BYOD Solution for MAC Randomized Endpoints

bassomarco1998
Level 1

Hello everyone,
While studying the BYOD topic, I had a doubt regarding the certificate that ISE sends to the client. Specifically, I am referring to the MAC address contained in the SAN field. From the following video (link), I saw that there is a solution that involves removing the "MAC_in_SAN" condition from the authorization policy. However, from the previous video, I cannot understand the use of the GUID. I would expect that within the authorization policy there would be a condition where the GUID of the client's certificate is compared with another field (similar to how the "MAC_in_SAN" condition compares the SAN with the RADIUS attribute "Calling_Station_Id"). In the video, it is mentioned that this GUID is managed through Context Visibility. Could you explain how this GUID is used in the authorization policy?
Thanks in advance.
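To make the "MAC_in_SAN" comparison in the question concrete, here is an added Python sketch (not from the original post and not Cisco ISE's own code) of what such a condition does: it normalizes the MAC spellings seen in RADIUS Calling-Station-Id and certificate SAN values, checks for a match, and flags a session MAC whose locally-administered bit is set, which is how a randomized MAC reveals itself after the certificate was issued. The sample SAN entries and MAC formats are constructed assumptions.

```python
import re
from typing import Iterable, Optional

# Randomized (private) MACs set the locally-administered bit: bit 1 of the
# first octet, so the second hex digit is 2, 6, A or E.
LOCALLY_ADMINISTERED_BIT = 0x02


def normalize_mac(value: str) -> Optional[str]:
    """Return a MAC as 12 lowercase hex digits, or None if value is not a MAC.

    Accepts AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and
    bare AABBCCDDEEFF (assumed spellings; formats vary by NAD and CA).
    """
    hex_only = re.sub(r"[:\-.]", "", value.strip()).lower()
    return hex_only if re.fullmatch(r"[0-9a-f]{12}", hex_only) else None


def is_locally_administered(mac: str) -> bool:
    """True if a normalized MAC carries the locally-administered bit,
    i.e. it looks randomized rather than burned-in."""
    return bool(int(mac[:2], 16) & LOCALLY_ADMINISTERED_BIT)


def mac_in_san_check(san_values: Iterable[str], calling_station_id: str) -> dict:
    """Emulate a MAC-in-SAN style authorization condition.

    Compares the RADIUS Calling-Station-Id against every SAN entry that
    parses as a MAC (non-MAC entries such as e-mail names are ignored) and
    reports whether the session MAC appears randomized, which explains a
    mismatch for a certificate that embedded the earlier MAC.
    """
    session_mac = normalize_mac(calling_station_id)
    san_macs = [m for m in (normalize_mac(v) for v in san_values) if m]
    return {
        "session_mac": session_mac,
        "san_macs": san_macs,
        "match": session_mac is not None and session_mac in san_macs,
        "session_mac_randomized": session_mac is not None
        and is_locally_administered(session_mac),
    }


if __name__ == "__main__":
    # Constructed sample: certificate issued while the device used one MAC,
    # then the device rotated to a different randomized MAC on the next join.
    san = ["DA:11:22:33:44:55", "user@example.invalid"]
    print(mac_in_san_check(san, "DA-11-22-33-44-55"))  # match
    print(mac_in_san_check(san, "3E-11-22-33-44-66"))  # mismatch, randomized
```

A mismatch where `session_mac_randomized` is true is the signature of the problem the thread describes, and is the reason the condition is dropped for randomized endpoints rather than tightened.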

Accepted Solution

hslai
Cisco Employee

@bassomarco1998 No, we do not generally use GUID to base an authorization condition.

ISE BYOD has no good means to tie a GUID to a client device, unlike the 3rd-party MDM vendors who have implemented the ISE MDMv3 API and are the source of the GUIDs, so that ISE may use the GUID to look up the client devices and check their compliance status.


3 Replies

Greg Gibbs
Cisco Employee

For this particular ISE BYOD flow, the GUID is not used in AuthZ Policy. It is simply used in Context Visibility as a unique identifier for an endpoint that can present multiple different IP addresses due to the randomization.

bassomarco1998

Thanks @Greg Gibbs for your response. Could you please tell me if it is correct to use the GUID within AuthZ policy in general? What benefits would be derived from it? How can it be implemented? If it is not recommended, could you explain the reasons?
