cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
705
Views
0
Helpful
2
Replies

ISE 2.2 only allow corp issued devices on SSID

ffadhilpi
Beginner
Beginner

Hi,

I was reading an older post that says "you have two options to do that, either import all mac address to ISE and have your policy look into this endpoint group with username or have an MDM"

the MAC address thing doesn't scale and not the best approach for a large environment. if MDM isn't available to me.....

With 2.2 I want to know if there is a way that I can look at the authentication of the windows laptop and if it is performing Machine auth then allow access because that means it is a domain joined laptop.

1 Accepted Solution

Accepted Solutions

thomas
Cisco Employee
Cisco Employee

Fahad,

You are describing a basic Machine Authentication scenario which is based on AD Domain Computers.

This is very easy to do and you do not need to rely on the MAC address or an MDM!

Ensure that you have added the Domain Computers group in your ISE Active Directory Groups tab :

Screen Shot 2017-03-28 at 6.58.15 AM.png

Now simply create an authorization rule that matches your Domain Computers group

  <domain>:ExternalGroups Equals <domain>/Users/Domain Computers


Screen Shot 2017-03-28 at 7.13.51 AM.png

and assign the appropriate Authorization result to provide the appropriate network access.

View solution in original post

2 Replies 2

Oliver Laue
Enthusiast
Enthusiast

have a look at the following link. The feature you are looking for is called PassiveID ISE Design &amp; Integration Guides

thomas
Cisco Employee
Cisco Employee

Fahad,

You are describing a basic Machine Authentication scenario which is based on AD Domain Computers.

This is very easy to do and you do not need to rely on the MAC address or an MDM!

Ensure that you have added the Domain Computers group in your ISE Active Directory Groups tab :

Screen Shot 2017-03-28 at 6.58.15 AM.png

Now simply create an authorization rule that matches your Domain Computers group

  <domain>:ExternalGroups Equals <domain>/Users/Domain Computers


Screen Shot 2017-03-28 at 7.13.51 AM.png

and assign the appropriate Authorization result to provide the appropriate network access.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers