1904 Views, 10 Helpful, 2 Replies

Identify Corporate MacOS from VPN, Wired, Wireless using ISE as RADIUS Server

misinsuan2229 (Level 1)

Hi All,

Is there a way to identify a corporate MacOS machine vs. a non-corporate MacOS machine? We are using ISE as the RADIUS server for our VPN, Wired and Wireless connections, with login using username. We wanted to limit the clients to only MacOS machines provided by the company and not allow connections from non-corporate MacOS.

Accepted Solution

Mike.Cifelli (VIP Alumni)
A couple of options to accomplish your goal:
- You could deploy specific VPN profiles with unique tunnel group names and do a match in your client provisioning policy utilizing Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS <your tunnel group name>.
- Determine a piece of corporate software that you could set up a posture check on to determine that the host is truly a corporate machine.
- Utilize other conditions in your client provisioning policy that do a check against your identity source to determine if it is truly a corporate asset.
I would recommend thinking about how your corporate machines are unique and how you can determine that they are unique & truly your asset. Good luck & HTH!


2 Replies



@Mike.Cifelli wrote: (quoting the accepted answer above)

Right, unlike Windows, this information is not available as a machine auth or user auth. Perhaps you can deploy JAMF? Or EAP-TLS only for corporate machines, to use certificate auth, and non-corporate machines only allowed to use user/password?
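As an added example (not from this thread and not Cisco's code), here is a small Python model of the first-match authorization logic the two replies describe: EAP-TLS with a certificate from the corporate CA, the tunnel group match, and a posture result, evaluated top-down the way an ISE policy set is. Apart from the Tunnel-Group-Name attribute quoted in the answer, the attribute names, the CA name and the tunnel group name are assumptions, and the sessions are constructed samples.

```python
"""Toy first-match evaluator for the ISE authorization ideas in this thread.
Attribute names (except TUNNEL_GROUP), CA and tunnel group names are assumed."""
from typing import Callable

Session = dict[str, str]
Rule = tuple[str, Callable[[Session], bool], str]

TUNNEL_GROUP = "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name"  # quoted in the answer
CORP_ISSUER_CN = "Example Corp Issuing CA"  # assumed corporate PKI issuer
CORP_TUNNEL_GROUP = "CORP-MAC"              # assumed corporate-only tunnel group


def corp_mac_cert(s: Session) -> bool:
    """Certificate auth (EAP-TLS) with a cert issued by the corporate CA."""
    return (s.get("Network Access:EapAuthentication") == "EAP-TLS"
            and s.get("CERTIFICATE:Issuer - Common Name") == CORP_ISSUER_CN)


def corp_vpn_profile(s: Session) -> bool:
    """VPN session came in via the corporate tunnel group (client-chosen, so never alone)."""
    return s.get(TUNNEL_GROUP) == CORP_TUNNEL_GROUP


def compliant(s: Session) -> bool:
    return s.get("Session:PostureStatus") == "Compliant"  # e.g. corporate agent found


# Evaluated top-down like an ISE policy set; the first matching rule wins.
RULES: list[Rule] = [
    ("Corp cert + compliant", lambda s: corp_mac_cert(s) and compliant(s), "PermitAccess"),
    ("Corp cert, posture pending", corp_mac_cert, "Posture_Remediation"),
    ("Corp VPN profile + compliant", lambda s: corp_vpn_profile(s) and compliant(s), "PermitAccess"),
    ("Corp VPN profile, posture pending", corp_vpn_profile, "Posture_Remediation"),
    ("Default", lambda s: True, "DenyAccess"),  # password-only or foreign cert lands here
]


def authorize(session: Session) -> tuple[str, str]:
    """Return (matched rule name, authorization profile) for one session."""
    for name, cond, profile in RULES:
        if cond(session):
            return name, profile
    raise RuntimeError("unreachable: the Default rule always matches")


# Constructed sample sessions, one per case discussed in the thread.
SAMPLES: dict[str, Session] = {
    "corp_wired": {"Network Access:EapAuthentication": "EAP-TLS",
                   "CERTIFICATE:Issuer - Common Name": CORP_ISSUER_CN, "Session:PostureStatus": "Compliant"},
    "corp_vpn_new": {TUNNEL_GROUP: CORP_TUNNEL_GROUP, "Session:PostureStatus": "NotApplicable"},
    "byod_password": {"Network Access:EapAuthentication": "PEAP", "Session:PostureStatus": "Compliant"},
    "foreign_cert": {"Network Access:EapAuthentication": "EAP-TLS",
                     "CERTIFICATE:Issuer - Common Name": "Other CA", "Session:PostureStatus": "Compliant"},
}
```

Run `authorize(SAMPLES["byod_password"])` to see the password-only Mac fall through to the Default deny rule, while a corporate certificate or corporate tunnel group without posture is sent to remediation instead of being denied.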