https://community.cisco.com/t5/network-access-control/ise-dynamic-vlan-assignment-based-on-auth-type/m-p/3798652#M485294 <P>You can configure machine authentication.&nbsp; BYOD device will not be part to domain computers so with machine authentication you can differentiate between personal and corporate devices.</P> Sun, 10 Feb 2019 12:32:33 GMT pan 2019-02-10T12:32:33Z https://community.cisco.com/t5/network-access-control/ise-dynamic-vlan-assignment-based-on-auth-type/m-p/3798580#M485290 <P>Hello,</P> <P>&nbsp;</P> <P>I'm trying&nbsp;configure a single SSID where both Corporate Laptops and BYOD Laptops can connect, BYOD devices will be non-domain joined, but users will have an AD account. Corporate Laptops will use PEAP-MSCHAPv2 and BYOD Laptops will use PEAP to authenticate. I wanted to dynamically place BYOD devices on separate VLAN to have restricted access compared to Corporate Laptop. What would be the best way to achieve this using ISE</P> <P>&nbsp;</P> <P>Thanks</P> Sun, 10 Feb 2019 05:23:02 GMT https://community.cisco.com/t5/network-access-control/ise-dynamic-vlan-assignment-based-on-auth-type/m-p/3798580#M485290 wick54namal 2019-02-10T05:23:02Z https://community.cisco.com/t5/network-access-control/ise-dynamic-vlan-assignment-based-on-auth-type/m-p/3798652#M485294 <P>You can configure machine authentication.&nbsp; BYOD device will not be part to domain computers so with machine authentication you can differentiate between personal and corporate devices.</P> Sun, 10 Feb 2019 12:32:33 GMT https://community.cisco.com/t5/network-access-control/ise-dynamic-vlan-assignment-based-on-auth-type/m-p/3798652#M485294 pan 2019-02-10T12:32:33Z https://community.cisco.com/t5/network-access-control/ise-dynamic-vlan-assignment-based-on-auth-type/m-p/3798691#M485298 <P>This is a common setup and using PEAP computer for corporate devices and PEAP user for the BYOD mobile devices with a VLAN move will work.&nbsp; The only thing to watch out for is account lockout issues.&nbsp; When AD account passwords change the users forget they have it programmed into their BYOD mobile devices and their accounts will get locked.</P> Sun, 10 Feb 2019 15:45:09 GMT https://community.cisco.com/t5/network-access-control/ise-dynamic-vlan-assignment-based-on-auth-type/m-p/3798691#M485298 paul 2019-02-10T15:45:09Z https://community.cisco.com/t5/network-access-control/ise-dynamic-vlan-assignment-based-on-auth-type/m-p/3802087#M485300 <P>You have several options to accomplish your requirement.&nbsp; Here are a few ideas that&nbsp;will assist you:</P><P>Setup separate global policies with different allowed protocol profiles and build policies separately this way;</P><P>Use the same global policy that allows both desired protocols, but configure several authorization policies.&nbsp; For example, for domain joined members you could setup conditions that match specific identity groups in AD that your objects are a part of.&nbsp; Then based on the condition match you assign your result that assigns them to their respective vlan.&nbsp; Then at the bottom you have your default rule for BYOD that are non-domain members that assigns them to a different vlan and possibly even throws a dacl out;</P><P>Another option you could look into is potentially using client provisioning for the BYOD devices. However, this introduces quite a few things from a configuration standpoint.&nbsp; You could even potentially use ISE posture assessment to perform some sort of security check requirements prior to giving these BYOD devices access even to your restricted vlan.</P><P>&nbsp;</P><P>HTH!</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 14 Feb 2019 17:46:37 GMT https://community.cisco.com/t5/network-access-control/ise-dynamic-vlan-assignment-based-on-auth-type/m-p/3802087#M485300 Mike.Cifelli 2019-02-14T17:46:37Z