Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
662
Views
0
Helpful
2
Replies

Cisco ISE version 1.2 (corporate owned)

janncarlopucan
Level 1
Level 1

‎11-20-2013 10:37 PM - edited ‎03-10-2019 09:07 PM

Hi Guys,

We are deploying Cisco ISE with version 1.2, one of  our requirement is to identify the corporate and personally owned  devices. Is there a feature in ISE with this requirement? Thanks.

Labels:
0 Helpful
2 Replies 2

aqjaved
Level 3
Level 3

‎11-21-2013 07:08 AM

The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. It offers authenticated network access, profiling, posture, BYOD device onboarding (native supplicant and certificate provisioning), guest management, and security group access services along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE is available on two physical appliances with different performance characterization, and also as a software that can be run on a VMware server. You can add more appliances to a deployment for performance, scale, and resiliency.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also allows for configuration and management of distinct personas and services. This feature gives you the ability to create and apply services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.

For More information please visit:

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_overview.html

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎11-24-2013 03:29 AM

To identify a device as a corporate or non-corporate device requires something, say a credential, which is locked to that

particular device. While common wisdom suggests attaching a certificate to a non-corporate device, the more logical choice is to lock a credential to the corporate device and assume all other devices are non-corporate devices.

One solution is EAP Chaining which uses a machine certificate or a machine username / password locked to the device

through the Microsoft domain enrollment process. When the device boots, it is

authenticated to the network using 802.1X.

When the user logs onto the device, the session information from the machine authentication and the user credentials are sentup to the network as part of the same user authentication. The combination of the two i

ndicates that the device belongs to the

corporation and the user is an employee.

If the device is not a member of the domain, then the machine authentication fails and the device is not a corporate device. If the device does not support EAP Chaining, then

the device is also not a corporate device. In either case, the result would be

to treat these devices differently than the corporate device. That could be limited access for employee owned devices and outto the Internet for non-employee devices depending

on corporate policy

0 Helpful
Customers Also Viewed These Support Documents