I am learning for the 300-375 certification and there is a chapter about the BYOD solution.
In case of Dual SSID, here is what is explained :
In a dual SSID design, there are some additional considerations:
The provisioning SSID can be either open or password protected. When the provisioning SSID is open, any user can connect to the SSID, whereas if it is password protected, then only users that have credentials, such as AD group membership, are allowed to connect to the SSID. In this design guide, the provisioning SSID is configured to be open and its only purpose is to provide on-boarding services.
After the device is provisioned, it is assumed that the user will switch to the second SSID for regular network access. To prevent the user from staying connected to the provisioning SSID, an access list that provides only access to ISE, DHCP, and DNS must be enforced on the provisioning SSID. The details of the ACL_Provisioning_Redirect ACL are shown below.
If I well understood, does it mean the guests will connect to the provisionning SSID only, and will be able to go to the internet ? While the employees will have to connect to the provisionning SSID, then connect to the 2nd SSID and put their AD credentials ?
1. New User connects to SSID-WELCOME 2. Cisco ISE checks to see if this user is allowed access -Most of the time username/password is integrated to AD
3. New User receives connection instructions. Connection Profile is installed on user -This connection profile is related to the SSID-WORK
4. User transfers to SSID-WORK
-User should be able to authenticate directly with no issues using high security connections such as EAP-TLS
All in all the SSID-WELCOME is a Provisioning SSID. from the name itself, it aids the user on w/c SSID he is allowed to connect.
Also, it is not limited to ONLY a single SSID. You can have one provisioning SSID and multiple network/office work related SSIDs and the guest SSID. The user will get all the details via the provisioning SSID, and the network profile that it gives out is w/c ever office/network related SSID you are in, yes including guest
For your question, well, it depnds on how the SSID was configured, BUT TYPICALLY, if it is a dedicated provisioning SSID, then the guest WONT get internet from the provisioning SSID. Again, the guest user will get connection information from the Prov.-SSID, and the Prov-SSID will instruct the user to connect to a proper SSID.