1939 Views | 0 Helpful | 3 Replies

Cisco ISE IOT/smart devices - Registration

Kleedje (Level 1)

Hello All,

 

We are struggling to find a solution for what we think is a quite common scenario.

We are implementing Cisco ISE and are facing our final epic boss battle with the furious pile of IOT/smart devices.

While implementing ISE we are focusing on keeping every device that accesses our network, in any way whatsoever, registered.

 

In this particular situation, clients, or patients, are 'living' here (with a separate room, bed etc.) and using our guest Wi-Fi network (monthly unique endpoints +/- 2700).
This is now the equivalent of the wild west: users and devices connect via a password and have open internet access, but most importantly open access within the whole network, hence Chromecasts etc.

 

Now comes the hardest part of this boss battle: the company does not want to withdraw this freedom of using Chromecasts and other smart devices, internet access and all the convenience it gives. Which is understandable, people are living their lives within our organization.

 

But how can we implement a solution within ISE that allows access to all those devices and also registers them within ISE as a known device/endpoint?

We've looked into ways of using the guest portal to let users add their own MAC addresses, which will grant them access.
And many other ways, but most of them are only theoretical and not technically available (as it seems).

 

Has anyone else faced this problem and found a solution?

 

Regards


3 Replies

hslai (Cisco Employee)

Hi Hslai,

 

Thank you for taking the time to reply.
Unfortunately we already use a similar configuration.

 

The specific problem we face is that not all the IoT devices can use, for example, a captive portal.

 

We are currently looking into creating a redirection profile which allows basic 'internet' connections for guests.
Then using the RESTful API to add those devices to an identity group.
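The API step described in the reply above, as an added example that is not part of the thread and not Cisco's code: a small Python helper that normalizes a guest device's MAC, refuses group (multicast/broadcast) addresses, resolves an endpoint identity group by name and creates the endpoint with a static group assignment through the ISE ERS API. It assumes ERS is enabled on the PAN (TCP 9060) with an account holding the ERS Admin role; the host, credentials and the group name `Guest-IoT` are placeholders, while the `/ers/config/endpointgroup` filter lookup and `POST /ers/config/endpoint` with an `ERSEndPoint` body are the documented ERS calls.

```python
"""Register a guest IoT endpoint into a Cisco ISE endpoint identity group via ERS.

Hypothetical helper for the "add those devices to an identity group" step;
not Cisco's code. Assumes ERS is enabled (TCP 9060) and the account has the
ERS Admin role. Host, credentials and the group name are placeholders.
"""
import base64
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request


def normalize_mac(raw: str) -> str:
    """Turn 'aabb.ccdd.eeff', 'aa-bb-cc-dd-ee-ff' or 'aa:bb:cc:dd:ee:ff'
    into the AA:BB:CC:DD:EE:FF form ISE stores; reject anything else."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_unicast_mac(mac: str) -> bool:
    """A group (multicast/broadcast) address can never be a real client;
    the I/G bit is the least significant bit of the first octet."""
    first_octet = int(mac.split(":")[0], 16)
    return first_octet & 0x01 == 0


def build_endpoint_payload(mac: str, group_id: str, description: str) -> dict:
    """Body for POST /ers/config/endpoint. staticGroupAssignment pins the
    endpoint to the group so profiling cannot move it out again."""
    return {
        "ERSEndPoint": {
            "name": mac,
            "mac": mac,
            "description": description,
            "groupId": group_id,
            "staticGroupAssignment": True,
        }
    }


class IseErs:
    """Minimal ERS client (basic auth, JSON) using only the standard library."""

    def __init__(self, host, username, password, cafile=None):
        self.base = f"https://{host}:9060/ers/config"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {
            "Authorization": f"Basic {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        }
        # Verify the ISE certificate; pass cafile for a private CA instead of disabling checks.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, headers=self.headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx, timeout=15) as resp:
            raw = resp.read()
            return resp.status, resp.headers, (json.loads(raw) if raw else None)

    def endpoint_group_id(self, name: str) -> str:
        """Resolve an endpoint identity group name to its ERS object id."""
        query = urllib.parse.quote(f"name.EQ.{name}")
        _, _, body = self._request("GET", f"/endpointgroup?filter={query}")
        resources = body["SearchResult"]["resources"]
        if not resources:
            raise LookupError(f"endpoint group {name!r} does not exist")
        return resources[0]["id"]

    def register_endpoint(self, raw_mac: str, group_name: str, description: str):
        """Create the endpoint; returns (HTTP status, Location URL of the new object).
        ISE answers 400 if the MAC already exists, which urllib raises as HTTPError."""
        mac = normalize_mac(raw_mac)
        if not is_unicast_mac(mac):
            raise ValueError(f"{mac} is a group address, refusing to register it")
        payload = build_endpoint_payload(mac, self.endpoint_group_id(group_name), description)
        status, headers, _ = self._request("POST", "/endpoint", payload)
        return status, headers.get("Location")


if __name__ == "__main__":
    # Placeholder values: replace with the real ISE PAN, an ERS admin account and your group name.
    ise = IseErs("ise-pan.example.internal", "ers-admin", "CHANGE_ME")
    try:
        # Constructed sample: the MAC from this thread, registered as a Chromecast in room 123.
        print(ise.register_endpoint("1234.5678.90ab", "Guest-IoT", "Chromecast, room 123"))
    except urllib.error.HTTPError as exc:
        print("ISE rejected the request:", exc.code, exc.read().decode(errors="replace"))
```

The static group assignment matters for the authorization policy: an endpoint created this way stays in the guest IoT group regardless of what the profiler later learns about it, so the rule granting it internet-only access keeps matching and the registration remains auditable under the description you stored.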


thomas (Cisco Employee)

I'm assuming you are talking about a 100% wireless solution.

I think the most elegant way to do this may be with the Cisco User Defined Network, but it requires Cisco DNAC and mobile phone apps for your users to manage their devices. This not only provides a registration mechanism but also segmentation between user-defined networks for security. This was originally developed for university dorms but your hospital scenario is very similar!

Trying to track and manage random patient (and their visitors') endpoint MAC addresses with PSK, mPSK, or iPSK would not scale or be friendly for the average hospital patient and staff. And none of them would help you to register and track that 12:34:56:78:90:ab belongs to Thomas in Room 123.

Have you looked into using the My Devices Portal option in ISE? Typically this is used to identify employees' personal endpoints, but it does have a registration screen, although I don't know how well this would work for IoT entertainment devices, so you would need to play with it.
