https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289937#M108090 <HTML><HEAD></HEAD><BODY><P>Yeah you have to deploy certificate to authenticate devices and user&nbsp; with non-exportable private key. That is the only way by which you can&nbsp; achieve your goal.</P></BODY></HTML> Mon, 26 Aug 2013 03:10:44 GMT Ravi Singh 2013-08-26T03:10:44Z https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289935#M108086 <P>I am trying to determine if there is a way to limit the number of logins. Basically, the requirement is to allow a user X number of concurrent logins, but restrict those logins to the first X machines they log into.&nbsp; The requirement is to prevent users from passing their credentials around to other unauthorized users.</P> Mon, 11 Mar 2019 03:48:33 GMT https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289935#M108086 MMstre 2019-03-11T03:48:33Z https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289936#M108088 <HTML><HEAD></HEAD><BODY><P>Michael,</P><P></P><P>You can only restrict guests to one concurrent login of 1 or unlimited. However if you have a list of all mac addresses, you can import them into ise and statically assign them to a endpoint group, from there you can combine a policy that only allows users to connect with a device that you assigned to an endpoint group with a valid AD account.</P><P></P><P>However your best bet is to deploy certificates if you run in an AD environment where all devices are joined to the domain, it is very simple to use group policies to deploy certificates which you can make the private keys not exportable. Then you can switch your authentication policy so that certs are used instead of passwords.</P><P></P><P>Let me know if you run all users in AD or if you would like some info on certificate enrollment</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Sun, 25 Aug 2013 07:06:59 GMT https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289936#M108088 Tarik Admani 2013-08-25T07:06:59Z https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289937#M108090 <HTML><HEAD></HEAD><BODY><P>Yeah you have to deploy certificate to authenticate devices and user&nbsp; with non-exportable private key. That is the only way by which you can&nbsp; achieve your goal.</P></BODY></HTML> Mon, 26 Aug 2013 03:10:44 GMT https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289937#M108090 Ravi Singh 2013-08-26T03:10:44Z https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289938#M108093 <HTML><HEAD></HEAD><BODY><P>ISE-1.1 version does not support the limits on concurrent logins but ISE 1.2 support this function.</P><P>Release Notes for Cisco Identity Services Engine, Release 1.2</P><P><A href="http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html">http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html</A></P></BODY></HTML> Tue, 27 Aug 2013 17:11:45 GMT https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289938#M108093 aqjaved 2013-08-27T17:11:45Z https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289939#M108111 <HTML><HEAD></HEAD><BODY><P>Aqeel,</P><P></P><P>It was my understanding the ISE 1.2 only allows this feature for guests</P><P></P><P>thanks,</P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Tue, 27 Aug 2013 17:17:59 GMT https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289939#M108111 Tarik Admani 2013-08-27T17:17:59Z https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289940#M108138 <HTML><HEAD></HEAD><BODY><P> Please find the attached solution.<IMG src="http://supportforums.cisco.com/sites/default/files/legacy/3/4/9/152943-111.jpg" class="jive-image" /></P></BODY></HTML> Tue, 27 Aug 2013 19:13:46 GMT https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289940#M108138 blenka 2013-08-27T19:13:46Z https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289941#M108206 <HTML><HEAD></HEAD><BODY><P>Guys,</P><P></P><P>The initial question is around dot1x authentication. Please take some time to understand the question above. This has nothing to do with Administrative access nor does it involve guests.</P><P></P><P>Thanks,</P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Tue, 27 Aug 2013 19:33:14 GMT https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289941#M108206 Tarik Admani 2013-08-27T19:33:14Z https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289942#M108227 <HTML><HEAD></HEAD><BODY><P> Hi Tarik,</P><P></P><P>Thanks for the suggestions.&nbsp; However, at this time, the deployment is going to be a live pilot (I know, dangerous move lol), but its what is going to convince the customer of ISE's features.</P><P>Cert services isn't an option at this time, due to time constraints and the environment this is being rolled out to.</P><P>it's basically a trade show and they are allowing all invitees to use their network, but cant deploy certs, or expect the invitees to be able to install them. Apparently, these guests have been known to pass around credentials and this is what they are trying to prevent.</P><P>I have locked them down to 3 concurrent connections, but i am not sure if that will do the trick.</P><P>Thoughts?</P><P></P><P>thanks again for you reply</P></BODY></HTML> Tue, 27 Aug 2013 20:10:39 GMT https://community.cisco.com/t5/network-access-control/ise-lock-accounts-to-machines/m-p/2289942#M108227 MMstre 2013-08-27T20:10:39Z