Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1028
Views
0
Helpful
6
Replies

Best policy for non 802.1x devices

Go to solution
Capricorn
Level 1
Level 1

‎10-17-2018 07:15 AM

Hi!

 

I know that MAB is not secure but at times you have to allow devices like android, amazon sticks so whats the best way or policy to give access to such devices?

 

Thanks

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎10-17-2018 07:26 AM

Depends on the customer policy, but typically customers assign Internet only access for devices that they cannot control or manage.

View solution in original post

0 Helpful

Go to solution
anthonylofreso
Level 4
Level 4

‎10-17-2018 07:29 AM

I'm not sure what the 'best' is, but I typically just write my policies so that two conditions must be met. Perhaps:

  • Endpoint exists in identity group + these specific DHCP parameters

This can be difficult if you have devices that use static IPs instead. I've found, that DHCP is your friend with ISE. You could probably also use the Custom Attributes field within the endpoint properties, though I have not tried this.

Ideally, Anomalous Behavior detection would help here, but that feature seems so half baked to me, that I would never use it current state.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
howon
Cisco Employee
Cisco Employee

‎10-17-2018 07:26 AM

Depends on the customer policy, but typically customers assign Internet only access for devices that they cannot control or manage.

0 Helpful

Go to solution
Capricorn
Level 1
Level 1
In response to howon

‎10-17-2018 12:29 PM

Thanks. I have to give access to these devices to some part of network due to project. Also so far I found that Meraki doesnt support dACL so I cannot implement ACL over that. I dont have firewall to filter traffic between the VLANs so I will see if I can setup some ACL on the SVI.
0 Helpful

Go to solution
anthonylofreso
Level 4
Level 4

‎10-17-2018 07:29 AM

I'm not sure what the 'best' is, but I typically just write my policies so that two conditions must be met. Perhaps:

  • Endpoint exists in identity group + these specific DHCP parameters

This can be difficult if you have devices that use static IPs instead. I've found, that DHCP is your friend with ISE. You could probably also use the Custom Attributes field within the endpoint properties, though I have not tried this.

Ideally, Anomalous Behavior detection would help here, but that feature seems so half baked to me, that I would never use it current state.

0 Helpful

Go to solution
Capricorn
Level 1
Level 1
In response to anthonylofreso

‎10-17-2018 12:29 PM

any example of DHCP you implmented?
0 Helpful

Go to solution
anthonylofreso
Level 4
Level 4
In response to Capricorn

‎10-17-2018 12:40 PM

I'm not sure what you mean... we use Windows DHCP.
if you setup ISE PSNs as helper IPs, then the DHCP parameters will be received by ISE.
Then also, on your profiling configuration, you would want to enable DHCP probe.
0 Helpful

Go to solution
Capricorn
Level 1
Level 1
In response to anthonylofreso

‎10-18-2018 12:46 PM

I have read about this while deploying 1.4 but right now I am thinking to have the MAC addresses of the devices and then create a identity group and just trigger my policy on it.

I am allowing the continue option on authentication if device mac address is not found in the data base.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents