Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
467
Views
0
Helpful
7
Replies

ISE 3.2 BYOD - Randomized MAC addresses - GUID

Go to solution
llomjaria
Level 1
Level 1

‎01-18-2024 04:53 AM

Hello,

I have a question regarding BYOD and randomized MAC addresses.

I have implemented Single SSID BYOD flow. Users are getting onboarding, ISE is the CA server and it sends certificates to them. I have found that in certificate template I can choose to use not only MAC address but MAC + GUID too. 

After successful onboarding, if MAC address changes ISE cannot identify device as BYOD Registered and users are redirected to BYOD onboarding portal again. 

My question is - how can I configure ISE to use GUID as device identifier ?

 

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to llomjaria

‎01-18-2024 02:12 PM

@llomjaria , the short answer is, you can't. See the following recent discussion on the similar topic.
https://community.cisco.com/t5/network-access-control/byod-solution-for-mac-randomized-endpoints/td-p/4994234

 

View solution in original post

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to llomjaria

‎01-21-2024 01:44 PM

No, the workaround to mitigate issues with MAC randomization is to remove authorization conditions that use the MAC address from your policies as per this Field Notice.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-18-2024 05:18 AM

check some reference discussion :

https://community.cisco.com/t5/network-access-control/ise-byod-mac-onboarding/m-p/3836332

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
llomjaria
Level 1
Level 1
In response to balaji.bandi

‎01-18-2024 05:25 AM

Thanks for the reply!

I have checked provided discussion but it is not related to my issue.

 

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to llomjaria

‎01-18-2024 02:12 PM

@llomjaria , the short answer is, you can't. See the following recent discussion on the similar topic.
https://community.cisco.com/t5/network-access-control/byod-solution-for-mac-randomized-endpoints/td-p/4994234

 

0 Helpful

Go to solution
llomjaria
Level 1
Level 1
In response to Greg Gibbs

‎01-19-2024 12:31 AM

@Greg Gibbs Thank you for the response!

So user should register the same device every time MAC changes?

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to llomjaria

‎01-21-2024 01:44 PM

No, the workaround to mitigate issues with MAC randomization is to remove authorization conditions that use the MAC address from your policies as per this Field Notice.

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎01-18-2024 06:44 AM

Did you check that the clients actually get the right attributes in their certificates pushed by ISE? if not, you might need to make sure that you associated the certificate profile to the client provisioning policy profile. If both are correct, please share your authorization rules for review.

0 Helpful

Go to solution
llomjaria
Level 1
Level 1
In response to Aref Alsouqi

‎01-18-2024 07:03 AM

Yes, clients get correct certificates.

Please check attachment

Preview file
32 KB
Preview file
23 KB
0 Helpful
Customers Also Viewed These Support Documents