Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3092
Views
5
Helpful
6
Replies

Cisco ISE use case/provisioning laptop or computers

Go to solution
network_geek1979
Level 1
Level 1

‎06-04-2021 07:06 AM

Folks,

We have this use case of allowing laptops which are in provisioning stages to be connected to the network. The challenge is that these laptops must reach the provisioning servers bare minimum.


The testing and layout of our network is such that if the laptop is able to authenticate itself with 802.1x it gets the desired employee access. For this, the laptop already has the employee certificate and profiles.


If this is not the case the laptop get a guest access which means internet only.


This is not the same with a laptop under provisioning i.e. it should not get Internet only. Any hints or suggestions how we can overcome this use case?

 

Thanks,

N!!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎06-06-2021 05:10 PM

This is a common issue with NAC-enabled environments due to the way Windows builds work and the fact that MS never implemented a way to enable 802.1x at an early stage in the build. See a similar discussion with some suggestions in this post.

PC Imaging on NAC secured ports  

View solution in original post

0 Helpful
6 Replies 6

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎06-04-2021 07:20 AM - edited ‎06-04-2021 07:21 AM 

The testing and layout of our network is such that if the laptop is able to authenticate itself with 802.1x it gets the desired employee access. For this, the laptop already has the employee certificate and profiles.

ISE put the device in default VLAN, which you can use for device provisioning based on the device authentication here allocate Device to different VLAN as on boarding VLAN.

 

Hope you looking the device to connect SCCM Server ?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
network_geek1979
Level 1
Level 1
In response to balaji.bandi

‎06-04-2021 08:28 AM

Thanks for the response Balaji.

 

The challenge we have is that the default VLAN is considered as the Guest VLAN which is internet access alone.

 

Unless I did not understand you well.

 

The other method we were thinking is using any API's? Enter the MAC of the laptop to be provisioned through some API and create a list of such MAC address. Then this policy set get a assigned VLAN for the provisioning.

 

Maybe any other method?

 

 

Thanks!!

 

N.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to network_geek1979

‎06-04-2021 09:51 AM

 

Which you can use for device provisioning based on the device authentication here allocate Device to different VLAN as on boarding VLAN.

My suggestion was the same as you thinking different VLAN not the same as the default.

 

As you mentioned the First post the device has Certificate? yes or no.

 

if yes you identified the device to send the different VLAN, if no you need to MAB authentication with MAC Address based and allocated to provision VLAN as workflow.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
network_geek1979
Level 1
Level 1
In response to balaji.bandi

‎06-10-2021 11:37 PM

Sorry again for the delayed response.

 

The device will have no certificate as it will still be in the provisioning state.

 

The MAB based is fine, but now we will have to assign MAC addresses manually.

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎06-06-2021 04:18 PM - edited ‎06-06-2021 04:20 PM

You will need to add ACL entry(s) to your default VLAN that also permits access to your provisioning server(s). 

Alternatively, some customers use open ports in physically secure rooms to provision servers.

You may also create temporary MAB exceptions if you know the devices but that's not very dynamic. I've seen this temporary access called a "voucher". See https://developer.cisco.com/codeexchange/github/repo/obrigg/Vanilla-ISE

You could login to the guest portal with an ISE internal user 'provisioning' account that allows internal access only to the necessary servers.

Many options here depending on what you find [un]acceptable.

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎06-06-2021 05:10 PM

This is a common issue with NAC-enabled environments due to the way Windows builds work and the fact that MS never implemented a way to enable 802.1x at an early stage in the build. See a similar discussion with some suggestions in this post.

PC Imaging on NAC secured ports  

0 Helpful
Customers Also Viewed These Support Documents
Top