View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0190 - ISE 1.3 BYOD Wireless Onboarding with Dual SSID (Internal CA) (Part 2)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
The video demonstrates wireless device onboarding with dual SSID and Cisco ISE 1.3 Internal CA. With the internal CA configured in the previous video, we continues to complete the remaining configuration to provide wireless BYOD solution including; login web portal, required authentication, authorization, and client provisioning policies. We will step through the entire onboarding process and test device management via MyDevices portal on iPad, Android and Windows computer. 
Part 2 of this video focuses on configuration validation and device onboarding testing
  • Active Directory User Group Selection
  • ISE Internal CA
  • WLAN SSID Configuration
  • BYOD Portal
  • Policy Element Result
    • Authorization (Authorization Profile)
      • Native Supplicant Provisioning
      • Airspace ACL
    • Client Provisioning (Native Supplicant Profile)
  • Authentication Policy
  • Authorization Policy
  • Client Provisioning Policy
  • My Devices Portal (Lost and Stolen Device)
  • Blacklist Portal
Relevant Videos:


About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


Hello LabMinutes team,

I have baought some of your great tuorial videos on ISE 1.3 and have, with the help of this material, been able to configure BYOD using the dual SSID model.
But now the management has an additional requirement:
currently all successfully authenticated AD users are able to access the BYOD portal and can register their devices. Management has asked if it would be possible to only allow AD users, which are member of a dedicated BYOD group, to add devices.

Can this be done ? Can you explain what needs to be changed in the dual SSID setup to accomplish this ?

Thank you very much for your kind help



Since anyone how has a valid AD account will be able to log into guest portal and initiate the onboarding process, you can configure AD user group as a condition under Client provisioning policy to prevent them from proceeding the client provisioning. As another layer of protection, you can also do the same for you Authorization policy to prevent unautorizted BYOD user from connecting to your network.

We are choosing the authentication method to a wireless that will grant access to the corporate network/internal LAN. The idea is that both, windows notebooks joined to the domain and mobile devices with mdm would be able to access. We would like to have just one authentication method applicable for both, notebooks and mobiles. The best option is to use eap-tls with windows AD CA certificates. The problem is that , since mobile devices cant join to a windows domain, they can't download the windows user certificates. Because of this, we are evaluating the option of using ISE as the certificates handler (using onboarding ssid, single or dual, is the same for us) but I can see that you say that is not possible/recommended to use this method for corporate devices. I consider that a corporate device is just a windows computer joined to the corporate domain.

So, in conclusion, the questions are:
1- Why using internal ise certificates with onboarding ssid is not applicable to corporate devices (windows notebooks joined to the corporate domain)? Is there a technical impediment?
2- Let's suppose that I use eap-tls with windows certificates for notebooks joined to the domain, what about mobile devices? Should I need to use another authentication method for them creating a separate single/dual ssid using ISE internal certificates or do you see it possible to , in some way, export the AD user certificate to the mobile device and use the same eap-tls that we use for windows notebooks?

Thank you very much.

Inernal CA is designed to be used with BYOD where each user is responsible for their own onboarding. This however does not prevent you from using it to issue cert to company asset but the limitation comes in where it might not be practical for you to onboard hundred or thousand devices individually. 

How the devices obtain certificate and how they connect to wireless SSID are two different things. You can have all of your Windows domain computers gets their cert issued by Enterprise CA via GPO, while mobile devices get their cert via MDM being integrated to some third-party cert provider. Regardless of how the devices get their cert, they can authenticate via EAP-TLS on the same SSID. You just need to configure ISE to trust all the CA that signed client certs.

Thanks for the answer,

We have Citrix XenMobile as MDM solution and I have been googling if it's possible to generate/import client auth. certifiates associated with the User Id to the Mobiles in order to then authenticate to a Wireless network using EAP-TLS but I couldn't find anything on that.
Have you ever heard of exporting the AD enterprise CA user certificates to mobile devices? Do you know if there is a tool to that that?
Addittionally, what do you think of using EAP-Fast for the corporate wireless? Is it an authentication protocol that can be used for both, windows notebooks and mobiles?

Thank you very much!

We have not seen such tool ourselves. The best bet may be checking if MDM can do SCEP off of an Microsoft CA, or if the MDM would integrate with 3rd party CA.

EAP-FAST is Cisco proprietary and to our knowledge is not availble on any native OS except AnyConnect NAM.