View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0278 - ISE 2.2 BYOD Wireless Onboarding with Dual SSID (Part 3)

Average: 5 (2 votes)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0278 - Video Download $14.00
Purchase SEC0278 - Video Download $14.00
The video walks you through the entire process of wireless BYOD onboarding on Cisco ISE 2.2 using dual SSID. A user will be able to connect a personal devices and securely authenticate with AD credential to register the device with ISE. We will show different key web portals including MyDevices Portal where user can manage their BYOD devices. We will try a new condition in ISE 2.2 to allow Apple CNA to work with the BYOD dual-SSID method. The testing is performed on non-domain Windows computer, iOS device, and an Android. 
Part 3 of this video covers endpoint testing 
  • BYOD Workflow
  • Apple CNA
  • ISE Internal CA
  • Certificate Template
  • Endpoint Identity Group
  • Native Supplicant Profile
  • Client Provisioning Policy
  • MyDevices Portal
    • Lost and Stolen Device
  • Blacklist Portal
  • Sponsored Guest Portal
  • Authorization Profile
    • WLC Named ACL
  • Endpoint Purging

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new technologies.


Hi Metha. I've read from the CCNP SISAS book that in the enrollment process for BYOD two certificates are created: one for the machine and one for the user, but only the user's certificate is used for the authentication process via EAP-TLS. That maybe the reason you see two certificates for each device (two certificates for the Windows machine and two certificates for the iPAD). Greetings!!

If you check the ISE Internal CA issued cert page, you should only see one cert issued to everything except iOS that has two cert. We do not recall seeing machine cert on Windows from BYOD, only user cert. Do you experience this differently?

Hello Metha,
Have you seen where Windows prompts the user to select the certificate after on boarding? Is this normal or is there a work around. Seems to happen if more than one cert in their personal store that could be used for authentication.

We may had run into that in the past mostly on Macintosh, possibly Windows 7 but do not recall on Windows 10. We are not aware of a workaround as there is nothing that ties a cert to the client wireless profile. What happen if you try on a machine with no cert prior to onboarding, or another version of Windows? Do you still get prompt?

This is a great tutorial, working based on this to implement this solution.
But there is something that bothers me.
If we enable AD credential usage on the guest ssid, is that secure?
Its quite easy these days to guess someones AD username and constantly try to log in.
Will this lock the account?

This can create major problems if users from exterior can that simply lock AD accounts!

What do you think about this? Or it is not the case.


Interesting thought. We have not tested if failed wifi authentications can cause an AD user account to be locked. If it is the case, you will most likely have the same problem even on corporate SSID. If you have tested this, feel free to share the result.