Identify Corporate MacOS from VPN,Wired,Wireless using ISE as Radius Server

Hi All,

Is there a way to identify corporate macOS vs. non-corporate macOS machines? We are using ISE as the RADIUS server for our VPN, wired and wireless connections, with login using username. We wanted to limit the clients to only use macOS machines provided by the company and not allow connections from non-corporate macOS machines.

Accepted Solutions
VIP Collaborator

Re: Identify Corporate MacOS from VPN,Wired,Wireless using ISE as Radius Server

A couple of options to accomplish your goal:
- You could deploy specific VPN profiles with unique tunnel group names and do a match in your client provisioning policy utilizing Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS <your tunnel group name>.
- Determine a piece of corporate software that you could set up a posture check on to determine that the host is truly a corporate machine.
- Utilize other conditions in client provisioning policy that do a check against your identity source to determine if it is truly a corporate asset.

I would recommend thinking about how your corporate machines are unique and how you can determine that they are unique & truly your asset. Good luck & HTH!

Cisco Employee

Re: Identify Corporate MacOS from VPN,Wired,Wireless using ISE as Radius Server


@Mike.Cifelli wrote:
A couple of options to accomplish your goal:
- You could deploy specific VPN profiles with unique tunnel group names and do a match in your client provisioning policy utilizing Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS <your tunnel group name>.
- Determine a piece of corporate software that you could set up a posture check on to determine that the host is truly a corporate machine.
- Utilize other conditions in client provisioning policy that do a check against your identity source to determine if it is truly a corporate asset.

I would recommend thinking about how your corporate machines are unique and how you can determine that they are unique & truly your asset. Good luck & HTH!

Right, unlike Windows, this information is not available as a machine auth or user auth. Perhaps you can deploy JAMF? Or EAP-TLS only for corporate machines to use certificate auth, and non-corporate only allowed to use user/password?
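
For the tunnel-group option in the accepted answer, it helps to see what the Tunnel-Group-Name condition matches on the wire when checking a packet capture. The following is an added example, not part of the original thread and not Cisco code: it extracts that vendor-specific attribute from a raw RADIUS packet, assuming vendor ID 3076 and attribute number 146 for the Cisco-VPN3000 dictionary; the function names, the sample user name and the group name CORP-MAC-VPN are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26             # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_VPN3000_VENDOR_ID = 3076   # assumed vendor ID of the Cisco-VPN3000 dictionary
TUNNEL_GROUP_NAME = 146          # assumed number of CVPN3000/ASA/PIX7x-Tunnel-Group-Name

def iter_tlv(buf):
    """Yield (type, value) for each 1-byte type / 1-byte length attribute in buf."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = buf[pos], buf[pos + 1]
        if a_len < 2 or pos + a_len > len(buf):
            raise ValueError("bad attribute length")
        yield a_type, buf[pos + 2:pos + a_len]
        pos += a_len

def tunnel_group_name(packet):
    """Return the tunnel group name carried in a RADIUS packet, or None if absent."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not fit the packet")
    for a_type, value in iter_tlv(packet[20:length]):
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if int.from_bytes(value[:4], "big") != CISCO_VPN3000_VENDOR_ID:
            continue
        for v_type, v_value in iter_tlv(value[4:]):
            if v_type == TUNNEL_GROUP_NAME:
                return v_value.decode("utf-8", "replace")
    return None

def matches_corporate_profile(packet, expected_group):
    """Exact string comparison, mirroring an EQUALS condition on the attribute."""
    return tunnel_group_name(packet) == expected_group

def build_sample(group):
    """Constructed Access-Request (zeroed authenticator) for user 'alice'."""
    def attr(t, v):
        return bytes([t, len(v) + 2]) + v
    vsa = struct.pack("!I", CISCO_VPN3000_VENDOR_ID) + attr(TUNNEL_GROUP_NAME, group.encode())
    attrs = attr(1, b"alice") + attr(VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(tunnel_group_name(build_sample("CORP-MAC-VPN")))
```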