Personal Devices on a Corporate Network (BYOD)
When supporting personal devices on a corporate network, you must protect network services and enterprise data by authenticating and authorizing users (employees, contractors, and guests) and their devices. Cisco ISE provides the tools you need to allow employees to securely use personal devices on a corporate network.
Guests can automatically register their devices when logging in to the Guest portals. Guests can register additional devices up to the maximum limit that you define in their guest type. These devices are registered into endpoint identity groups based on the portal configuration.
Guests can add their personal devices to the network by running the native supplicant provisioning (Network Setup Assistant), or by adding their devices to the My Devices portal. You can create native supplicant profiles, which determine the proper native supplicant provisioning wizard to use, based on the operating system.
Because native supplicant profiles are not available for all devices, users can add these devices manually through the My Devices portal, or you can configure BYOD rules to register them.
End-User Device Portals in a Distributed Environment
Cisco ISE end-user web portals depend on the Administration, Policy Services, and Monitoring personas to provide configuration, session support, and reporting.
- Policy Administration node (PAN): Configuration changes that you make to the users, devices, and end-user portals are written to the PAN.
- Policy Service node (PSN): The end-user portals run on a PSN, which handles all session traffic, including network access, client provisioning, guest services, posture, and profiling. If a PSN is part of a node group and one node fails, the other nodes detect the failure and reset any pending sessions.
- Monitoring node (MnT node): The MnT node collects, aggregates, and reports data about the end-user and device activity on the My Devices, Sponsor, and Guest portals. If the primary MnT node fails, the secondary MnT node automatically becomes the primary MnT node.
Global Settings for Device Portals
You can configure the following general settings for the BYOD and My Devices portals:
- Employee Registered Devices: Enter the maximum number of devices that an employee can register in Restrict employees to. By default, this value is set to 5 devices.
- Retry URL: Enter a URL that can be used to redirect the device back to Cisco ISE in Retry URL for onboarding.
Once you configure these general settings, they apply to all BYOD and My Devices portals that you set up for your company.