topic Re: ISE Policy to differentiate Windows and Apple in Network Access Control

ISE Policy to differentiate Windows and Apple

paul46 — Fri, 21 Feb 2020 18:38:43 GMT

Implementing wireless solution on ISE 2.3. Let me provide some details before I ask the question.

Want to authenticate windows machines using EAP-TLS via unique certificate. For all Apple iOS devices, want to authenticate via AirWatch. There will be two SSIDs - WiFiWindows and WiFiApple

For Windows

1. A corporate device connects to WiFiWindows and presents certificate

2. ISE validates certificates and provides corporate access

for Apple

1. An iOS device connects to WiFiApple

2. ISE makes an API call to MDM (AirWatch) and checks device's registration status

3. If device is registered, corporate certificates is installed on devices to get full corporate access

question

How to prevent Apple iOS devices to join WiFiWindows? In other words, windows and apple have same corporate certificate, but when Apple device joins WiFiWindows, access should be denied.

Re: ISE Policy to differentiate Windows and Apple

Mohammed al Baqari — Sun, 12 Nov 2017 11:03:58 GMT

In your authorization rule you can combine Airespace-WLAN-ID with Endpoint
Identity Group. For example in your WLC if your win-ssid is having id 1 and
you are profiling your windows endpoints in win-identity-group. In this
case you authorization rule should match Airespace-WLAN-ID=1 & Endpoint
Identity Group=win-identity-group

Re: ISE Policy to differentiate Windows and Apple

paul46 — Sun, 12 Nov 2017 22:34:15 GMT

Thanks Mohammed

Is there any solution without profiling?

Re: ISE Policy to differentiate Windows and Apple

Mohammed al Baqari — Mon, 13 Nov 2017 02:25:10 GMT

I an sure that you can match the oui portion of the radius
calling-station-id to detect apple device versus dell for example.

But detecting the os require profiling as its detected with snmp traps and
nmap scans

Re: ISE Policy to differentiate Windows and Apple

paul46 — Mon, 13 Nov 2017 02:27:50 GMT

Thank you Mohammed