Authorization Rule 1: BYOD Onboarding and Portal – this rule is used for single-SSID onboarding. It matches when the access method is Wireless_802.1X and the authentication method is EAP-MSCHAPv2. The result is that the user is redirected to the BYOD portal to onboard the device.
Once the onboarding is done, Cisco ISE sends a CoA and the endpoint reauthenticates using its certificate (EAP-TLS). This second authentication and authorization is handled by Rule 3, which provides full access.
Authorization Rule 2: Guest Redirect – this rule is used for dual-SSID onboarding (it is also used for guest access).
With the option "Allow employees to use personal devices on the network" enabled on the Guest Portal, this rule redirects employees who connect through the Guest SSID to the guest portal and authenticates them against Active Directory.
Once the authentication is successful, the endpoint is redirected to the BYOD portal for onboarding.
Once the onboarding is complete, Cisco ISE sends a CoA and the endpoint reauthenticates using its certificate (EAP-TLS). This second authentication and authorization is handled by Rule 3, which provides full access.
Authorization Rule 3: BYOD Certificate EAP-TLS – this rule is applied after the onboarding is complete through Rule 1 or Rule 2 and provides full access.
To grant final, full access, Cisco ISE verifies the following information:
· Is the access method Wireless_802.1X?
· Is the BYOD registration complete? ISE looks up the endpoint object in its database and checks that the BYOD registered flag is enabled.
· Does the endpoint authenticate with EAP-TLS?
· Is the MAC address of the endpoint present in the SAN of the client certificate?
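The following is an added example, not code from Cisco ISE or from the original page: it models the three authorization rules above as a first-match policy evaluator, including the Rule 3 check that the endpoint MAC (Calling-Station-Id) appears in the client certificate's SAN. The attribute names, the `Wireless_MAB` condition used to represent the guest SSID in Rule 2, and the plain-MAC SAN format are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Authorization results, named after the ISE rules described above
BYOD_PORTAL_REDIRECT = "Rule 1: BYOD Onboarding and Portal (redirect to BYOD portal)"
GUEST_REDIRECT = "Rule 2: Guest Redirect (redirect to guest portal)"
FULL_ACCESS = "Rule 3: BYOD Certificate EAP-TLS (PermitAccess)"
DENY = "Default: DenyAccess"

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as 12 lowercase hex digits, or None if the string is not a MAC.
    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if _HEX12.match(digits) else None

@dataclass
class AuthzRequest:
    access_method: str        # assumed values: "Wireless_802.1X" or "Wireless_MAB"
    eap_type: Optional[str]   # "EAP-MSCHAPv2", "EAP-TLS", or None (no EAP)
    endpoint_mac: str         # Calling-Station-Id from the RADIUS request
    byod_registered: bool     # BYOD-registered flag on the endpoint object in ISE
    cert_sans: List[str]      # SAN entries of the presented client certificate (assumed plain MACs)

def mac_in_san(endpoint_mac: str, cert_sans: List[str]) -> bool:
    """Rule 3 check: the endpoint's MAC must appear among the certificate's SAN entries."""
    want = normalize_mac(endpoint_mac)
    if want is None:
        return False
    return any(normalize_mac(san) == want for san in cert_sans)

def authorize(req: AuthzRequest) -> str:
    """First-match evaluation, in the order the rules are listed above."""
    wireless_dot1x = req.access_method == "Wireless_802.1X"
    # Rule 1: single-SSID onboarding, password authentication before the device has a cert
    if wireless_dot1x and req.eap_type == "EAP-MSCHAPv2":
        return BYOD_PORTAL_REDIRECT
    # Rule 2: dual-SSID onboarding; assumption: the guest SSID is open and uses MAB
    if req.access_method == "Wireless_MAB":
        return GUEST_REDIRECT
    # Rule 3: full access only when all four checks from the text hold
    if (wireless_dot1x and req.byod_registered and req.eap_type == "EAP-TLS"
            and mac_in_san(req.endpoint_mac, req.cert_sans)):
        return FULL_ACCESS
    return DENY
```

A certificate whose SAN carries a different MAC than the RADIUS Calling-Station-Id falls through to the default deny, which is the property the SAN check exists to enforce.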