Best policy for non 802.1x devices

Capricorn
Level 1

Hi!

I know that MAB is not secure, but at times you have to allow devices like Android or Amazon sticks, so what's the best way or policy to give access to such devices?

Thanks

6 Replies

howon
Cisco Employee

Depends on the customer policy, but typically customers assign Internet only access for devices that they cannot control or manage.

Thanks. I have to give access to these devices to some part of the network due to a project. Also, so far I found that Meraki doesn't support dACL, so I cannot implement an ACL over that. I don't have a firewall to filter traffic between the VLANs, so I will see if I can set up some ACL on the SVI.

anthonylofreso
Level 4

I'm not sure what the 'best' is, but I typically just write my policies so that two conditions must be met. Perhaps:

  • Endpoint exists in identity group + these specific DHCP parameters

This can be difficult if you have devices that use static IPs instead. I've found that DHCP is your friend with ISE. You could probably also use the Custom Attributes field within the endpoint properties, though I have not tried this.

Ideally, Anomalous Behavior detection would help here, but that feature seems so half-baked to me that I would never use it in its current state.

Any example of DHCP you implemented?

I'm not sure what you mean... we use Windows DHCP.
If you set up ISE PSNs as helper IPs, then the DHCP parameters will be received by ISE.
Then also, in your profiling configuration, you would want to enable the DHCP probe.

I have read about this while deploying 1.4, but right now I am thinking of having the MAC addresses of the devices, then creating an identity group and just triggering my policy on it.

I am allowing the continue option on authentication if the device MAC address is not found in the database.
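As an added illustration (not code from this thread, and not ISE's own logic), here is a small Python model of the two-condition MAB policy discussed above: the endpoint must be in an identity group and must present the DHCP parameters recorded for it, with the "continue if the MAC is not in the database" option giving unknown devices Internet-only access. The identity-group entries, MAC addresses and DHCP fingerprints are constructed for the example.

```python
from typing import Dict, Optional

# Constructed identity group: MAC addresses admitted via MAB, each paired with the
# DHCP attributes the endpoint is expected to present (the kind of values the ISE
# DHCP probe collects). All MACs and fingerprints here are made up for the example.
IDENTITY_GROUP: Dict[str, Dict[str, str]] = {
    "aa:bb:cc:00:00:01": {
        "dhcp-class-identifier": "android-dhcp-11",
        "dhcp-parameter-request-list": "1, 3, 6, 15, 26, 28, 51, 58, 59, 43",
    },
    "aa:bb:cc:00:00:02": {
        "dhcp-class-identifier": "udhcp 1.24.1",
        "dhcp-parameter-request-list": "1, 3, 6, 12, 15, 28, 42",
    },
}

CHECKED_ATTRS = ("dhcp-class-identifier", "dhcp-parameter-request-list")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:00:00:01, AA-BB-CC-00-00-01 or aabb.cc00.0001 forms."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def authorize(mac: str, dhcp_attrs: Optional[Dict[str, str]],
              continue_if_unknown: bool = True) -> str:
    """Evaluate the two-condition MAB policy for one session.

    PROJECT_VLAN  : MAC is in the identity group and every checked DHCP attribute matches.
    INTERNET_ONLY : MAC unknown and the 'continue' option is on (limited access only).
    DENY          : MAC unknown and 'continue' is off.
    QUARANTINE    : MAC is in the group but the DHCP evidence is missing or differs,
                    which is what a cloned MAC on a different device looks like.
    """
    expected = IDENTITY_GROUP.get(normalize_mac(mac))
    if expected is None:
        return "INTERNET_ONLY" if continue_if_unknown else "DENY"
    if not dhcp_attrs:
        # Static-IP device: no DHCP probe data, so the second condition cannot be verified.
        return "QUARANTINE"
    for attr in CHECKED_ATTRS:
        if dhcp_attrs.get(attr) != expected[attr]:
            return "QUARANTINE"
    return "PROJECT_VLAN"
```

The QUARANTINE branch is the point of requiring both conditions: a MAC alone is trivial to copy, so a known MAC arriving with a different DHCP fingerprint should get restricted access rather than the project VLAN.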