Cisco Employee

Identify corporate Macbook for VPN access

How can we use ISE to ensure that only a company-provided Mac laptop would be allowed to join the network via VPN, and reject non-corporate MacBooks?

The customer's concern is that admin rights can allow the certificate to be extracted and used on non-corporate devices.

This is a whole end-to-end Cisco solution for which we need to do a POC (ISE + AnyConnect + ASA).

I would like to propose two solutions for customer reference; please let me know if they are feasible or whether there are any detailed pros/cons.

1) Double cert auth (cert + smartcard/token); this will need integration with a smartcard/token vendor.

2) Cert auth + MAC address/BIOS serial posture check; based on HostScan, it will input the MAC address/serial number to ASA/ISE in advance.

Any comments are appreciated.

Accepted Solution
Cisco Employee

Re: Identify corporate Macbook for VPN access

Like you said, certs can be exported if the user is admin. I don't think a smart card would help in this scenario either, because a CAC / smartcard is usually integrated via USB, which could also be ported to a non-company-owned asset. The best solution, as Paul brought up, would be the use of an MDM solution.

Regards,

-Tim

6 Replies
VIP Advocate

Re: Identify corporate Macbook for VPN access

Are they using an MDM like JAMF to manage the Macs? If so, then you could explore an integration between ISE and JAMF to verify the Mac is registered. I am not a JAMF expert, but I know this seems to be the de facto MDM many customers use for Mac management. I see ISE referenced in their 9.99 release notes.

http://docs.jamf.com/9.99.0/casper-suite/release-notes/What's_New_in_This_Release.html

Beginner

Re: Identify corporate Macbook for VPN access

Hi Paul,

Thanks for the information. I'm currently in the same situation as Qingguo, and the customer is asking whether JAMF is the recommended solution with regards to MDM. Would we be able to elaborate to them on just what policy JAMF uses to identify corporate MacBooks without a cert, and how Cisco ISE utilizes that to verify that the Mac is registered as a corporate device?

Also, they would like to know if there's any way ISE is able to prevent users from upgrading to the latest Mac OS released by Apple, and if not, what the likelihood is that a Mac OS upgrade might break the ISE agent's compatibility support matrix.

VIP Advocate

Re: Identify corporate Macbook for VPN access

I am by no means a Mac OS person, so I may not be able to answer all the questions here, but here is what I know from my experience. JAMF seems to be a very popular management solution for Macs. In their 9.99 release notes they added support for ISE MDM API v2:

http://docs.jamf.com/9.99.0/casper-suite/release-notes/What's_New_in_This_Release.html

I have never done a JAMF to Cisco ISE MDM integration, so I am not sure what details you can get from that integration. I am not sure if OS version is a piece of information you get or not. You may be able to get the OS version from the posture module, but I haven't tried it.

The key reason JAMF has been used in my installs is to configure the Macs to present PEAP AD computer credentials as a means to authenticate the Macs. In most cases I do PEAP computer authentication as the means to ensure the attaching device is a managed asset. This is a trivial task on Windows devices. You can configure the Macs to do the exact same thing, but it is not a trivial task. There are methods to do it manually or using Apple's OS X Server MDM (can't remember the name), but JAMF makes the process easier.

At the end of the day if you get PEAP computer auth working on the Macs you are treating them identically to the Windows domain joined devices.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Cisco Employee

Re: Identify corporate Macbook for VPN access

There is no way for ISE or posture to block OS upgrades from taking place.

Beginner

Re: Identify corporate Macbook for VPN access

Thanks for your responses Paul and Jason!
