09-25-2012 10:18 AM - edited 03-10-2019 07:35 PM
Working on building an ISE 1.1.1 system to match our internal security policies, and have hit a dilemma. Here goes:
The requirement states that there need to be differing network authorization profiles for different device types: Domain PCs, Non-Domain Workstations, iPads, and iPhone/Android Phones. Also, all (other than IP Phones and printers) endpoints must be self-registered by the user (My Devices workflow in CWA) who operates them so they appear in the My Device Portal.
In the authorization rules, there appears to be no way to create an authorization rule to match a "profiled workstation" AND a "registered device".
This is because within ISE, any endpoint that is "registered" joins the RegisteredDevices Identity Group, and is no longer a part of the configured identity group created by the profiling system. For instance, a profiled Win7-Workstation is a member of the profiler-created Workstation IG until it is registered, then it becomes a member of the RegisteredDevices Identity Group.
So basically, it appears ISE does not support per-device-type (from profiler) authorization rules *while also* supporting device registration ("My Devices").
Or am I missing something?
11-06-2012 07:42 AM
Hi,
The snip that you posted is if you choose to register the BYOD device to your corporate network. This helps distinguish your guest mobile devices from your internally registered employee BYOD devices. Your typical guest devices will land on the guest SSID and either accept the AUP or authenticate with provided credentials or self-register. However, when an employee brings their BYOD and they try to access the internal SSID, that is where you can direct them to the native supplicant provisioning portal and stick them into the registerDevices endpoint group.
Thanks
Tarik Admani
*Please rate helpful posts*