Cisco ISE use case/provisioning laptop or computers

Folks,

We have a use case of allowing laptops that are still in the provisioning stage to connect to the network. The challenge is that these laptops must, at a bare minimum, be able to reach the provisioning servers.


The testing and layout of our network is such that if the laptop is able to authenticate itself with 802.1x it gets the desired employee access. For this, the laptop already has the employee certificate and profiles.


If this is not the case, the laptop gets guest access, which means Internet only.


This does not work for a laptop under provisioning, i.e. it should not get Internet only. Any hints or suggestions on how we can overcome this use case?

 

Thanks,

N!!

Accepted Solution

Greg Gibbs (Cisco Employee)

This is a common issue with NAC-enabled environments due to the way Windows builds work and the fact that MS never implemented a way to enable 802.1x at an early stage in the build. See a similar discussion with some suggestions in this post.

PC Imaging on NAC secured ports  


6 Replies

balaji.bandi (Hall of Fame)
The testing and layout of our network is such that if the laptop is able to authenticate itself with 802.1x it gets the desired employee access. For this, the laptop already has the employee certificate and profiles.

ISE puts the device in the default VLAN. You can use a different VLAN for device provisioning: based on the device authentication, allocate the device to a different VLAN as an onboarding VLAN.

 

I assume you are looking for the device to connect to an SCCM server?

 

 

BB


Thanks for the response Balaji.

 

The challenge we have is that the default VLAN is considered the Guest VLAN, which is Internet access alone.

 

Unless I did not understand you well.

 

The other method we were thinking of is using an API: enter the MAC of the laptop to be provisioned through some API and build a list of such MAC addresses. Then a policy set assigns a VLAN for the provisioning.

 

Maybe any other method?

 

 

Thanks!!

 

N.

 

Which you can use for device provisioning based on the device authentication here allocate Device to different VLAN as on boarding VLAN.

My suggestion was the same as what you are thinking: a different VLAN, not the same as the default.

 

As you mentioned in the first post, does the device have a certificate? Yes or no.

 

If yes, you identify the device and send it to the different VLAN; if no, you need MAB authentication based on the MAC address and allocate it to the provisioning VLAN as the workflow.

 

BB


Sorry again for the delayed response.

 

The device will have no certificate as it will still be in the provisioning state.

 

The MAB-based approach is fine, but now we will have to assign MAC addresses manually.

thomas (Cisco Employee)

You will need to add ACL entries to your default VLAN that also permit access to your provisioning server(s).

Alternatively, some customers use open ports in physically secure rooms to provision servers.

You may also create temporary MAB exceptions if you know the devices, but that's not very dynamic. I've seen this temporary access called a "voucher". See https://developer.cisco.com/codeexchange/github/repo/obrigg/Vanilla-ISE

You could log in to the guest portal with an ISE internal user 'provisioning' account that allows internal access only to the necessary servers.

Many options here depending on what you find [un]acceptable.
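As an added example (not code from this thread, from Cisco, or from the Vanilla-ISE project linked above), the following script shows what the "enter the MAC through some API" idea from the original poster and the temporary MAB exception ("voucher") described in the reply above look like against the ISE ERS REST API: it normalizes the MAC, looks up an endpoint identity group, creates the endpoint pinned to that group, and can revoke it again once the build has enrolled its certificate. The PAN hostname, the ERS account, the group name "Provisioning" and the sample MACs are assumptions; the group would be matched by a MAB authorization rule that returns the provisioning VLAN or a dACL permitting only the provisioning servers.

```python
"""Issue and revoke a MAB 'voucher' for a laptop being imaged, via the Cisco ISE ERS API.

Added example, not from the thread or from Cisco. Assumed: PAN hostname, ERS admin
account, endpoint identity group name and sample MACs. ERS must be enabled on the
PAN (it listens on TCP 9060) and the account needs the ERS Admin role.
"""
import base64
import json
import re
import ssl
import urllib.parse
import urllib.request
from typing import Optional

ISE_HOST = "ise-pan.example.internal"   # assumption
ERS_USER = "ers-admin"                  # assumption: ISE internal user with the ERS Admin role
GROUP_NAME = "Provisioning"             # assumption: endpoint identity group used by the MAB rule


def normalize_mac(mac: str) -> str:
    """Return the MAC as AA:BB:CC:DD:EE:FF, the form ISE stores and filters on.

    Accepts colon, dash, Cisco dotted and bare forms; rejects anything that is
    not exactly 12 hex digits so a typo cannot create a junk endpoint.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def is_valid_mac(mac: str) -> bool:
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def endpoint_payload(mac: str, group_id: str, description: str) -> dict:
    """Body for POST /ers/config/endpoint. staticGroupAssignment pins the endpoint
    to the group so the profiler cannot move it out of the provisioning policy."""
    return {"ERSEndPoint": {
        "mac": normalize_mac(mac),
        "groupId": group_id,
        "staticGroupAssignment": True,
        "staticProfileAssignment": False,
        "description": description,   # record who issued the voucher and why
    }}


def parse_search_result(body: dict) -> Optional[str]:
    """Pull the first object id out of an ERS search response (SearchResult.resources)."""
    resources = body.get("SearchResult", {}).get("resources", [])
    return resources[0]["id"] if resources else None


class ErsClient:
    """Minimal JSON client for the few ERS calls needed here (urllib only)."""

    def __init__(self, host: str, user: str, password: str, ca_bundle: Optional[str] = None):
        self.base = f"https://{host}:9060/ers/config"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Accept": "application/json", "Content-Type": "application/json"}
        # Verify the PAN certificate (pass your internal CA bundle); do not turn verification off.
        self.ctx = ssl.create_default_context(cafile=ca_bundle)

    def _request(self, method: str, path: str, body: Optional[dict] = None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=15) as resp:
            raw = resp.read()
            return resp.status, resp.headers, (json.loads(raw) if raw else None)

    def group_id(self, name: str) -> Optional[str]:
        _, _, body = self._request("GET", "/endpointgroup?filter=name.EQ." + urllib.parse.quote(name))
        return parse_search_result(body)

    def endpoint_id(self, mac: str) -> Optional[str]:
        _, _, body = self._request("GET", "/endpoint?filter=mac.EQ." + urllib.parse.quote(normalize_mac(mac)))
        return parse_search_result(body)

    def add_endpoint(self, mac: str, group_id: str, description: str) -> str:
        """Create the endpoint; ERS answers 201 with the new object's URL in Location."""
        status, headers, _ = self._request("POST", "/endpoint", endpoint_payload(mac, group_id, description))
        if status != 201:
            raise RuntimeError(f"unexpected status {status}")
        return headers["Location"].rsplit("/", 1)[-1]

    def revoke_endpoint(self, mac: str) -> bool:
        """Delete the voucher once the laptop has its 802.1X certificate; False if it was not there."""
        eid = self.endpoint_id(mac)
        if eid is None:
            return False
        self._request("DELETE", f"/endpoint/{eid}")
        return True


if __name__ == "__main__":
    import getpass
    import sys
    client = ErsClient(ISE_HOST, ERS_USER, getpass.getpass("ERS password: "))
    gid = client.group_id(GROUP_NAME)
    if gid is None:
        sys.exit(f"endpoint group {GROUP_NAME!r} not found")
    print("created endpoint", client.add_endpoint(sys.argv[1], gid, "provisioning voucher, build team"))
```

Run it as `python voucher.py 00-11-22-33-44-55` from a host that can reach the PAN on 9060; pair it with a scheduled `revoke_endpoint()` call (or a ticketing hook) so vouchers expire rather than accumulating as permanent MAB bypasses, which is the main risk of any MAC-based exception.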

