topic Re: Wifi access depending on Endpoint name in Network Access Control

Wifi access depending on Endpoint name

Daniel-Clark — Fri, 15 Aug 2025 11:03:04 GMT

Hi all.

Im sure this will be a simple one to answer. Using ISE 3.2 to authenticate users on wifi. Setting up a new policy for iphones/ipads for corporate users. We want them to not be able to connect to this SSID with a personal device. We will be using 802.1x, with AD authetication so users log in with their own credentials, and this is all working fine.

Trying to add an additional condition of saying "Only allow the user to connect if their iphone name contains XXX" but cant seem to be able to do this. We have everything else setup in terms of certificates (The devices auto trust the certificate so a bit pointless!), usernames etc but you can connect personal phones to the SSID and want to limit this to only our corporate devices

Any help and advice gratefully received

Re: Wifi access depending on Endpoint name

Rob Ingram — Fri, 15 Aug 2025 11:46:09 GMT

@Daniel-Clark perhaps use Username CONTAINS XXX in an authorisation policy rule, i.e., -

Or if using username/password, match on the AD group the devices are a member of.

Or perhaps there is another unique attribute in the user's account attribute/certificate that can distinguish between the devices?

Re: Wifi access depending on Endpoint name

MHM Cisco World — Fri, 15 Aug 2025 10:59:42 GMT

if you use WLC 9800 then try use iPSK
MHM

Re: Wifi access depending on Endpoint name

MHM Cisco World — Fri, 15 Aug 2025 11:04:52 GMT

if you dont use WLC 9800
try add phone username/password to different internal identity store
then in Authz match this internal identity
MHM

Re: Wifi access depending on Endpoint name

Torbjørn — Fri, 15 Aug 2025 12:31:03 GMT

Hello @Daniel-Clark ,

I think the best way to solve this is to authenticate corporate devices by machine certificate pushed from MDM/through group policy. This is a far stronger method of authentication than authenticating by device name + AD credentials. See the following configuration guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html

Re: Wifi access depending on Endpoint name

Dustin Anderson — Fri, 15 Aug 2025 13:21:28 GMT

So, for what you want to do, I really don't know of a way other than what Torbjørn mentioned and use an MDM.

I'm not sure the scale you are on, so there are some things you could do, but a lot of manual work. Such as making a group of just the MAC addresses of the devices, but with random MAC and such can be a pain.

Couple questions to ask before making it a lot of work for yourself. Do these iPhones/iPads get internal access, and if so why? and if they don't, then do you care if they connect a personal device?

I was looking through mine and even though you can get profiling with DHCP, I can't find the device name picked up. So I don't see anything for an option by device name.