Cisco BYOD device limitation per user group

Alitay1983 (Level 1)

Cisco ISE can limit the employee registered device to a number between 0 and 100.

Does ISE support limiting employee registered devices per group of users?

Example: users belonging to the Active Directory group "IT Users" are allowed 3 devices, while marketing users are allowed one device only?

3 Replies

Rahul Govindan (VIP Alumni)

Nope. I do not think there is a way to do an AD group based device limit; it's just a global limit. It was documented in this post on the Cisco community:

https://communities.cisco.com/community/technology/security/blog/2016/02/05/ise-my-devices-portal-operational-details

Appreciate your support and thanks for your patience.

In my case, I have two identity stores: OpenLDAP, which doesn't support MSCHAP but does support GTC, and AD.

iOS BYOD devices whose users' identities are stored in the LDAP weren't able to authenticate to the 802.1X SSID until I disabled MSCHAP. Disabling MSCHAP forced me to use dual SSID provisioning for BYOD Windows devices, since Windows doesn't support GTC by default. Can you think of an alternative solution that enables us to use a single SSID provisioning process for Apple, Android and Windows BYOD in this specific case?

Thanks in advance

Ok, that's tricky. But you could try this. Have a single authentication policy for Wireless 802.1X set with the option to authenticate with 2 identity stores. The first identity store can be OpenLDAP with GTC and the second the AD with PEAP and MSCHAP. You would have to set the condition for the LDAP store to continue if the user was not found or auth failed. What will happen is that the Windows devices will authenticate via OpenLDAP while mobile devices will fail auth via OpenLDAP and fall back into AD with MSCHAP. Also, since you are using a single SSID, you would have to create an identity store sequence for each condition to check for cert authentication as well after the cert has been provisioned.

Another simpler option is to use the AnyConnect supplicant for Windows, which supports EAP-GTC with LDAP. This way, both Windows and iOS devices can use EAP-GTC with LDAP without having to create complex policies for a single SSID. An example is here:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119149-configure-ise-00.html#anc10
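To make the "continue on user not found / auth failed" behaviour of an identity source sequence concrete, here is an added example (not from the thread or from Cisco ISE) that models how a two-store sequence decides which store validates a request. The store names, supported inner methods, user records and the `continue_*` flags are all constructed assumptions for illustration; a store that cannot process the offered inner method (OpenLDAP with MSCHAPv2) is treated as an authentication failure in that store.

```python
from dataclasses import dataclass

@dataclass
class IdentityStore:
    """Hypothetical identity store: which inner EAP methods it can validate
    and the users it holds (constructed sample data)."""
    name: str
    methods: frozenset
    users: dict  # username -> password

@dataclass
class SequenceStep:
    """One entry of an identity source sequence and its fall-through options."""
    store: IdentityStore
    continue_on_not_found: bool
    continue_on_auth_fail: bool

def authenticate(sequence, username, password, method):
    """Walk the sequence in order; return ('accept'|'reject', store_name).
    store_name is the store that decided, or None if every store fell through."""
    for step in sequence:
        store = step.store
        if method not in store.methods or store.users.get(username, object()) != password:
            # Unsupported method or wrong password both count as auth failure here.
            if username in store.users or method not in store.methods:
                if step.continue_on_auth_fail:
                    continue
                return ("reject", store.name)
            # User simply does not exist in this store.
            if step.continue_on_not_found:
                continue
            return ("reject", store.name)
        return ("accept", store.name)
    return ("reject", None)

# Constructed stores: OpenLDAP only validates EAP-GTC; AD handles MSCHAPv2 (and GTC, assumed).
OPENLDAP = IdentityStore("openldap", frozenset({"EAP-GTC"}), {"alice": "ldap-pw"})
AD = IdentityStore("ad", frozenset({"EAP-MSCHAPv2", "EAP-GTC"}), {"bob": "ad-pw"})

# Sequence as suggested in the reply: LDAP first, continue on not-found and on auth-fail.
FALLBACK = [SequenceStep(OPENLDAP, True, True), SequenceStep(AD, True, True)]
# Sequence resembling the original problem: an MSCHAPv2 failure in LDAP is final.
STRICT = [SequenceStep(OPENLDAP, True, False), SequenceStep(AD, True, False)]

if __name__ == "__main__":
    print(authenticate(FALLBACK, "alice", "ldap-pw", "EAP-GTC"))      # GTC user lands in LDAP
    print(authenticate(FALLBACK, "bob", "ad-pw", "EAP-MSCHAPv2"))     # falls through to AD
    print(authenticate(STRICT, "bob", "ad-pw", "EAP-MSCHAPv2"))       # rejected by LDAP
```

The `STRICT` run shows why disabling MSCHAP or adding the continue options was needed: without fall-through, a PEAP-MSCHAPv2 supplicant never reaches AD.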