working ? If the device is not supported, does it mean, that the profiling failed or something else ?
  ISE 1.2

  Hi Harri,
  What kind of authentication are you doing for these users? MAB, Dot1x? Also is this issue seen with all devices, or just a few ( i.e. same type, same vendor...)?
  If this is self-registration for guest users, there is a known issue with using Custom Guest Portal. The defect details are given below :
  https://tools.cisco.com/bugsearch/bug/CSCui77336/?reffering_site=dumpcr
  Therefore if you are using the custom portal, can you instead try with a default portal?
  Thanks,
  Aastha

• Cisco ISE 1.2 - Problem with Device Onboarding of internal users using AD Credentials

  Dear experts,
  We have implemented ISE 1.2 with WLC 7.5 in our organization. We are using Device Onboarding by letting the users enter their AD Username and Passowrd on Guest portal which then redirects them to device registration portal where they simply register their device and they get internet access.
  The problem is that some users are unable to authenticate using this portal while some can successfully authenticate and register their devices. All users are of the same group in AD. Also, we have enabled this check on two places. One is when users connects to the SSID where the security WPA2-Enterprise uses 802.1x and asks for AD username password. The other is on the portal.
  All users are able to connect to the SSID using their AD credentials. However, 30% of the users are not being authenticated when they are redirected to the Guest portal for device registration. Also, it gives no error or event on either ISE or on the mobille device. When the users enters their credentials, the same guest portal page comes back blank with no errors or logs anywhere.
  Can someone guide me if there is some configuration mistake that I may have done or have someone faced this same issue and were/weren't able to resolve it.
  Thanks in advance.
  Jay

  Our problem got solved. It was related to a few user accounts in AD. Usually any authentication on AD User Account is carried out using the User ID. However, during Web Authentication, Login ID/Name is also checked by ISE and should be same as User ID.
  The problem you are facing might also related be to AD since we had the similar issue. try to check this on a laptop as the mobile portal gives no error if the user is unknown or invalid. Also, you can enable logs for web authentication which are off by default. It will give you a pretty good idea where the problem lies. And yeah, do not keep the web authentications log on for long, it can hang your ISE.
  Anyways, thanks for all the support.

• ISE 1.3 IOS 8.1 Unsupported Browswer Error in Device Registration Page

  I recently upgraded to ISE 1.3.  We are now getting unsupported browser errors in the device registration redirect page on ipad and iphone IOS devices running 8.1.  We are running 7.6 as 8.0 was unstable with ISE1.2.1.  The device registration redirect page worked fine with these same devices in ISE 1.2.1.  Is there a work around short of turning off registration?  The "mydevices" page seams to work, but does not populate the mac addresses of the devices like the device registration page does.

  Are you using Safari or another browser? You need to use Safari as Chrome will show an error message like unsupported browser...
  I did the NSP with an iPad iOS 8.1.1 and ISE 1.3 and it worked fine...
  ISE 1.3 compatibility was just released today and says 8.0 is officially supported; does not mention 8.1:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html
  Patrick

• How do I skip the Device Registration Portal for Cisco ISE web portal

  I have set up a sponsor and guest portal system for wireless guest access to the internet using ISE v1.2.0.899 virtual and WLC 5500 runninng 7.4. After logging into the intial page, the guest user is directed to the Device Registration Portal. Entering a MAC address value puts the user in a continuous failing loop. But, if they just hit the "continue" button at the bottom of the page, they will be directed onward and have internet access as was intended. I have no requirement for guest users to register their devices. What do I need to do to remove the device registration portal from the log on sequence for guest user access? Thanks!

  Hello Scoot,
  you make a list of the MAC add of coperate devices. and set a rule if authentication doesn't happen only these devices can do the self  registration.
  I hope this works for you

• What is the "best" way to configure iTunes on an iMac with personal user acounts so each user can access the media library but sync devices on their personal user account?

  I am trying to determine the best way to set up our imac so each user account can access the same media (songs, movies etc.) through itunes and also back up and manage their personal devices under their own personal user account.  There are 4 users on our iMac.  Me, my wife, and our 2 children.  We have built an extensive library of music/media together using the same iTunes store account.  I would like to establish a seperate apple id and iTunes store account for each of us going forward but have the ability for each of us to share our purchases.  What is the best way to configure our system and devices in order to allow shared access to media and at the same time allow for individual management of devices including contacts, apps, photos, etc. Please help, I would like to do this once!
  Thank you in advance! 

  OK, seeing as no-one replied (presumably because a lot of this information is on the forums in bits elsewhere) here's how I've got on so far.
  Applications - just went through them.  About the only one I needed was my media server app.  Just downloaded and re-installed, had a quick look back though my email to find the license key and it all went on fine.  Installation never seemed quite right on my old machine so solved that problem too. 
  Movies - New iMovies just copied across the clips and projects into their respective folders.  Seems to have worked but haven't checked it all that thoroughly.  Some duplicate footage here but I can trim this out at some point when I get a chance to go through here. 
  Documents - Just copied these across. 
  Photos - used an app called iPhoto Library Manager.  You can download for free but have to pay to use the part that consolidates your libraries.  Possibly if I was willing to spend a bit more time I could have got away without using this but given I didn't know the state of my different libraries and just how many duplicates I had this was too much of a convenience to ignore.  Also got my library into a state where I can now spend a few hours organising it a bit better with Faces / Events etc. 
  Not attempted Music or iPhone sync yet as been stuck trying to solve a problem with my power adapter. 

• How are businesses handling the "APPLE LOCK" on company cell phones when an employee leaves and their phone is unusable because the euipment was set up on the employee's personal Apple Account with their ID and password?

  How are businesses handling the "APPLE LOCK" on company cell phones when an employee leaves and their phone is unusable because the euipment was set up on the employee's personal Apple Account with their ID and password?  When an employee leaves a business and the company has purchased the equipment, the company should have the rights to reissue the equipment and Apple should provide an alternative to unlock the equipment from the employee's personal APPLE account and password so the company (that purchased the equipment) can reissue the line and equipment to another employee.

  If you can prove ownership to Apple, they may be able to help you.
  The best way of handing things would be strong policies requiring that the equipment be turned in in a usable state. i.e. not activation locked. Failing this, the employee should be charged the cost of the replacement phone. Held from their final paycheck if required.

• Wireless Guest Portal with Device registration

  Hi,
  I have configured the ISE for wireless guest authentication. Once i got the guest portal and enter usernam/password, it redirecting to Self Provisioning portal for  Device Registration. (attached)
  I have unchecked the option "enable my device portal" under My Device-->Portal configuraiton (attached)
  Can someone please advise, why I'm still getting Self provisioning portal, although I might need this later for On-board provisioning, at this time I just want guest user authentication and allow access to internet.
  Thanks in advance.

  I think you should disable in the DefaultGuestPortal (Administration >> Web Portal Management >> Settings >> Guest >> Multi-Portal Configurations >> DefaultGuestPortal >> Operations  .... Uncheck the option Enable Self-Provisioning Flow
  Daniel Escalante.