IOS Recommended version for ISE deployment:

Cat 2K/3K 12.2.55.SE3

Cat 4K 12.2(53)SG5
Cat 6K 12.2(33)SXI7
WLC 7.0.116.0

#################################################
//WEB AUTH Config
1. switch Config
- add ACL-WEBAUTH-REDIRECT for redirection
- check radius aaa auth-proxy and accounting
- check http(s) server activation
2. WLC config
- Security - Access Control Lists - create ACL-WEBAUTH-REDIRECT for redirection
- create dACL to be applied for clients (ACL-Guest)
- WLANs - Guest VLAN
- Advanced
- set AAA Overwrite
- NAC State - None (?? - check it's meaning)
- Security
- Layer3 - WebPolicy - Authentication
- WebAuth type - external - ISE Guest URL
- PreAuth ACL
- Overwrite global config
- AAA Servers
- Auth priority Order for WebAuth with Radius at the top

#################################################
BYOD
- necessary:
- have to provision native supplicants
- have to have CA to generate certif
- BYOD certifcate contains info about username and device (mac address)
- each user does self-registration
- can do blacklist of stolen or lost devices
- by default each user can registrate 5 devices

BYOD = wireless
- usally you use 2 SSIDs
1 secure SSID - only for employees
- provision = PEAP (username and client)
- actual connection = EAP_TLS (with generated device cert)
2 SSID - employee & guest (preferred)

- 1st SSID for provisioning - open SSID - login as guest or employee to provisio
n devices
- secured - my devices portal uses https
- 2nd SSID (can be hidden) for device itself after is has been provisioned with
the TLS-EAP method using certifs