topic Re: Access policy for MyDevices Portal in Endpoint Security

Access policy for MyDevices Portal

vigogne — Wed, 24 Mar 2021 05:59:00 GMT

Tell me please. Is it is possible to create an access policy for the MyDevices portal to allow access only to a certain group in AD?
At the moment, I have done this way:

In the Identity Source Sequences at MyDevice_Portal_Sequence I left "Internal Users" Identity Source only. Then I added the Network Access User with the same name as in the AD Database and password type as AD Sequence.

It works, but it is very inconvenient and not flexible.

And second question. How can I modify MyDevices Portal for add in standard form combo-box with selecting endpoint group?

Re: Access policy for MyDevices Portal

ppreenja — Fri, 26 Mar 2021 05:14:37 GMT

Hi,

You can post your query in the below community channel:

https://community.cisco.com/t5/network-access-control/bd-p/discussions-network-access-control

Cheers,

Pratham

Re: Access policy for MyDevices Portal

vigogne — Fri, 26 Mar 2021 05:46:25 GMT

Thank you! Perhaps this is what I will do )

Re: Access policy for MyDevices Portal

Arne Bier — Mon, 12 Jul 2021 05:30:54 GMT

Hi @vigogne and @ppreenja

I have not scanned the Community questions in a little while and this one passed me by. But I have a solution for you. Did you find a solution in the end?

It so happens that I saw this work in a customer and it's quite unbelievable.

The trick is to tell the MyDevices Portal to NOT use AD or ISE Local users as the Authentication source, but use ISE Loopback addresses instead. WHAT? ISE has loopback addresses as an Identity Source? No, not by default, but this is where the hack starts.

Create a Loopback by defining ISE as a "RADIUS Token Server" - you're telling ISE that there is a token server (which is itself … max up to 2 servers can be defined.

The RADIUS shared secret must be the same as the shared secret mentioned further below … it's not used anywhere else other than here (in the token server definition) and later on, in the ISE NAD definition.

Then use that ISE Loopback definition to modify the standard My Devices Sequence

Hilarious isn't it 🙂 You have to create RADIUS Clients (NAD) definitions for each of the token servers (which in production would be most likely dedicated PSN nodes) - create a new Device TYPE called ISE_MyDevicesPortal (or whatever) and then use the same RADIUS shared secret as used before in the Token server definition.

I have some screenshots but they are taken from a customer setup -I have not sanitised them for this Community - but I think you should be ok with the information above.

The bottom line is that with this hack, The My Devices Portal will cause ISE to make RADIUS requests to ITSELF and you can catch these requests in the standard Policy Set.

Let me know how you get on

Re: Access policy for MyDevices Portal

vigogne — Mon, 12 Jul 2021 06:22:10 GMT

Oh, thank you very much!

I have already been prompted for a similar solution.

https://community.cisco.com/t5/security-documents/ise-sponsor-amp-my-devices-authorization-on-secondary-attributes/ta-p/3641379

This solution is really from the category of hacking skill )) But it works!

Re: Access policy for MyDevices Portal

spartan78 — Wed, 06 Aug 2025 20:13:28 GMT

Hello

I had question, I can get this solution to work in 3.4 however it is saying PAP not allowed, is there a way to change the auth type for my device portal to something more secure?