BYOD without AD integration via ISE

vyas.nilay
Level 1

I am working to replicate the ClearPass features on ISE and I am struggling, so I need some expert direction to configure ISE 2.2.

ClearPass features

BYOD users will be created by connecting to the Guest SSID and having an additional portal option that allows internal users to register for a BYOD account. This portal option will allow only users with a matching e-mail domain string to register. Once registered on the portal, the user will reconnect to the BYOD 802.1X SSID using their e-mail address as a username and the password mailed to the user.

This works with onboarding 1 of their devices per user.

It needs to be presented to the customer in a monthly report of which devices each user registered.

BYOD devices should be purged every month, and they have to re-register their devices again.

The whole idea is to keep the wireless and ISE completely separate from the internal network infrastructure, so federation is available to verify the users and the only way to work with the user is to lock them down to their email address and use email as the federation mechanism.

ClearPass is working nicely but the customer is moving to ISE, so I need some help with this.

Thanks,

Nilay.
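The requirements in the post (register only addresses in an approved e-mail domain, one device per user, purge every month, report which devices each user has) are simple enough to state as code. The block below is an added example written for this thread; it is not ISE or ClearPass code and does not use either product's API. It assumes a placeholder corporate domain `example.com`, an in-memory registry standing in for the "BYOD container", a 30-day retention window, and the device MAC as the device identity. The one point worth taking from it is in `is_corporate_email`: the domain is compared for exact equality after normalisation, because a substring or `endswith()` check would also accept `example.com.attacker.net`, and non-ASCII labels are refused so a look-alike domain cannot pass a string comparison.

```python
# Added example, not ISE/ClearPass code: the post's registration rules as a small policy module.
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

ALLOWED_DOMAINS = {"example.com"}   # constructed placeholder, not a real customer domain
MAX_DEVICES_PER_USER = 1            # "1 of their devices per user"
RETENTION = timedelta(days=30)      # "purge every month"

_LOCAL_PART = re.compile(r"^[a-z0-9._%+-]{1,64}$")
_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")  # ASCII labels only

def normalize_email(raw: str) -> Optional[str]:
    """Canonical lower-case form of a plain user@domain address, or None if it is not one."""
    s = unicodedata.normalize("NFKC", raw).strip().lower()
    if s.count("@") != 1:
        return None
    local, domain = s.split("@")
    # Non-ASCII labels are rejected, so a look-alike domain spelled with
    # Cyrillic letters cannot pass a string comparison with the corporate domain.
    if not _LOCAL_PART.match(local) or not _DOMAIN.match(domain):
        return None
    return f"{local}@{domain}"

def is_corporate_email(raw: str) -> bool:
    """Exact match of the domain against the allowlist. 'example.com.attacker.net'
    and 'notexample.com' both fail here; a substring or endswith() test would pass them."""
    email = normalize_email(raw)
    return email is not None and email.split("@")[1] in ALLOWED_DOMAINS

@dataclass
class Registration:
    email: str
    device_mac: str
    registered_at: datetime

@dataclass
class ByodRegistry:
    records: list[Registration] = field(default_factory=list)

    def register(self, raw_email: str, mac: str, now: datetime) -> str:
        """Validate and record a device; the caller mails the generated password afterwards."""
        email = normalize_email(raw_email)
        if email is None or not is_corporate_email(email):
            raise ValueError("e-mail address is not in an approved corporate domain")
        mac = mac.strip().lower().replace("-", ":")
        if any(r.device_mac == mac for r in self.records):
            raise ValueError("device already registered")
        if sum(r.email == email for r in self.records) >= MAX_DEVICES_PER_USER:
            raise ValueError("device limit reached for this user")
        self.records.append(Registration(email, mac, now))
        return email

    def purge_expired(self, now: datetime) -> int:
        """Drop registrations older than RETENTION and return how many were removed."""
        before = len(self.records)
        self.records = [r for r in self.records if now - r.registered_at < RETENTION]
        return before - len(self.records)

    def monthly_report(self) -> dict[str, list[str]]:
        """Which devices each user currently has registered."""
        report: dict[str, list[str]] = {}
        for r in sorted(self.records, key=lambda r: (r.email, r.registered_at)):
            report.setdefault(r.email, []).append(r.device_mac)
        return report

def run_demo() -> dict:
    """Walk one monthly cycle with constructed data and return what happened at each step."""
    reg = ByodRegistry()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    out: dict = {"first": reg.register("  Alice@Example.COM ", "AA-BB-CC-DD-EE-01", t0)}
    attempts = [("second_device", "alice@example.com", "aa:bb:cc:dd:ee:02"),
                ("outside_domain", "bob@gmail.com", "aa:bb:cc:dd:ee:03"),
                ("lookalike", "carol@example.com.attacker.net", "aa:bb:cc:dd:ee:04")]
    for label, email, mac in attempts:
        try:
            reg.register(email, mac, t0)
            out[label] = "accepted"
        except ValueError as e:
            out[label] = str(e)
    out["report_before"] = reg.monthly_report()
    out["purged_day10"] = reg.purge_expired(t0 + timedelta(days=10))
    out["purged_day31"] = reg.purge_expired(t0 + timedelta(days=31))
    out["report_after"] = reg.monthly_report()
    out["reregister"] = reg.register("alice@example.com", "aa:bb:cc:dd:ee:01", t0 + timedelta(days=31))
    return out

if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` registers one device for a corporate user, shows the second device, an outside domain and a look-alike domain being refused, produces the per-user report, runs the purge at day 10 (nothing removed) and day 31 (the registration removed), and re-registers the device afterwards, which is the monthly re-registration the post asks for.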

Accepted Solution

Jason Kunst
Cisco Employee

byod works with internal accounts

we don't have an email address verification or validation

there is no approval flow or notification

seems like you want a guest registration approval flow and use guest account to go through on boarding?


8 Replies

paul
Level 10

Nilay,

Don't have an answer for you yet, but I am curious why they don't want to AD integrate ISE or LDAP integrate ISE to AD?

It is a little complex to explain, but security reasons due to a high-profile customer. It is one of the mandatory requirements in the requirements paper.

How about allowing it to register BYOD devices via the guest self-registration portal with a separate link, and that registers devices, or with an approved username and password, will allow use of the BYOD 802.1X SSID only, not guest.

Can device onboarding be configured with the guest portal?

Can two links be available on the Guest page: 1> Guest registration and 2> BYOD registration?

BYOD registration devices fall under their own container and BYOD 802.1X looks at that container for authentication.

Guest self-registration falls under its own container and the Guest portal looks at that container to authenticate guests.

During both processes the sponsor or BYOD owner should receive an email with authentication details.

That sponsor/BYOD owner email address should be locked down via a domain string.

The reason is:

Guests should be allowed 1 day of access, but company employees using BYOD should have a month of access.

I kind of worked out how to customise the Guest portal, but I'm not sure how I populate two links and also restrict one from the other.

Any thoughts or ideas???

I have now created two more posts, one for Guest and one for BYOD, in addition to this post, just to track individual requests.

The main reason I am struggling to get the customer's confidence is because ClearPass is working and ISE needs to work, or come close to it, without AD integration.

How is ClearPass validating that the email address is from a valid employee?

And how would the sponsors log into the sponsor portal to create guest accounts if the sponsor portal is not tied to AD?

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

On ClearPass, the employee email address is whitelisted by email domain, so it will be @xyz.com and you are only allowed to enter the email ID, not the domain, so that is one lock.

Second, for BYOD or Guest, both registration links come up on the guest portal page, so you connect to the guest SSID and the page comes up with guest username and password and two links to follow:

Need Guest account: click

Register BYOD: click

BYOD registration: you enter your email address and login details will be sent to your email address, which can be used to log in to the BYOD SSID.

Guest registration: you fill out the form; again, login details will be sent to your corporate account, you provide them to your guest and they are on.

So neither instance requires you to log in to the controller; it just creates a random ID. I can do the same thing with ISE as well, but I don't know how to combine it in one page and get a seamless flow, and also divided authentication containers.

I hope that explains it.

Thanks,

Nilay.

Let's take this offline and discuss

Send me private message

Sent from my iPhone

Sure. I think only once you approve me can I send you the private message.