
BYOD Overview
When BYOD (Bring Your Own Device) users are corporate users who bring their personal devices onto the company’s network, the arrangement introduces both flexibility and challenges for IT security and network management. Here’s an expanded look at what BYOD entails for corporate users, its benefits and challenges, and how Cisco ISE can help facilitate it securely and efficiently.
Overview of BYOD for Corporate Users
BYOD refers to the policy allowing employees (corporate users) to use their personal devices—such as smartphones, tablets, laptops, or other mobile devices—to access corporate resources and perform work-related tasks on the company’s network.
This approach offers greater flexibility and productivity but also introduces significant security concerns. A well-implemented BYOD strategy balances enabling access against maintaining strict security controls, especially since the company does not directly manage these devices.
Key Elements of BYOD for Corporate Users
1. Device Onboarding
- What is Onboarding? Onboarding refers to securely enrolling the employee’s personal device into the corporate network so that the user can access network resources (e.g., email, corporate apps, shared files).
- How is Onboarding Managed?
  - Corporate users typically log in to a self-service portal and authenticate (usually via corporate credentials, such as AD/LDAP or MFA).
  - Cisco ISE can facilitate device profiling to identify the type of device, operating system, and security posture.
  - During onboarding, a device health check is performed, and necessary network configurations (like Wi-Fi settings and security profiles) are automatically pushed to the device.
2. Authentication and Authorization
- Corporate users need to authenticate their personal devices before they can access company resources.
- Cisco ISE typically uses certificate-based authentication (e.g., EAP-TLS), which involves issuing a digital certificate to the personal device during onboarding.
- Authorization policies ensure users have access only to the resources they need, based on their role in the organization, the device they are using, and that device’s compliance with security standards (e.g., whether it is up to date with patches and antivirus).
3. Security Policies and Enforcement
- Network Access Control (NAC) ensures that devices meet the organization’s security policies before being allowed access to the network.
- Cisco ISE can enforce policies such as requiring encryption, up-to-date operating systems, or specific device configurations (e.g., VPN, firewall, or password policies).
- If a personal device does not meet the security requirements, it can be assigned limited network access (quarantine VLAN) until it complies.
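To make the authorization logic in sections 2 and 3 concrete, here is an added Python model (not Cisco ISE’s own policy engine or API) of a first-match authorization policy: an approved corporate user presenting an EAP-TLS certificate from the ISE CA with a compliant posture lands in the DMZ anchor, a failed posture lands in the quarantine VLAN, an approved user without that certificate is sent to onboarding, and everything else is denied. The AD group name, CA name, profile names and internal subnets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Attributes ISE would learn about one access attempt (field names are assumed).
@dataclass
class Session:
    username: str
    ad_groups: List[str]           # groups returned by the AD/LDAP lookup
    eap_method: str                # e.g. "EAP-TLS" or "PEAP-MSCHAPv2"
    cert_issuer: Optional[str]     # issuer DN of the client certificate, if any
    posture: str                   # "compliant", "non-compliant" or "unknown"
    device_type: str               # from device profiling, e.g. "Windows"

@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str                    # authorization profile / VLAN assignment

ISE_CA = "CN=ISE Internal CA"      # constructed issuer name for the ISE CA
BYOD_GROUP = "BYOD-Approved"       # constructed AD group for approved BYOD users

def is_approved_byod(s: Session) -> bool:
    return BYOD_GROUP in s.ad_groups

def has_ise_cert(s: Session) -> bool:
    # Only a certificate issued by the ISE CA counts as "onboarded".
    return s.eap_method == "EAP-TLS" and s.cert_issuer == ISE_CA

# Ordered like an ISE authorization policy: the first matching rule wins.
POLICY = [
    Rule("BYOD compliant", lambda s: is_approved_byod(s) and has_ise_cert(s)
         and s.posture == "compliant", "BYOD-DMZ-Anchor"),
    Rule("BYOD posture failed", lambda s: is_approved_byod(s) and has_ise_cert(s),
         "Quarantine-VLAN"),
    Rule("BYOD not onboarded", is_approved_byod, "BYOD-Onboarding-Portal"),
    Rule("Default", lambda s: True, "DenyAccess"),
]

def authorize(session: Session, policy=POLICY) -> Tuple[str, str]:
    """Evaluate rules top-down and return (rule name, authorization result)."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.result
    raise RuntimeError("policy has no default rule")

# Model of the DMZ anchor ACL: internet only, internal ranges blocked (constructed).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def dmz_anchor_permits(dst_ip: str) -> bool:
    ip = ipaddress.ip_address(dst_ip)
    return not any(ip in net for net in INTERNAL_NETS)
```

The `dmz_anchor_permits` check mirrors the last verification step below: a fully onboarded device must reach the internet while every internal destination is refused.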
Windows – Non-approved BYOD user
Windows – Approved BYOD user
Review the ISE logs.
Verify that Cisco ISE (Certificate Authority) issued a certificate.
Verify that the user is “anchored” into the DMZ after successfully onboarding.
Internal (Foreign) WLC
DMZ (Anchor) WLC
Verify that the client received a certificate on their personal device and can access the internet.
Certificate
User IP address
Most importantly – verify that the user CANNOT access internal resources.