topic Re: cisco ise in Network Access Control

cisco ise

bluesea2010 — Thu, 07 Jul 2022 08:30:02 GMT

Hi,

I have cisco ise base license , and one ssid with dot1x authentication.

If anyone use corporate device ,I want put them in vlan 10 if not I want put them guest vlan or just give them internet access

or just give them the privilege's of guest users

Thanks

Re: cisco ise

balaji.bandi — Thu, 07 Jul 2022 10:43:50 GMT

look at the guide below you may help you :

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212419-configure-per-user-dynamic-access-contro.html

Re: cisco ise

bluesea2010 — Thu, 07 Jul 2022 10:58:01 GMT

Hi,

The above is dynamic acl ,this will not help

Re: cisco ise

Aref Alsouqi — Thu, 07 Jul 2022 11:16:32 GMT

You can achieve that by configuring a specific authorization rule that will match the corp devices traffic, where you will also have an authorization profile associated to that rule which in turn will have the VLAN10 configured. For the devices that won't match the corp rule you can rely on the default authorization rule and associate an authorization profile where you have the guest VLAN defined. Alternatively, you can create a custom rule that would match those personal devices and place them into the guest VLAN, however, this won't be an easy one as you wouldn't know all the device types and attributes of those personal devices to make a 100% match. If you want to be more specific in what to allow and deny for the personal device then you can define an dACL and configure it in the authorization profile that would be then associated to the personal devices authorization rule. Regarding the way to deal with the dACLs in this case it depends on what WLC you have, if you have an old one then the dACL should be created on the WLC and referenced in ISE authorization profile in the airespace ACL name section. However, if you have the 9800 WLC then you can define the ACL on ISE itself in the same way you do this for the switches.

Re: cisco ise

thomas — Fri, 08 Jul 2022 22:15:35 GMT

"Corporate Device" implies the use of a digital certificate for authentication to identify it as a managed endpoint.

Are your corporate endpoints provisioned with wired or wireless network profiles to use a digital certificate for authentication with 802.1X or a specific SSID?

If not, you will need an MDM or other computer management tool to configure it (SCCM, etc).

You may configure the Guest VLAN as the default VLAN on a switch. See .

For wireless, you should be using a totally separate Guest SSID to clearly indicate guest services. See .

Re: cisco ise

bluesea2010 — Fri, 15 Jul 2022 10:13:59 GMT

Hi,

You mean to use EAP-TLS (certificate based authentication ) for corporate devices ,In that case how to do byod devices ?

Thanks

Re: cisco ise

ahollifield — Fri, 15 Jul 2022 14:12:43 GMT

MDM >>>> BYOD