04-27-2017 03:14 PM
I am working to replicate the ClearPass features on ISE and I am struggling, so I need some expert direction to configure ISE 2.2.
ClearPass features
BYOD users will be created by connecting to the Guest SSID and having an additional portal option that allows internal users to register for a BYOD account. This portal option will only allow users with a matching e-mail domain string to register. Once registered on the portal, the user will reconnect to the BYOD 802.1X SSID using their e-mail address as the username and the password mailed to the user.
This works with onboarding 1 of their devices per user.
It needs to be presented to the customer in a monthly report of which devices each registered user has.
BYOD devices should be purged every month, and the users have to re-register their devices again.
The whole idea is to keep the wireless and ISE completely separate from the internal network infrastructure, so federation is available to verify the users, and the only way to work with the user is to lock them down to their e-mail address and use e-mail as the federation mechanism.
ClearPass is working nicely, but the customer is moving to ISE, so I need some help with this.
Thanks,
Nilay.
04-27-2017 05:29 PM
BYOD works with internal accounts.
We don't have e-mail address verification or validation.
There is no approval flow or notification.
It seems like you want a guest registration approval flow and to use the guest account to go through onboarding?
04-27-2017 05:02 PM
Nilay,
I don't have an answer for you yet, but I am curious why they don't want to AD-integrate ISE or LDAP-integrate ISE to AD?
04-27-2017 05:44 PM
It is a little complex to explain, but it is for security reasons due to a high-profile customer. It is one of the mandatory requirements in the requirements paper.
04-27-2017 05:52 PM
How about allowing it to register BYOD devices through the guest self-registration portal with a separate link, which registers devices, or with an approved username and password that will allow use of the BYOD 802.1X SSID only, not guest?
Can device onboarding be configured with the guest portal?
Can two links be available on the Guest page: 1) Guest registration and 2) BYOD registration?
BYOD registration devices fall under their own container, and BYOD 802.1X looks at that container for authentication.
Guest self-registration falls under its own container, and the Guest portal looks at that container to authenticate guests.
During both processes the sponsor or BYOD owner should receive an e-mail with the authentication details.
That sponsor/BYOD owner e-mail address should be locked down via a domain string.
The reason is:
Guests should be allowed 1 day of access, but company employees using BYOD should have a month of access.
I have kind of worked out how to customise the Guest portal, but I am not sure how to populate two links and also restrict one from the other.
Any thoughts or ideas?
I have now created two more posts, one for Guest and one for BYOD, in addition to this post, just to track the individual requests.
The main reason I am struggling to gain the customer's confidence is that ClearPass is working, and ISE needs to work, or come close to it, without AD integration.
04-27-2017 06:01 PM
How is ClearPass validating that the e-mail address belongs to a valid employee?
And how would the sponsors log in to the sponsor portal to create guest accounts if the sponsor portal is not tied to AD?
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
04-27-2017 06:23 PM
On ClearPass, the employee e-mail address is whitelisted by e-mail domain, so it will be @xyz.com and you are only allowed to enter the e-mail ID, not the domain, so that is one lock.
Second, for BYOD or Guest, both registration links come on the guest portal page, so you connect to the guest SSID, and the page comes up with guest username and password and two links to follow:
Need Guest account: click
Register BYOD: click
BYOD registration: you enter your e-mail address and login details will be sent to your e-mail address, which can be used to log in to the BYOD SSID.
Guest registration: you fill out the form; again, login details will be sent to your corporate account, you provide them to your guest and they are on.
So neither instance requires you to log in to the controller; it just creates a random ID. I can do the same thing with ISE as well, but I don't know how to combine it in one page and get a seamless flow, and also divide the authentication containers.
I hope that explains it.
Thanks,
Nilay.
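The domain-locked self-registration flow described in the thread (an allowlisted corporate e-mail domain, a random password mailed to the user, one device per user, a monthly purge, and a monthly report of who registered which device), written out as an added Python example. This is not ISE or ClearPass configuration and not code from any of the posts; the `xyz.com` allowlist, the 30-day lifetime, the sample addresses and MAC addresses are constructed assumptions. The part worth attention is the domain check: the requirement speaks of a "matching e-mail domain string", and a substring match would accept `user@xyz.com.evil.net` or `user@notxyz.com`, so the example matches the full domain exactly after normalising case.

```python
import hashlib
import re
import secrets

# Constructed example data: the corporate domain(s) allowed to self-register.
ALLOWED_DOMAINS = {"xyz.com"}
DAY = 86400  # seconds; timestamps below are plain Unix seconds

# Exactly one '@'; local part cannot contain '@'; domain must be dotted labels.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def email_domain_allowed(email, allowed=ALLOWED_DOMAINS):
    """True only if the domain part is an exact, case-insensitive match for an
    allowlisted domain. Rejects xyz.com.evil.net, notxyz.com, user@xyz.com@evil.net."""
    m = _EMAIL_RE.fullmatch(email.strip())
    if m is None:
        return False
    return m.group(1).lower() in {d.lower() for d in allowed}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ByodRegistry:
    """Hypothetical stand-in for the BYOD account container: one account per
    e-mail address, one device per account, accounts expire after lifetime_days."""

    def __init__(self, allowed_domains=ALLOWED_DOMAINS, lifetime_days=30):
        self.allowed = allowed_domains
        self.lifetime = lifetime_days * DAY
        self.accounts = {}  # email -> {"device", "salt", "hash", "registered"}

    def register(self, email, device_mac, now):
        """Create the account and return the generated password, which the portal
        would e-mail to the user rather than display."""
        key = email.strip().lower()
        if not email_domain_allowed(key, self.allowed):
            raise ValueError("e-mail domain is not allowlisted")
        if key in self.accounts:
            raise ValueError("user already has a registered device")
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.accounts[key] = {
            "device": device_mac.lower(),
            "salt": salt,
            "hash": _hash_password(password, salt),
            "registered": now,
        }
        return password

    def authenticate(self, email, password, now):
        """What the BYOD 802.1X SSID would check: account exists, not expired,
        password matches (constant-time compare on the PBKDF2 output)."""
        acct = self.accounts.get(email.strip().lower())
        if acct is None or now - acct["registered"] >= self.lifetime:
            return False
        return secrets.compare_digest(acct["hash"], _hash_password(password, acct["salt"]))

    def purge_expired(self, now):
        """Monthly purge: drop accounts older than the lifetime, return their e-mails."""
        expired = sorted(e for e, a in self.accounts.items() if now - a["registered"] >= self.lifetime)
        for e in expired:
            del self.accounts[e]
        return expired

    def report(self):
        """Monthly report: (e-mail, device MAC, registration timestamp) per user."""
        return sorted((e, a["device"], a["registered"]) for e, a in self.accounts.items())


if __name__ == "__main__":
    reg = ByodRegistry()
    pw = reg.register("Bob@xyz.com", "AA:BB:CC:DD:EE:01", 1_000_000)
    print("mailed password:", pw)
    print("auth ok:", reg.authenticate("bob@xyz.com", pw, 1_000_000 + 5 * DAY))
    print("purged:", reg.purge_expired(1_000_000 + 30 * DAY))
    print("report:", reg.report())
```

Whatever product actually implements the portal, the two checks to insist on are the exact-domain match (not "contains the domain string") and the expiry being enforced at authentication time as well as by the purge job, so a missed purge run does not silently extend the month.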
04-27-2017 06:07 PM
Let's take this offline and discuss.
Send me a private message.
04-27-2017 06:24 PM
Sure. I think only once you approve me can I send you a private message.