11-20-2013 10:37 PM - edited 03-10-2019 09:07 PM
Hi Guys,
We are deploying Cisco ISE version 1.2, and one of our requirements is to identify corporate and personally owned devices. Is there a feature in ISE for this requirement? Thanks.
11-21-2013 07:08 AM
The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. It offers authenticated network access, profiling, posture, BYOD device onboarding (native supplicant and certificate provisioning), guest management, and security group access services, along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE is available on two physical appliances with different performance characterization, and also as software that can be run on a VMware server. You can add more appliances to a deployment for performance, scale, and resiliency.
Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also allows for configuration and management of distinct personas and services. This feature gives you the ability to create and apply services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.
For more information, please visit:
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_overview.html
11-24-2013 03:29 AM
To identify a device as a corporate or non-corporate device requires something, say a credential, which is locked to that particular device. While common wisdom suggests attaching a certificate to a non-corporate device, the more logical choice is to lock a credential to the corporate device and assume all other devices are non-corporate devices.
One solution is EAP Chaining, which uses a machine certificate or a machine username/password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X.
When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
If the device is not a member of the domain, then the machine authentication fails and the device is not a corporate device. If the device does not support EAP Chaining, then the device is also not a corporate device. In either case, the result would be to treat these devices differently than the corporate device. That could be limited access for employee-owned devices and out to the Internet for non-employee devices, depending on corporate policy.
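The decision logic from the answer above, written out as an added example (not Cisco's code and not from the original post): each constructed session carries the chaining outcome as an authorization attribute, and only a device whose domain-bound machine credential authenticated in the same EAP session is treated as corporate. The attribute name `Network Access:EapChainingResult` and its string values are assumptions, and the profile names are hypothetical.

```python
# Added example modelled on the EAP Chaining decision described above.
# Sessions are constructed; the attribute name and its values are assumed;
# the authorization profile names are hypothetical.

BOTH_OK = "User and machine both succeeded"
USER_ONLY = "User succeeded and machine failed"
MACHINE_ONLY = "User failed and machine succeeded"
BOTH_FAIL = "User and machine both failed"
NO_CHAINING = "No chaining"

CORP_FULL = "Corp-Full-Access"        # corporate device, employee logged on
CORP_MACHINE = "Corp-Machine-Access"  # corporate device at boot, no user yet
EMPLOYEE_BYOD = "Employee-Limited"    # employee on a personally owned device
INTERNET_ONLY = "Internet-Only"       # non-employee or unknown: least privilege


def classify(session):
    """Return (device_class, profile) for one authentication session.

    A device is corporate only when the machine credential bound to it by
    domain enrollment authenticated in this EAP session; the user result then
    decides how much access a personal device gets. Unexpected input fails closed.
    """
    result = session.get("Network Access:EapChainingResult", NO_CHAINING)
    if result == BOTH_OK:
        return "corporate", CORP_FULL
    if result == MACHINE_ONLY:
        return "corporate", CORP_MACHINE
    if result == USER_ONLY:
        # not domain-joined, but a valid employee credential: limited access
        return "personal", EMPLOYEE_BYOD
    if result == NO_CHAINING and session.get("user_auth_ok") is True:
        # supplicant cannot chain at all, so it can never prove it is corporate
        return "personal", EMPLOYEE_BYOD
    # BOTH_FAIL, no chaining without a user result, or an unrecognised value
    return "personal", INTERNET_ONLY


def authorize_all(sessions):
    """Evaluate every session; returns (endpoint, device_class, profile) rows."""
    return [(s["endpoint"],) + classify(s) for s in sessions]


# Constructed sample sessions shaped like ISE authorization attributes.
SAMPLE_SESSIONS = [
    {"endpoint": "laptop-01", "Network Access:EapChainingResult": BOTH_OK},
    {"endpoint": "laptop-02", "Network Access:EapChainingResult": MACHINE_ONLY},
    {"endpoint": "phone-01", "Network Access:EapChainingResult": USER_ONLY},
    {"endpoint": "tablet-01", "user_auth_ok": True},  # supplicant without chaining
    {"endpoint": "visitor-01", "Network Access:EapChainingResult": BOTH_FAIL},
    {"endpoint": "odd-01", "Network Access:EapChainingResult": "Unexpected"},
]

if __name__ == "__main__":
    for row in authorize_all(SAMPLE_SESSIONS):
        print(*row)
```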