Capricorn
Beginner

Best policy for non 802.1x devices

Hi!

I know that MAB is not secure, but at times you have to allow devices like Android devices and Amazon sticks, so what's the best way or policy to give access to such devices?

Thanks

6 Replies
howon
Cisco Employee

Depends on the customer policy, but typically customers assign Internet only access for devices that they cannot control or manage.


Thanks. I have to give access to these devices to some part of the network due to a project. Also, so far I found that Meraki doesn't support dACL, so I cannot implement an ACL over that. I don't have a firewall to filter traffic between the VLANs, so I will see if I can set up some ACL on the SVI.
anthonylofreso
Enthusiast

I'm not sure what the 'best' is, but I typically just write my policies so that two conditions must be met. Perhaps:

  • Endpoint exists in identity group + these specific DHCP parameters

This can be difficult if you have devices that use static IPs instead. I've found that DHCP is your friend with ISE. You could probably also use the Custom Attributes field within the endpoint properties, though I have not tried this.

Ideally, Anomalous Behavior detection would help here, but that feature seems so half-baked to me that I would never use it in its current state.


Any example of DHCP you implemented?

I'm not sure what you mean... we use Windows DHCP.
If you set up ISE PSNs as helper IPs, then the DHCP parameters will be received by ISE.
Then also, in your profiling configuration, you would want to enable the DHCP probe.

I have read about this while deploying 1.4, but right now I am thinking to have the MAC addresses of the devices and then create an identity group and just trigger my policy on it.

I am allowing the continue option on authentication if device mac address is not found in the data base.
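The following is an added example, not code from Cisco ISE or from any poster in this thread. It models the policy logic the thread converges on: MAB with "continue" on an unknown MAC, an authorization rule that requires both an identity-group match and matching DHCP parameters (as anthonylofreso's reply suggests), and an Internet-only result for everything else (howon's reply), including the static-IP case where ISE never sees a DHCP exchange. The endpoint records, group name, DHCP attribute names (`class-identifier`, `host-name`) and authorization result names are constructed stand-ins, not ISE's actual attribute or profile names.

```python
"""Model of a MAB authorization policy for non-802.1X devices (added example).

Rules are evaluated top-down, first match wins, as in an ISE authorization
policy. Endpoint data and attribute names below are constructed for the
example; they are not ISE's real attribute dictionary.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed authorization result names (in ISE these would be authz profiles)
DENY = "DenyAccess"
INTERNET_ONLY = "Internet_Only"
PROJECT_ACCESS = "Project_VLAN"

# Constructed identity group name for the project's streaming devices
PROJECT_GROUP = "Project_Streaming_Devices"


@dataclass
class Endpoint:
    mac: str
    identity_group: Optional[str] = None       # set when the MAC is registered
    dhcp: Dict[str, str] = field(default_factory=dict)  # filled only if ISE saw DHCP


# A rule is (name, condition, result). Conditions are plain predicates so the
# "two conditions must be met" pattern is just an `and`.
Rule = Tuple[str, Callable[[Endpoint], bool], str]


def in_group(group: str) -> Callable[[Endpoint], bool]:
    return lambda ep: ep.identity_group == group


def dhcp_class_prefix(prefix: str) -> Callable[[Endpoint], bool]:
    # Static-IP devices have no DHCP attributes, so this is False for them.
    return lambda ep: ep.dhcp.get("class-identifier", "").startswith(prefix)


def both(a: Callable[[Endpoint], bool], b: Callable[[Endpoint], bool]):
    return lambda ep: a(ep) and b(ep)


# Constructed rule set: identity group AND DHCP fingerprint -> project access;
# anything else that reaches authorization -> Internet only.
RULES: List[Rule] = [
    ("project-devices", both(in_group(PROJECT_GROUP), dhcp_class_prefix("android-dhcp")), PROJECT_ACCESS),
    ("default-mab", lambda ep: True, INTERNET_ONLY),
]


def authorize(ep: Endpoint, known_macs: Set[str], continue_on_unknown: bool = True,
              rules: List[Rule] = RULES) -> str:
    """Return the authorization result for one MAB attempt."""
    if ep.mac.lower() not in known_macs:
        # "Continue" on user-not-found lets the policy run with no group;
        # otherwise the MAB attempt is rejected outright.
        if not continue_on_unknown:
            return DENY
        ep = Endpoint(mac=ep.mac)  # unknown MAC carries no registered group
    for _name, cond, result in rules:
        if cond(ep):
            return result
    return DENY


def sample_run() -> Dict[str, str]:
    """Constructed endpoints covering the cases discussed in the thread."""
    known = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}
    registered = Endpoint("aa:bb:cc:00:00:01", PROJECT_GROUP,
                          {"class-identifier": "android-dhcp-11", "host-name": "tv-stick"})
    static_ip = Endpoint("aa:bb:cc:00:00:02", PROJECT_GROUP)  # no DHCP seen
    # Registered MAC, but the DHCP fingerprint is not the expected device:
    # the second condition fails, so it only gets Internet access.
    mismatch = Endpoint("aa:bb:cc:00:00:03", PROJECT_GROUP,
                        {"class-identifier": "MSFT 5.0"})
    unknown = Endpoint("11:22:33:44:55:66")
    return {
        "registered": authorize(registered, known),
        "static_ip": authorize(static_ip, known),
        "mismatch": authorize(mismatch, known),
        "unknown_continue": authorize(unknown, known),
        "unknown_reject": authorize(unknown, known, continue_on_unknown=False),
    }


if __name__ == "__main__":
    for case, result in sample_run().items():
        print(f"{case:17s} -> {result}")
```

The `static_ip` and `mismatch` cases show why the second condition matters: a registered MAC alone is enough for an Internet-only result, but project access also requires the DHCP fingerprint ISE learned through the helper-address/DHCP-probe path. A device with a static IP never produces that evidence and so lands in the default rule, which is the caveat anthonylofreso raises.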