ISE 1.2 device registration with MAB only, no client provisioning

gnijs
Level 4

Hello,

Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning?

I do not want to push certificates or native supplicant profiles to client devices.

I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.

Then if MAC is known (in this group), skip registration and allow full access to the VLAN.

Right now, I am stuck on the registration portal that says "The system administrator has either not configured or enabled a policy for your device". It is true that my Client Provisioning screen is empty.

Am I really obliged to use native supplicant provisioning to register my device?

GN

7 Replies

Peter Koltl
Level 7

Yes, why not? NSP (Native Supplicant Provisioning) is not mandatory with Device Registration Webauth (DRW). Please post your authorization policy.

Muhammad Munir
Level 5

Hi

Device Registration web auth is a process where you can configure user without client provisioning.

In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.

1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the guest user attempts to go to any URL.

2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.

3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.

4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.

5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.

6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.
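The six-step DRW flow in the answer above, modelled as an added Python example (not ISE code and not from the thread). The authorization profile strings, the identity group name and the `aup_accepted` attribute are assumed stand-ins for the ISE objects an administrator would configure; the store is a plain dict keyed by normalized MAC.

```python
from dataclasses import dataclass

# Assumed names (not from the thread): authorization profile strings, the
# endpoint identity group and the endpoint attribute holding AUP acceptance.
REDIRECT_PROFILE, PERMIT_PROFILE = "URL-Redirect-DRW", "PermitAccess"
REGISTERED_GROUP = "RegisteredDevices"

@dataclass
class Endpoint:
    mac: str
    aup_accepted: bool = False        # the "AUP accepted attribute" from the thread
    identity_group: str = "Unknown"

def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 forms."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def mab_authorize(store: dict, mac: str) -> str:
    """Steps 1 and 6: authorization decision for a MAB request.
    `store` models the endpoint identity store as {normalized MAC: Endpoint}."""
    ep = store.get(normalize_mac(mac))
    if ep is None or not ep.aup_accepted or ep.identity_group != REGISTERED_GROUP:
        return REDIRECT_PROFILE       # unknown/unaccepted -> AUP portal redirect
    return PERMIT_PROFILE             # registered device -> configured access

def aup_response(store: dict, mac: str, accepted: bool) -> str:
    """Steps 2-5: register or update the endpoint on acceptance, then CoA."""
    if not accepted:
        return "ErrorPage"            # step 4: declined, endpoint unchanged
    key = normalize_mac(mac)
    ep = store.setdefault(key, Endpoint(key))   # step 2 (new) or step 3 (existing)
    ep.aup_accepted = True
    ep.identity_group = REGISTERED_GROUP
    return "CoA-Terminate"            # step 5: NAD/WLC drops the session

def drw_session(store: dict, mac: str, accepts_aup: bool) -> list:
    """Whole flow for one client: first MAB, portal outcome, re-auth after CoA."""
    events = [mab_authorize(store, mac)]
    if events[0] == REDIRECT_PROFILE:
        events.append(aup_response(store, mac, accepts_aup))
        if events[-1] == "CoA-Terminate":
            events.append(mab_authorize(store, mac))   # step 6: new MAB request
    return events
```

A second session from the same device, in any MAC notation, goes straight to the permit profile because the registered endpoint is found on the first MAB lookup.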

Yes, I am aware of the Device Registration Web Auth where a user just needs to accept an AUP and then its MAC gets added to a group. However, the user loses the ability to manage its own devices. I want to use this not for guests, but for corporate users and I want to keep a list of all MACs that each user has added, and I want to also allow the users to manage their own devices (exactly the "My Devices" functionality), but without Client Provisioning.

OK, I think I found it myself.

ISE 1.2 gives you the options to continue if the proper Client Provisioning Policy cannot be found.

Administration -> System -> Settings -> Client Provisioning->Native Supplicant Provisioning Policy Unavailable

By default this is "Apply Defined Authorization Policy" and by default, this seems to be do not continue and give the message "A proper policy has not been defined. Contact your system administrator."

You can also put this on "Allow Network Access", then ISE continues and does not try Client Provisioning, but the MAC is recorded and the device is registered under the user name. Property "BYOD Registration Status" changes to yes.

Because the first entry reads "Apply Defined Authorization Policy", I guess you could create an Authorization policy that specifically matches this condition (probably some attribute exists that matches this condition) and then apply your own policy...

Hi gnijs,

I have the same problem but when I set it to Allow Network Access, the ISE cannot get the MAC-Address when redirecting the client to device registration page. Did you have the same behaviour?

I've attached the screenshot.

Thanks for your help!

Which device are you testing with? If this is an iPad mini, I do not think support for that device is ready yet.

Thanks,

Tarik Admani
*Please rate helpful posts*
