Working on building an ISE 1.1.1 system to match our internal security policies, and have hit a dilemma. Here goes:
The requirement states that there need to be differing network authorization profiles for different device types: Domain PCs, Non-Domain Workstations, iPads, and iPhone/Android Phones. Also, all (other than IP Phones and printers) endpoints must be self-registered by the user (My Devices workflow in CWA) who operates them so they appear in the My Device Portal.
In the authorization rules, there appears to be no way to create an authorization rule to match a "profiled workstation" AND a "registered device".
This is because within ISE, any endpoint that is "registered" joins the RegisteredDevices Identity Group, and is no longer a part of the configured identity group created by the profiling system. For instance, a profiled Win7-Workstation is a member of the profiler-created Workstation IG until it is registered, then it becomes a member of the RegisteredDevices Identity Group.
So basically, it appears ISE does not support per-device-type (from profiler) authorization rules *while also* supporting device registration ("My Devices").
Or am I missing something?