Once you configure these general settings, they apply to all BYOD and My Devices portals that you set up for your company.

The BYOD deployment flows that support personal devices vary slightly based on these factors:

• Single or dual SSID—With single SSID, the same WLAN is used for certificate enrollment, provisioning, and network access. In a dual SSID deployment, there are two SSIDs: one provides enrollment and provisioning, and the other provides secure network access.

• Windows, MacOS, iOS, or Android device—The native supplicant flow starts similarly, regardless of the device type, by redirecting employees using a supported personal device to the BYOD portal to confirm their device information. The process diverges based on device type.

Employee Connects to Network

1. Employee Credentials Are Authenticated—Cisco ISE authenticates the employee against the corporate Active Directory or other corporate identity stores and provides an authorization policy.

2. Device Is Redirected to the BYOD Portal—The device is redirected to the BYOD portal. The device’s MAC address field is automatically preconfigured, and the user can add a device name and description.

3. Native Supplicant Is Configured (MacOS, Windows, iOS, Android)—The native supplicant is configured; but the process varies by device:

   • MacOS and Windows devices—Employee clicks Register in the BYOD portal to download and install the supplicant provisioning wizard (Network Setup Assistant), which configures the supplicant and provides the certificate (if necessary) used for EAP-TLS certificate-based authentication. The issued certificate is embedded with the device's MAC address and employee's username.

     Note	Network Setup Assistant cannot be downloaded to a Windows device, unless the the user of that device has administrative priveleges. If you cannot grant end users administrative priveleges, then use your GPO to push the certificate to the user's device, instead of using the BYOD flow.

   • iOS devices—The Cisco ISE policy server sends a new profile using Apple’s iOS over the air to the IOS device, which includes:

     • The issued certificate (if configured) is embedded with the IOS device's MAC address and employee's username.

     • A Wi-Fi supplicant profile that enforces the use of EAP-TLS for 802.1X authentication.

   • Android devices—Cisco ISE prompts and routes employee to download the Cisco Network Setup Assistant (NSA) from the Google Play store. After installing the app, the employee can open NSA and start the setup wizard, which generates the supplicant configuration and issued certificate used to configure the device.

4. Change of Authorization Issued—After the user goes through the on boarding flow, Cisco ISE initiates a Change of Authorization (CoA). This causes the MacOS X, Windows, and Android devices to reconnect to the secure 802.1X network. For single SSID, iOS devices also connect automatically, but for dual SSID, the wizard prompts iOS users to manually connect to the new network.

Note	You can configure a BYOD flow that does not use supplicants. See the Cisco ISE Community document https:/​/​supportforums.cisco.com/​blog/​12705471/​ise-byod-registration-only-without-native-supplicant-or-certificate-provisioning.

Note

Check the Enable if Target Network is Hidden check box only when the actual Wi-Fi network is hidden. Otherwise, Wi-Fi network configuration may not be provisioned properly for certain iOS devices, especially in the single SSID flow (where the same Wi-Fi network/SSID is used for both onboarding and connectivity).

BYOD Session Endpoint Attribute

The state of the endpoint attribute BYODRegistration changes during the BYOD flow to the following states.

• Unknown—The device has not been through a BYOD flow.

• Yes—The device has been through BYOD flow, and is registered.

• No—The device has been through BYOD flow, but is not registered. This means that the device was deleted.

Device Registration Status Endpoint Attribute

The state of the endpoint attribute DeviceRegistrationStatus changes during device registration to the following states.

• Registered—The device has been through BYOD flow, and it is registered. There is a 20-minute delay before the attribute changes from pending to registered.

• Pending—The device has been through BYOD flow, and it is registered. But, ISE has not seen it on the network.

• Not Registered—The device has not been through BYOD flow. This is the default state of this attribute.

• Stolen— The user logs onto the MyDevices portal, and marks a currently onboarded device as Stolen. When this happens:

  • If the device was onboarded by provisioning a certificate and a profile, ISE revokes the certificate that was provisioned to the device, and assigns the device’s mac address to the Blacklist identity group. That device no longer has network access.

  • If the device was onboarded by provisioning a profile (no certificate), ISE assigns the device to the Blacklist endpoint identity group. The device will still have network access, unless you create an authorization policy for this situation. For example, IF Endpoint Identity Group is Blacklist AND BYOD_is_Registered THEN DenyAccess.

  An Administrator performs an action that disables network access for several devices, such as deleting or revoking a certificate.

  If a user reinstates a stolen device, the status reverts to not registered. The user must delete that device, and add that it back. That starts the onboarding process.

• Lost—The user logs on to the MyDevices portal, and marks a currently onboarded device as Lost. That causes the following actions:

  • That device is assigned to Blacklist identity group.

  • Certificates provisioned to the device are not revoked.

  • The device status is updated to Lost.

  • “BYODRegistration” is updated to No.

  A lost device still has network access unless you create an authorization policy to block lost devices. You can use the Blacklist identity group or the endpoint:BYODRegistration attribute in your rule. For example, IF Endpoint Identity Group is Blacklist AND EndPoints:BYODRegistrations Equals No THEN BYOD. For more granular access, you can also add NetworkAccess:EAPAuthenticationMethod Equals PEAP or EAP-TLS or EAP-FAST” , InternalUser:IdentityGroup Equals <<group>> to the IF part of the rule.

Native supplicants are supported for these operating systems:

• Android (excluding Amazon Kindle, B&N Nook)

• Mac OS X (for Apple Mac computers)

• Apple iOS devices (Apple iPod, iPhone, and iPad)

• Microsoft Windows 7, 8 (excluding RT), Vista, and 10

Employees using credentialed Guest portals can register their personal devices. The self-provisioning flow supplied by the BYOD portal enables employees to connect devices to the network directly using native supplicants, which are available for Windows, MacOS, iOS, and Android devices.

You can provide information that enables employees, who encounter a problem while registering their personal devices using the BYOD portal to reconnect with the registration process.

To support the Cisco ISE end-user web portals, you must enable portal-policy services on the node on which you want to host them.

If you do not want to use the default certificates, you can add a valid certificate and assign it to a certificate group tag. The default certificate group tag used for all end-user web portals is Default Portal Certificate Group.

Cisco ISE can connect with external identity sources such as Active Directory, LDAP, RADIUS Token, and RSA SecurID servers to obtain user information for authentication and authorization. External identity sources also includes certificate authentication profiles that you need for certificate-based authentications.

Cisco ISE groups endpoints that it discovers in to the corresponding endpoint identity groups. Cisco ISE comes with several system-defined endpoint identity groups. You can also create additional endpoint identity groups from the Endpoint Identity Groups page. You can edit or delete the endpoint identity groups that you have created. You can only edit the description of the system-defined endpoint identity groups; you cannot edit the name of these groups or delete them.

Cisco ISE provides a single Blacklist portal that displays information when a lost or stolen device that is blacklisted in Cisco ISE is attempting to access your corporate network.

You can only edit the default portal settings and customize the default message that displays for the portal. You cannot create a new Blacklist portal, or duplicate or delete the default portal.

You can provide a Bring Your Own Device (BYOD) portal to enable employees to register their personal devices, so that registration and supplicant configuration can be done before allowing access to the network.

You can create a new BYOD portal, or you can edit or duplicate an existing one. You can delete any BYOD portal, including the default portal provided by Cisco ISE.

Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the device portal flow diagram. If you enable a page, such as the Support Information page, it appears in the flow and the employee will experience it in the portal. If you disable it, it is removed from the flow.

You can provide a Client Provisioning portal to enable employees to download either the Cisco AnyConnect posture component or the Cisco NAC agent, which verifies the posture compliance of the device before allowing access to the network.

You can create a new Client Provisioning portal, or you can edit or duplicate an existing one. You can delete any Client Provisioning portal, including the default portal provided by Cisco ISE.

Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the device portal flow diagram. If you enable a page, such as the Support Information page, it appears in the flow and the employee will experience it in the portal. If you disable it, it is removed from the flow.

You can provide a Mobile Device Management (MDM) portal to enable employees to manage their mobile devices that are registered for use on your corporate network.

You can create a new MDM portal, or you can edit or duplicate an existing one. You can have a single MDM portal for all of your MDM systems or you can create a portal for each system. You can delete any MDM portal, including the default portal provided by Cisco ISE. The default portal is for third-party MDM providers.

You can create a new MDM portal, or you can edit or duplicate an existing one. You can delete any MDM portal, including the default portal provided by Cisco ISE. The default portal is for third-party MDM providers.

Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the device portal flow diagram. If you enable a page, such as the Support Information page, it appears in the flow and the employee will experience it in the portal. If you disable it, it is removed from the flow.

You can provide a My Devices portal to enable employees to add and register their personal devices that do not support native supplicants and cannot be added using the Bring Your Own Device (BYOD) portal. You can then use the My Devices portal to manage all devices that have been added using either portal.

You can create a new My Devices portal, or you can edit or duplicate an existing one. You can delete any My Devices portal, including the default portal provided by Cisco ISE.

Any changes that you make to the Page Settings on the Portal Behavior and Flow Settings tab are reflected in the graphical flow in the device portal flow diagram. If you enable a page, such as the Support Information page, it appears in the flow and the employee will experience it in the portal. If you disable it, it is removed from the flow.

You can customize the portal appearance and user (guests, sponsors, or employees as applicable) experience by customizing the portal themes, changing UI elements on the portal pages, and editing error messages and notifications that display to the users. For more information about customizing portals, see Customization of End-User Web Portals.

You can locate devices added by a specific employee using the Portal User field displayed on the Endpoints listing page. This might be useful if you need to delete devices registered by a specific user. By default, this field does not display, so you must enable it first before searching.

Employees cannot add a device that was already added by another employee, and that device is still in the endpoints database.

If employees attempt to add a device that already exists in the Cisco ISE database:

• And it supports native supplicant provisioning, we recommend adding the device through the BYOD portal. This overwrites any registration details that were created when it was initially added to the network.

• If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then first resolve ownership of the device. If appropriate, you can remove the device from the endpoints database using the Admin portal, so that the new owner can successfully add the device using the My Devices portal.

Note

When an employee deletes a device from the My Devices portal, the device is removed from the employee’s list of registered devices, but the device remains in the Cisco ISE endpoints database and displays in the Endpoints list.

To permanently delete the device from the Endpoints page, choose Administration > Identity Management > Identities > Endpoints .

The My Devices Login and Audit report is a combined report that tracks:

• Login activity by employees at the My Devices portal.

• Device-related operations performed by the employees in the My Devices portal.

This report is available at: Operations > Reports > Guest Access Reports > My Devices Login and Audit.

The Registered Endpoints report provides information about all the endpoints that are registered by employees. This report is available at: Operations > Reports > Endpoints and Users > Registered Endpoints. You can run a query on the following: identity, endpoint ID, identity profile, and the like, and you can generate a report. For information on supplicant provisioning statistics and related data, see Viewing Client Provisioning Reports.

You can query the endpoint database for endpoints that are assigned to the RegisteredDevices endpoint identity group. You can also generate reports for specific users that have the Portal User attribute set to a non-null value.

The Registered Endpoints Report provides information about a list of endpoints that are registered through device registration portals by a specific user for a selected period of time.