Beginner

Best policy for non 802.1x devices

Hi!

I know that MAB is not secure, but at times you have to allow devices like Android or Amazon sticks, so what's the best way or policy to give access to such devices?

Thanks

Accepted Solutions
Cisco Employee

Re: Best policy for non 802.1x devices

Depends on the customer policy, but typically customers assign Internet-only access to devices that they cannot control or manage.

Enthusiast

Re: Best policy for non 802.1x devices

I'm not sure what the 'best' is, but I typically just write my policies so that two conditions must be met. Perhaps:

  • Endpoint exists in identity group + these specific DHCP parameters

This can be difficult if you have devices that use static IPs instead. I've found that DHCP is your friend with ISE. You could probably also use the Custom Attributes field within the endpoint properties, though I have not tried this.

Ideally, Anomalous Behavior detection would help here, but that feature seems so half-baked to me that I would never use it in its current state.

Beginner

Re: Best policy for non 802.1x devices

Thanks. I have to give access to these devices to some part of the network due to a project. Also, so far I found that Meraki doesn't support dACL, so I cannot implement an ACL over that. I don't have a firewall to filter traffic between the VLANs, so I will see if I can set up some ACL on the SVI.

Beginner

Re: Best policy for non 802.1x devices

Any example of DHCP you implemented?

Enthusiast

Re: Best policy for non 802.1x devices

I'm not sure what you mean... we use Windows DHCP.
If you set up ISE PSNs as helper IPs, then the DHCP parameters will be received by ISE.
Then also, on your profiling configuration, you would want to enable the DHCP probe.

Beginner

Re: Best policy for non 802.1x devices

I have read about this while deploying 1.4, but right now I am thinking of having the MAC addresses of the devices and then creating an identity group and just triggering my policy on it.

I am allowing the continue option on authentication if the device MAC address is not found in the database.
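As an added illustration of the two-condition approach from the Enthusiast's reply (endpoint in an identity group plus specific DHCP profiling attributes) and of the "continue if the MAC is not found" authentication option in the last post, here is a small Python model of that authorization logic. It is example code, not Cisco ISE code or anything the posters wrote; the MAC addresses, DHCP attribute names and values, session data, and profile names are constructed assumptions.

```python
# Constructed identity group: MAC addresses collected from the project devices.
IDENTITY_GROUPS = {
    "Project-Media-Devices": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed DHCP profiling attributes the group must present (assumed attribute
# names, modelled on what the DHCP probe learns when the PSN is an IP helper).
DHCP_CONDITIONS = {
    "Project-Media-Devices": {
        "dhcp-class-identifier": "android-dhcp-10",
        "dhcp-parameter-request-list": "1,3,6,15,26,28,51,58,59,43",
    },
}

def authenticate_mab(endpoint, groups=IDENTITY_GROUPS):
    """MAB lookup of the MAC in the endpoint store. An unknown MAC returns
    'Continue' (the 'if user not found: Continue' option) so the session still
    reaches authorization and lands on the default rule instead of being rejected."""
    mac = endpoint["mac"].lower()
    return "Found" if any(mac in macs for macs in groups.values()) else "Continue"

def dhcp_matches(endpoint, group, conditions=DHCP_CONDITIONS):
    """Second condition: every expected DHCP attribute must be present and equal.
    A static-IP device (no DHCP data) or a cloned MAC with a different DHCP
    fingerprint fails here even though the MAC itself is in the identity group."""
    seen = endpoint.get("dhcp", {})
    return all(seen.get(k) == v for k, v in conditions.get(group, {}).items())

def authorize(endpoint, groups=IDENTITY_GROUPS, conditions=DHCP_CONDITIONS):
    """Ordered rules, first match wins. Returns (auth_result, auth_profile)."""
    auth = authenticate_mab(endpoint, groups)
    for group, macs in groups.items():
        if endpoint["mac"].lower() in macs and dhcp_matches(endpoint, group, conditions):
            return auth, "PermitProjectVLAN"   # both conditions met
    return auth, "InternetOnly"                # default for unmanaged/unknown devices

# Constructed sessions: a genuine device, a MAC clone with a PC-style DHCP
# fingerprint, a static-IP device from the group, and a MAC nobody registered.
SESSIONS = {
    "genuine": {"mac": "AA:BB:CC:00:00:01", "dhcp": dict(DHCP_CONDITIONS["Project-Media-Devices"])},
    "mac_clone": {"mac": "AA:BB:CC:00:00:01", "dhcp": {"dhcp-class-identifier": "MSFT 5.0"}},
    "static_ip": {"mac": "aa:bb:cc:00:00:02"},
    "unknown": {"mac": "dd:ee:ff:00:00:09", "dhcp": {"dhcp-class-identifier": "android-dhcp-10"}},
}

def evaluate_all(sessions=SESSIONS):
    """Run every constructed session through the policy; returns name -> (auth, profile)."""
    return {name: authorize(ep) for name, ep in sessions.items()}
```

Only the genuine session reaches the project VLAN; the cloned MAC, the static-IP device, and the unknown MAC all fall through to the Internet-only default, which is the static-IP caveat the reply warns about.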