cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1851
Views
10
Helpful
2
Replies

Identify Corporate MacOS from VPN,Wired,Wireless using ISE as Radius Server

misinsuan2229
Beginner
Beginner

Hi All,

 

Is there a way to identify corporate MacOS vs non-corporate MacOS machine? We are using ISE as radius server for our VPN, Wired and Wireless connection with login using username. We wanted to limit the clients to only use MacOS provided by the company and not allow connection for non-corporate MacOS.

1 Accepted Solution

Accepted Solutions

Mike.Cifelli
VIP Alumni
VIP Alumni
A couple of options to accomplish your goal:
-You could deploy specific VPN profiles with unique tunnel group names and do a match in your client provisioning policy utilizing Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS <your tunnel group name>.
-Determine a piece of corporate software that you could setup a posture check on to determine that the host is truly a corporate machine
-Utilize other conditions in client provisioning policy that do a check against your identity source to determine if truly a corporate asset
I would recommend thinking about how your corporate machines are unique and how you can determine that they are unique & truly your asset. Good luck & HTH!

View solution in original post

2 Replies 2

Mike.Cifelli
VIP Alumni
VIP Alumni
A couple of options to accomplish your goal:
-You could deploy specific VPN profiles with unique tunnel group names and do a match in your client provisioning policy utilizing Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS <your tunnel group name>.
-Determine a piece of corporate software that you could setup a posture check on to determine that the host is truly a corporate machine
-Utilize other conditions in client provisioning policy that do a check against your identity source to determine if truly a corporate asset
I would recommend thinking about how your corporate machines are unique and how you can determine that they are unique & truly your asset. Good luck & HTH!


@Mike.Cifelli wrote:
A couple of options to accomplish your goal:
-You could deploy specific VPN profiles with unique tunnel group names and do a match in your client provisioning policy utilizing Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS <your tunnel group name>.
-Determine a piece of corporate software that you could setup a posture check on to determine that the host is truly a corporate machine
-Utilize other conditions in client provisioning policy that do a check against your identity source to determine if truly a corporate asset
I would recommend thinking about how your corporate machines are unique and how you can determine that they are unique & truly your asset. Good luck & HTH!

Right unlike windows this information is not available as a machine auth or user auth. Perhaps you can deploy JAMF? or EAP-TLS only for corporate machines to use certificate auth? and not corporate only allowed to use user/password?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: