SEC0278 - ISE 2.2 BYOD Wireless Onboarding with Dual SSID (Part 3)

The video walks you through the entire process of wireless BYOD onboarding on Cisco ISE 2.2 using dual SSID. A user will be able to connect a personal device and securely authenticate with AD credentials to register the device with ISE. We will show different key web portals, including the MyDevices Portal, where users can manage their BYOD devices. We will try a new condition in ISE 2.2 to allow Apple CNA to work with the BYOD dual-SSID method. The testing is performed on a non-domain Windows computer, an iOS device, and an Android device.
Part 3 of this video covers endpoint testing 
  • BYOD Workflow
  • Apple CNA
  • ISE Internal CA
  • Certificate Template
  • Endpoint Identity Group
  • Native Supplicant Profile
  • Client Provisioning Policy
  • MyDevices Portal
    • Lost and Stolen Device
  • Blacklist Portal
  • Sponsored Guest Portal
  • Authorization Profile
    • WLC Named ACL
  • Endpoint Purging

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


Hi Metha. I've read from the CCNP SISAS book that in the enrollment process for BYOD two certificates are created: one for the machine and one for the user, but only the user's certificate is used for the authentication process via EAP-TLS. That may be the reason you see two certificates for each device (two certificates for the Windows machine and two certificates for the iPad). Greetings!!

If you check the ISE Internal CA issued cert page, you should only see one cert issued to everything except iOS, which has two certs. We do not recall seeing a machine cert on Windows from BYOD, only a user cert. Do you experience this differently?

Hello Metha,
Have you seen where Windows prompts the user to select the certificate after onboarding? Is this normal, or is there a workaround? Seems to happen if there is more than one cert in their personal store that could be used for authentication.

We may have run into that in the past, mostly on Macintosh, possibly Windows 7, but do not recall it on Windows 10. We are not aware of a workaround, as there is nothing that ties a cert to the client wireless profile. What happens if you try on a machine with no cert prior to onboarding, or another version of Windows? Do you still get the prompt?