Administration Node

Any configuration changes you make to users or devices on the end-user portals are written to the Administration node.

Policy Services Node

You must run the end-user portals on a Policy Services Node, which handles all session traffic, including: network access, client provisioning, guest services, posture, and profiling. If the Policy Service Node is part of a node group, and the node fails, the other nodes detect the failure and reset any pending sessions.

Monitoring Node

The Monitoring node collects, aggregates, and reports data about the end user and device activity on the My Devices, Sponsor, and Guest portals. If the primary Monitoring node fails, the secondary Monitoring node automatically becomes the primary Monitoring node.

You can allow employees to register between 1 and 100 personal devices. Regardless of the portal that employees used to register their personal devices, this setting defines the maximum number of devices registered across all portals.

Employee Connects to Network

• Single SSID—Employees connect the device to the 802.1X SSID by entering their corporate username and password.

• Dual SSID—Employees connect to the open guest provisioning SSID and are redirected to the credentialed Guest portal. You must check Allow employees to use personal devices on the network in BYOD Settings in the credentialed Guest portal to enable this functionality.

Employee Credentials Are Authenticated

Cisco ISE authenticates the employee against the corporate Active Directory or other corporate identity stores and provides an authorization policy.

Device Is Redirected to the BYOD Portal

The device is redirected to the BYOD portal. The device’s MAC address is automatically preconfigured, but employees can verify and add a description.

Native Supplicant Is Configured (MacOS, Windows, iOS, Android)

The native supplicant is configured; but the process varies by device:

• MacOS and Windows devices—Employee clicks Register in the BYOD portal to download and install the supplicant provisioning wizard, which configures the supplicant and provides the certificate (if required).

• iOS devices—The Cisco ISE policy server sends a new profile using Apple’s iOS over-the-air to the IOS device, which includes:

  • The issued certificate (if configured) embedded with the IOS device's MAC address and employee's username.

  • A Wi-Fi supplicant profile that enforces the use of MSCHAPv2 or EAP-TLS for 802.1X authentication.

• Android devices—Cisco ISE prompts and routes employee to download the Cisco Network Setup Assistant (NSA) from Google Play. After installing the app, the employee can open NSA and start the setup wizard, which generates authentication parameters and initiates a certificate request (if required) for device certification.

Change of Authorization Issued

Cisco ISE initiates a Change of Authorization (CoA) and connects the MacOS X, Windows, and Android devices to the secure 802.1X network. For single SSID, iOS devices also connect automatically, but for dual SSID, the wizard prompts iOS users to manually connect to the new network.

Note

You must check the Enable if Target Network is Hidden check box only when the actual Wi-Fi network is hidden. Otherwise, Wi-Fi network configuration may not be provisioned properly for certain iOS devices, especially in the single SSID flow (where the same Wi-Fi network/SSID is used for both onboarding and connectivity).

Native supplicants are supported for these operating systems:

• Android (excluding Amazon Kindle, B&N Nook)

• Mac OS X (for Apple Mac computers)

• Apple iOS devices (Apple iPod, iPhone, and iPad)

• Microsoft Windows 7 and 8 (excluding RT), Vista, and XP

Employees using credentialed Guest portals can register their personal devices. The self-provisioning flow supplied by the BYOD portal enables employees to connect devices to the network directly using native supplicants, which are available for Windows, MacOS, iOS, and Android devices.

You can provide information that enables employees, who encounter a problem while registering their personal devices using the BYOD portal to reconnect with the registration process.

To support the Cisco ISE end-user web portals, you must enable portal-policy services on the node on which you want to host them.

If you do not want to use the default certificates, you can add a valid certificate and assign it to a certificate group tag. The default certificate group tag used for all end-user web portals is Default Portal Certificate Group.

Cisco ISE can connect with external identity sources such as Active Directory, LDAP, RADIUS Token, and RSA SecurID servers to obtain user information for authentication and authorization. External identity sources also includes certificate authentication profiles that you need for certificate-based authentications.

Cisco ISE groups endpoints that it discovers in to the corresponding endpoint identity groups. Cisco ISE comes with several system-defined endpoint identity groups. You can also create additional endpoint identity groups from the Endpoint Identity Groups page. You can edit or delete the endpoint identity groups that you have created. You can only edit the description of the system-defined endpoint identity groups; you cannot edit the name of these groups or delete them.

Cisco ISE provides a single Blacklist portal that displays information when a lost or stolen device that is blacklisted in Cisco ISE is attempting to access your corporate network.

You can only edit the default portal settings and customize the default message that displays for the portal. You cannot create a new Blacklist portal, or duplicate or delete the default portal.

You can provide a Bring Your Own Device (BYOD) portal to enable employees to register their personal devices, so that registration and supplicant configuration can be done before allowing access to the network.

You can create a new BYOD portal, or you can edit or duplicate an existing one. You can delete any BYOD portal, including the default portal provided by Cisco ISE.

Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the device portal flow diagram. If you enable a page, such as the Support Information page, it appears in the flow and the employee will experience it in the portal. If you disable it, it is removed from the flow.

You can provide a Client Provisioning portal to enable employees to download either the Cisco AnyConnect posture component or the Cisco NAC agent, which verifies the posture compliance of the device before allowing access to the network.

You can create a new Client Provisioning portal, or you can edit or duplicate an existing one. You can delete any Client Provisioning portal, including the default portal provided by Cisco ISE.

Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the device portal flow diagram. If you enable a page, such as the Support Information page, it appears in the flow and the employee will experience it in the portal. If you disable it, it is removed from the flow.

You can provide a Mobile Device Management (MDM) portal to enable employees to manage their mobile devices that are registered for use on your corporate network.

You can create a new MDM portal, or you can edit or duplicate an existing one. You can have a single MDM portal for all of your MDM systems or you can create a portal for each system. You can delete any MDM portal, including the default portal provided by Cisco ISE. The default portal is for third-party MDM providers.

You can create a new MDM portal, or you can edit or duplicate an existing one. You can delete any MDM portal, including the default portal provided by Cisco ISE. The default portal is for third-party MDM providers.

Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the device portal flow diagram. If you enable a page, such as the Support Information page, it appears in the flow and the employee will experience it in the portal. If you disable it, it is removed from the flow.

You can provide a My Devices portal to enable employees to add and register their personal devices that do not support native supplicants and cannot be added using the Bring Your Own Device (BYOD) portal. You can then use the My Devices portal to manage all devices that have been added using either portal.

You can create a new My Devices portal, or you can edit or duplicate an existing one. You can delete any My Devices portal, including the default portal provided by Cisco ISE.

Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the device portal flow diagram. If you enable a page, such as the Support Information page, it appears in the flow and the employee will experience it in the portal. If you disable it, it is removed from the flow.

You can customize the portal appearance and user (guests, sponsors, or employees as applicable) experience by customizing the portal themes, changing UI elements on the portal pages, and editing error messages and notifications that display to the users.

You can locate devices added by a specific employee using the Portal User field displayed on the Endpoints listing page. This might be useful if you need to delete devices registered by a specific user. By default, this field does not display, so you must enable it first before searching.

Employees cannot add a device, if another employee has previously added it such that the device already exists in the Cisco ISE endpoints database.

If employees attempt to add a device that already exists in the Cisco ISE database:

• And it supports native supplicant provisioning, we recommend adding the device through the BYOD portal. This will overwrite any registration details that were created when it was initially added to the network.

• If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device first. If appropriate, you can remove the device from the endpoints database using the Admin portal, so that the new owner can successfully add the device using the My Devices portal.

When an employee deletes a device from the My Devices portal, the device is removed from the employee’s list of registered devices, but the device remains in the Cisco ISE endpoints database and displays in the Endpoints list.

To permanently delete the device from the Endpoints page, choose Administration > Identity Management > Identities > Endpoints.

The My Devices Login and Audit report is a combined report that tracks:

• Login activity by employees at the My Devices portal.

• Device-related operations performed by the employees in the My Devices portal.

This report is available at: Operations > Reports > Guest Access Reports > My Devices Login and Audit.

The Registered Endpoints report provides information about all the endpoints that are registered by employees. This report is available at: Operations > Reports > Endpoints and Users > Registered Endpoints. You can run a query on the following: identity, endpoint ID, identity profile, and the like, and you can generate a report. For information on supplicant provisioning statistics and related data, see Viewing Client Provisioning Reports.

You can query the endpoint database for endpoints that are assigned to the RegisteredDevices endpoint identity group. You can also generate reports for specific users that have the Portal User attribute set to a non-null value.

The Registered Endpoints Report provides information about a list of endpoints that are registered through device registration portals by a specific user for a selected period of time.