ISE - auto assign a device to group upon device registration

glmharled · ‎03-06-2014

Hi,

Is it possible to auto assign a device to group upon device registration?

Typically in the registration portal, once "Register" button is clicked, the MAC address is put into "Registered Device" group, but let's say I want it to be put in different groups depending on the AD group? (Let's say when if Staff A register the device, the device automatically put into group A, Staff B to group B, and so forth)

Thanks

jj27 · ‎03-07-2014

Unfortunately not, but you can use several Authorization rules and profiles to accomplish the same thing.

if RegisteredDevices and AD:ExternalGroup=StaffA then StaffA_Permissions

etc.

glmharled · ‎03-07-2014

hmm, that's the challenge that we're having, if we use AD group then we need to turn on dot1x authentication, while the customer wants to achieve this by using MAB only

Bastien Migette · ‎03-09-2014

If you create a portal Specific for device registration, you can define to which ID groups will belong the registered endpoints.

I didn't tried this, but it might be possible to have a different portal for registration based on AD group, if you chain it after CWA or Dot1x. That would make an additional redirection though.

Venkatesh Attuluri · ‎03-11-2014

you can Specify Identity Store Sequence Used for Authentication

Choose Administration > Web Portal Management > Settings > My Devices > Authentication Source.

You need to have an authorization policy to assign these registered devices permission