01-28-2017 06:00 AM - edited 03-11-2019 12:24 AM
Cisco ISE can limit the employee registered device to a number between 0 and 100.
Does ISE support limiting employee registered devices per group of users?
e.g. users belonging to the Active Directory group "IT Users" are allowed 3 devices while marketing users are allowed one device only?
01-28-2017 06:48 AM
Nope. I do not think there is a way to do AD group based device limit, it's just a global limit. It was documented in this post on the Cisco community:
https://communities.cisco.com/community/technology/security/blog/2016/02/05/ise-my-devices-portal-operational-details
01-28-2017 06:59 AM
Appreciate your support and thank you for your patience.
In my case, I have two identity stores: OpenLDAP, which doesn't support MSCHAP but does support GTC, and AD.
iOS BYOD devices whose users' identities are stored in the LDAP weren't able to authenticate to the 802.1X SSID until I disabled MSCHAP. Disabling MSCHAP forced me to use dual SSID provisioning for BYOD Windows devices since Windows doesn't support GTC by default. Can you think of an alternative solution that enables us to utilize a single SSID provisioning process for Apple, Android and Windows BYOD in this specific case?
Thanks in advance
01-29-2017 05:47 AM
Ok, that's tricky. But you could try this. Have a single authentication policy for Wireless 802.1X set with the option to authenticate with 2 identity stores. The first identity store can be OpenLDAP with GTC and the second the AD with PEAP and MSCHAP. You would have to set the condition for the LDAP store to continue if the user was not found or auth failed. What will happen is that the Windows devices will authenticate via OpenLDAP while mobile devices will fail auth via OpenLDAP and fall back into AD with MSCHAP. Also, since you are using a single SSID, you would have to create an identity store sequence for each condition to check for cert authentication also after the cert has been provisioned.
Another simpler option is to use the AnyConnect supplicant for Windows, which supports EAP-GTC with LDAP. This way, both Windows and iOS devices can use EAP-GTC with LDAP without having to create complex policies for a single SSID. An example is here:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119149-configure-ise-00.html#anc10
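The fallback behaviour described in the accepted answer (OpenLDAP with GTC first, AD with MSCHAP second, and the "continue if user not found / auth failed" options deciding whether the second store is ever consulted) can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from Cisco ISE; the store names, the sample accounts and the three "continue on ..." switches are constructed assumptions that approximate ISE's identity source sequence options, and the rule that an LDAP store cannot process an EAP-MSCHAPv2 inner method is the reason the thread's iOS clients failed against OpenLDAP.

```python
# Added example (not from the thread or from Cisco ISE): a toy model of an
# identity source sequence, to show how "continue on user not found / auth fail /
# process fail" settings decide whether an EAP attempt falls through from an LDAP
# store to Active Directory.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SUCCESS, USER_NOT_FOUND, AUTH_FAIL, PROCESS_FAIL = (
    "success", "user_not_found", "auth_fail", "process_fail")


@dataclass
class IdentityStore:
    name: str
    inner_methods: Set[str]   # inner EAP methods the store can actually validate
    users: Dict[str, str]     # constructed sample accounts: username -> password

    def authenticate(self, user: str, password: str, method: str) -> str:
        # A directory holding hashed passwords cannot verify an MSCHAPv2
        # challenge/response, so that is a process failure, not a wrong password.
        if method not in self.inner_methods:
            return PROCESS_FAIL
        if user not in self.users:
            return USER_NOT_FOUND
        if self.users[user] != password:
            return AUTH_FAIL
        return SUCCESS


@dataclass
class IdentitySequence:
    stores: List[IdentityStore]
    # Assumed defaults: proceed to the next store on "user not found" and on a
    # store that cannot process the credential, but stop on a wrong password.
    continue_on_user_not_found: bool = True
    continue_on_auth_fail: bool = False
    continue_on_process_fail: bool = True

    def authenticate(self, user: str, password: str,
                     method: str) -> Tuple[bool, List[Tuple[str, str]]]:
        """Return (accepted, trail of (store, result)) for one EAP attempt."""
        trail: List[Tuple[str, str]] = []
        for store in self.stores:
            result = store.authenticate(user, password, method)
            trail.append((store.name, result))
            if result == SUCCESS:
                return True, trail
            keep_going = {
                USER_NOT_FOUND: self.continue_on_user_not_found,
                AUTH_FAIL: self.continue_on_auth_fail,
                PROCESS_FAIL: self.continue_on_process_fail,
            }[result]
            if not keep_going:
                break
        return False, trail


# Constructed sample stores and accounts (not real directories).
OPENLDAP = IdentityStore("OpenLDAP", {"EAP-GTC"}, {"alice": "ldap-pass"})
AD = IdentityStore("AD", {"EAP-MSCHAPv2", "EAP-GTC"}, {"bob": "ad-pass"})
SEQUENCE = IdentitySequence([OPENLDAP, AD])


def byod_outcomes(sequence: IdentitySequence = SEQUENCE) -> Dict[str, bool]:
    """Run the device/supplicant combinations from the thread through the sequence."""
    attempts = {
        # AnyConnect on Windows speaking EAP-GTC: validated directly by OpenLDAP.
        "windows-anyconnect-gtc/alice": ("alice", "ldap-pass", "EAP-GTC"),
        # Stock iOS PEAP inner method: OpenLDAP cannot process it, falls through to AD.
        "ios-mschapv2/bob": ("bob", "ad-pass", "EAP-MSCHAPv2"),
        # LDAP-only user on a stock supplicant: no store can validate MSCHAPv2 for her.
        "ios-mschapv2/alice": ("alice", "ldap-pass", "EAP-MSCHAPv2"),
        # Wrong password: AUTH_FAIL in OpenLDAP stops the sequence before AD is tried.
        "windows-anyconnect-gtc/alice-bad-pw": ("alice", "wrong", "EAP-GTC"),
    }
    return {label: sequence.authenticate(*args)[0] for label, args in attempts.items()}


if __name__ == "__main__":
    for label, ok in byod_outcomes().items():
        print(f"{label:40s} {'ACCEPT' if ok else 'REJECT'}")
```

The third case is the situation the original poster hit: a user who exists only in OpenLDAP and whose device speaks EAP-MSCHAPv2 is rejected by every store, so the fix has to change the inner method (EAP-GTC via AnyConnect, as the answer suggests) or move the account, not the sequence order. Flipping `continue_on_process_fail` to `False` shows the other failure mode: the AD-only user is then rejected as soon as OpenLDAP reports it cannot process MSCHAPv2.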