Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

452
Views
0
Helpful
6
Replies
Capricorn
Beginner
Beginner
‎10-17-2018 07:15 AM
‎10-17-2018 07:15 AM

Best policy for non 802.1x devices

Hi!

 

I know that MAB is not secure but at times you have to allow devices like android, amazon sticks so whats the best way or policy to give access to such devices?

 

Thanks

0 Helpful
2 ACCEPTED SOLUTIONS

Accepted Solutions
howon
Cisco Employee
Cisco Employee
‎10-17-2018 07:26 AM
‎10-17-2018 07:26 AM

Depends on the customer policy, but typically customers assign Internet only access for devices that they cannot control or manage.

View solution in original post

0 Helpful
anthonylofreso
Enthusiast
Enthusiast
‎10-17-2018 07:29 AM
‎10-17-2018 07:29 AM

I'm not sure what the 'best' is, but I typically just write my policies so that two conditions must be met. Perhaps:

  • Endpoint exists in identity group + these specific DHCP parameters

This can be difficult if you have devices that use static IPs instead. I've found, that DHCP is your friend with ISE. You could probably also use the Custom Attributes field within the endpoint properties, though I have not tried this.

Ideally, Anomalous Behavior detection would help here, but that feature seems so half baked to me, that I would never use it current state.

View solution in original post

0 Helpful
6 REPLIES 6
howon
Cisco Employee
Cisco Employee
‎10-17-2018 07:26 AM
‎10-17-2018 07:26 AM

Depends on the customer policy, but typically customers assign Internet only access for devices that they cannot control or manage.

View solution in original post

0 Helpful
Capricorn
Beginner
Beginner
In response to howon
‎10-17-2018 12:29 PM
‎10-17-2018 12:29 PM

Thanks. I have to give access to these devices to some part of network due to project. Also so far I found that Meraki doesnt support dACL so I cannot implement ACL over that. I dont have firewall to filter traffic between the VLANs so I will see if I can setup some ACL on the SVI.
0 Helpful
anthonylofreso
Enthusiast
Enthusiast
‎10-17-2018 07:29 AM
‎10-17-2018 07:29 AM

I'm not sure what the 'best' is, but I typically just write my policies so that two conditions must be met. Perhaps:

  • Endpoint exists in identity group + these specific DHCP parameters

This can be difficult if you have devices that use static IPs instead. I've found, that DHCP is your friend with ISE. You could probably also use the Custom Attributes field within the endpoint properties, though I have not tried this.

Ideally, Anomalous Behavior detection would help here, but that feature seems so half baked to me, that I would never use it current state.

View solution in original post

0 Helpful
Capricorn
Beginner
Beginner
In response to anthonylofreso
‎10-17-2018 12:29 PM
‎10-17-2018 12:29 PM

any example of DHCP you implmented?
0 Helpful
anthonylofreso
Enthusiast
Enthusiast
In response to Capricorn
‎10-17-2018 12:40 PM
‎10-17-2018 12:40 PM

I'm not sure what you mean... we use Windows DHCP.
if you setup ISE PSNs as helper IPs, then the DHCP parameters will be received by ISE.
Then also, on your profiling configuration, you would want to enable DHCP probe.
0 Helpful
Capricorn
Beginner
Beginner
In response to anthonylofreso
‎10-18-2018 12:46 PM
‎10-18-2018 12:46 PM

I have read about this while deploying 1.4 but right now I am thinking to have the MAC addresses of the devices and then create a identity group and just trigger my policy on it.

I am allowing the continue option on authentication if device mac address is not found in the data base.
0 Helpful
Latest Contents
Cisco and Radware - Securing your digital future
Created by Kelli Glass on 04-21-2021 05:16 PM
0
0
0
0
  Application Protection, Availability & Security Join our webinar May 6th to gain valuable industry insights into the most recent application cyber attacks and to understand the potential impact bot traffic is having on your business. Lear... view more
Cisco Wants your Feedback on the Secure Firewall Management ...
Created by caiharve on 04-21-2021 04:36 PM
0
0
0
0
Review the Cisco Secure Firewall Management Center (formally named "Firepower Management Center") on TrustRadius and receive a $25 gift card!     
ISE as RADIUS server for Password + Smart Card Authenticatio...
Created by deepuvarghese1 on 04-17-2021 06:22 AM
1
10
1
10
The purpose of this document is to demonstrate how ISE authenticate / authorize a user that uses a smart card (PIN + Certificate) and password mechanism to login their system. This document describes the components used for this setup, configuration of IS... view more
Email Security - QuoVadis Root Certificate Decommission Migh...
Created by dmccabej on 03-30-2021 09:32 AM
0
0
0
0
Problem Description For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b... view more
ISE REST APIs Webinar: April 6/7, 2021
Created by thomas on 03-25-2021 07:57 PM
2
5
2
5
  Register Now Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli... view more
Content for Community-Ad