Cisco ISE, Meraki, Wifi

Single SSID BYOD Onboarding

**This video builds on the previous video, BYOD with Device Registration and Native Supplicant Provisioning, so please be sure to watch it first for the certificate template configuration and some of the SSID configuration.**

In this video we configure ISE and wireless with a single SSID for WPA2-Enterprise to perform device registration and EAP-TLS provisioning.

3 thoughts on “Single SSID BYOD Onboarding”

  1. Hey Alex – Thanks for the great video!

    One challenge I am interested in fixing for a site of mine is reducing SSID counts. At this one property we have an SSID for Guest, Chromecast, Thermostats, POS, hotel admin traffic and then building management traffic. A nightmare SSID-wise, to say the least. My thought is that we should be able to get away with two SSIDs – one an unencrypted Guest / Option Onboarding SSID, and then a secure SSID allowing EAP-MSCHAPv2 and EAP-TLS. Would this be possible with ISE/Meraki integration? I.e., on the Guest/Onboarding SSID they would be able to either authenticate as a guest and get a group policy just allowing them online, or they could select the onboarding option and go through the certificate/profile downloading method to get on the secure — possibly even allowing guests to connect this way as well, but most certainly allowing for admin/POS devices using Meraki Group Policies to drive users to different VLANs and security settings based on their authentication method, system (POS vs admin, etc…) and device type.

    Thanks!
    Alex J

  2. Thanks for watching! You can absolutely combine guest web-auth with BYOD onboarding. This can be done by allowing employees to register devices and then building out some rules afterwards for those registered devices. I don’t see any issue with this design. A lot of the time, however, I like to have the SSIDs split out to make sure there is less potential for user error. While we network engineer folk may perfectly understand what is required, the standard user is usually baffled. I would also recommend, if you go this route, providing a step-by-step onboarding guide so that employees fully understand what they need to do without calling the helpdesk. Good luck!
