Beginner

ISE 2.2 only allow corp issued devices on SSID

Hi,

I was reading an older post that says "you have two options to do that, either import all mac address to ISE and have your policy look into this endpoint group with username or have an MDM"

The MAC address thing doesn't scale and isn't the best approach for a large environment. If MDM isn't available to me...

With 2.2, I want to know if there is a way I can look at the authentication of the Windows laptop and, if it is performing machine auth, allow access, because that means it is a domain-joined laptop.

ACCEPTED SOLUTION
Cisco Employee

Re: ISE 2.2 only allow corp issued devices on SSID

Fahad,

You are describing a basic Machine Authentication scenario which is based on AD Domain Computers.

This is very easy to do and you do not need to rely on the MAC address or an MDM!

Ensure that you have added the Domain Computers group in your ISE Active Directory Groups tab:

[Screenshot: Screen Shot 2017-03-28 at 6.58.15 AM.png (ISE Active Directory Groups tab)]

Now simply create an authorization rule that matches your Domain Computers group:

  <domain>:ExternalGroups Equals <domain>/Users/Domain Computers


[Screenshot: Screen Shot 2017-03-28 at 7.13.51 AM.png (authorization rule)]

and assign the appropriate Authorization result to provide the appropriate network access.

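To make concrete what that single authorization rule does and does not match, here is an added example (not from the original post, and not Cisco's code) that models the rule in Python and evaluates it over constructed ISE authentication records. The join point name corp.example.com, the record fields and the sample identities are assumptions. The point worth seeing: the rule keys purely on the ExternalGroups attribute ISE retrieves for the authenticated identity, so a user who types personal AD credentials on a non-domain laptop is denied (their groups are user groups, not Domain Computers), MAB sessions are denied (no AD group lookup happens), and a machine identity whose group retrieval returned nothing is also denied. The rule does not look at the host/ prefix of the identity at all.

```python
"""Model of the 'Domain Computers' authorization rule from the accepted answer,
evaluated against constructed ISE authentication records.
Added example; not code from the original post or from Cisco ISE."""
from dataclasses import dataclass, field

# Assumed AD join point name; substitute the name shown under
# Administration > Identity Management > External Identity Sources > Active Directory.
JOIN_POINT = "corp.example.com"
DOMAIN_COMPUTERS = f"{JOIN_POINT}/Users/Domain Computers"


@dataclass
class AuthRecord:
    """Subset of the fields an ISE RADIUS authentication record carries (assumed shape)."""
    user_name: str                      # identity presented in EAP, e.g. host/PC01.corp.example.com
    auth_protocol: str                  # e.g. "EAP-TLS", "PEAP (EAP-MSCHAPv2)", "Lookup" for MAB
    external_groups: list[str] = field(default_factory=list)   # <joinpoint>:ExternalGroups


def is_machine_identity(user_name: str) -> bool:
    """Windows supplicants present machine credentials as host/<fqdn>
    or as the computer account <NAME>$. Informational only; the rule ignores this."""
    return user_name.lower().startswith("host/") or user_name.endswith("$")


def authorize(rec: AuthRecord) -> str:
    """Apply the single rule from the answer:
        <joinpoint>:ExternalGroups EQUALS <joinpoint>/Users/Domain Computers -> PermitAccess
    Anything that does not match falls through to a DenyAccess default rule.
    AD group names are case-insensitive, so the comparison is case-insensitive too."""
    target = DOMAIN_COMPUTERS.casefold()
    if any(g.casefold() == target for g in rec.external_groups):
        return "PermitAccess"
    return "DenyAccess"


def evaluate(records: list[AuthRecord]) -> dict[str, str]:
    """Map each record's identity to the authorization result it would receive."""
    return {r.user_name: authorize(r) for r in records}


# Constructed sample records, not real log data.
SAMPLES = [
    # Domain-joined laptop doing machine auth: the computer account is in Domain Computers.
    AuthRecord("host/PC01.corp.example.com", "EAP-TLS",
               [f"{JOIN_POINT}/Users/Domain Computers", f"{JOIN_POINT}/Users/Laptops"]),
    # Same result regardless of the letter case AD returns.
    AuthRecord("PC02$", "PEAP (EAP-MSCHAPv2)", [f"{JOIN_POINT}/users/domain computers"]),
    # Personal laptop, user typed their own AD credentials: user groups, not computer groups.
    AuthRecord("jdoe", "PEAP (EAP-MSCHAPv2)", [f"{JOIN_POINT}/Users/Domain Users"]),
    # MAB fallback: no AD lookup is performed, so ExternalGroups is empty.
    AuthRecord("00-11-22-33-44-55", "Lookup", []),
    # Machine identity, but group retrieval returned nothing: the rule keys on the
    # attribute, not on the host/ prefix, so this is still denied.
    AuthRecord("host/PC03.corp.example.com", "EAP-TLS", []),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        kind = "machine" if is_machine_identity(rec.user_name) else "user/endpoint"
        print(f"{rec.user_name:30} {rec.auth_protocol:20} {kind:13} -> {authorize(rec)}")
```

Run it as a script to see the per-record decisions; the two host/ records side by side show why checking the ExternalGroups attribute (as the answer does) is what actually enforces "domain-joined", and why an empty group list from a failed lookup denies rather than permits.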

2 REPLIES
Enthusiast

Re: ISE 2.2 only allow corp issued devices on SSID

Have a look at the following link. The feature you are looking for is called PassiveID: ISE Design & Integration Guides
