https://community.cisco.com/t5/network-access-control/time-of-day-per-user-application-restriction/m-p/3457635#M530574 <HTML><HEAD></HEAD><BODY><P>ISE can’t control the app usage time, like Hsing said that would be MDM possibly.</P><P></P><P>But we can control access to the resources in the network. Either by time in the authz rules or location (with MSE 8 integration). You could assign a tag to the permissions and restrict using WSA policy what internet sites. This tag could also restrict at the datacenter as well. This would be SGT (trustsec) tagging</P><P></P><P>This could also be done with ACL or VLAN on the internal networks.</P></BODY></HTML> Fri, 24 Mar 2017 20:46:06 GMT Jason Kunst 2017-03-24T20:46:06Z https://community.cisco.com/t5/network-access-control/time-of-day-per-user-application-restriction/m-p/3457632#M530571 <HTML><HEAD></HEAD><BODY><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">For Customer RFP response - A customer would like to authenticate wireless users - which may be on laptops or smart devices (ipad/iphone and similar) and apply an AVC profile to a flexconnect wireless client.</P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">But for certain times of the day, then restrict the users only to certain applications.</P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">The example being schools.</P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">During lesson time they want to allow to application for classroom use and block internet, but during breaks, potentially allow internet and other applications, but then restrict when back in class sessions again.</P><P></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">Is there an easy method within ISE to achieve this?</P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">If you authenticate and have AAA override with AVC profiles pushed to clients, then would you need to force a re-auth, in-order for any new avc profiles to be pushed for different times of day?</P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">Or, would you need to have a constant posture assessment on to evaluate client devices an allow apps?</P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">Or, could you allow applications on a per location basis - therefore, if in classroom, allow app's x,y,z or if not in classroom allow apps a,b,c ? - assume you would need pretty good location capability for this?</P><P></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">open to any suggestions of a good approach.</P><P></P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">Many thanks,</P><P style="font-size: 15px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #58585b;">Jason</P></BODY></HTML> Fri, 24 Mar 2017 20:31:00 GMT https://community.cisco.com/t5/network-access-control/time-of-day-per-user-application-restriction/m-p/3457632#M530571 Jason Tyler 2017-03-24T20:31:00Z https://community.cisco.com/t5/network-access-control/time-of-day-per-user-application-restriction/m-p/3457633#M530572 <HTML><HEAD></HEAD><BODY><P>Are the applications actual apps on the device or are they applications they access in the internal environment?</P><P></P><P>Meaning if we blocked internet in the network (using authz rules) and allowed internal site access while in the classroom would this work?</P><P></P><P>Or they want to restrict actual apps from usage on the Mobile devices?</P></BODY></HTML> Fri, 24 Mar 2017 20:34:08 GMT https://community.cisco.com/t5/network-access-control/time-of-day-per-user-application-restriction/m-p/3457633#M530572 Jason Kunst 2017-03-24T20:34:08Z https://community.cisco.com/t5/network-access-control/time-of-day-per-user-application-restriction/m-p/3457634#M530573 <HTML><HEAD></HEAD><BODY><P>I believe that there could be a combination of both.</P><P></P><P>So, for example, they may wish to block youtube, for example, during lesson time, but allow during breaks.</P><P>But also, allow access to apps on the devices themselves whilst in class, but not when during break.</P><P></P><P>Apologies I cannot give you more information as yet, as this was a very quick question during an RFP conversation.</P><P></P><P>Many thanks</P></BODY></HTML> Fri, 24 Mar 2017 20:38:44 GMT https://community.cisco.com/t5/network-access-control/time-of-day-per-user-application-restriction/m-p/3457634#M530573 Jason Tyler 2017-03-24T20:38:44Z https://community.cisco.com/t5/network-access-control/time-of-day-per-user-application-restriction/m-p/3457635#M530574 <HTML><HEAD></HEAD><BODY><P>ISE can’t control the app usage time, like Hsing said that would be MDM possibly.</P><P></P><P>But we can control access to the resources in the network. Either by time in the authz rules or location (with MSE 8 integration). You could assign a tag to the permissions and restrict using WSA policy what internet sites. This tag could also restrict at the datacenter as well. This would be SGT (trustsec) tagging</P><P></P><P>This could also be done with ACL or VLAN on the internal networks.</P></BODY></HTML> Fri, 24 Mar 2017 20:46:06 GMT https://community.cisco.com/t5/network-access-control/time-of-day-per-user-application-restriction/m-p/3457635#M530574 Jason Kunst 2017-03-24T20:46:06Z https://community.cisco.com/t5/network-access-control/time-of-day-per-user-application-restriction/m-p/3457636#M530575 <HTML><HEAD></HEAD><BODY><P>No Problems Jason, this is as i suspected, but just wanted to confirm.</P><P></P><P>Many thanks,</P><P>j</P></BODY></HTML> Fri, 24 Mar 2017 20:51:49 GMT https://community.cisco.com/t5/network-access-control/time-of-day-per-user-application-restriction/m-p/3457636#M530575 Jason Tyler 2017-03-24T20:51:49Z