Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
490
Views
0
Helpful
1
Replies

ISE device differentiated access and windows clients

raun.williams
Level 3
Level 3

‎02-22-2015 11:00 AM - edited ‎03-10-2019 10:28 PM

Hi guys,

Pretty new to ISE  and looking for some help wrapping my head around a couple of things.

 

First, I have a beta wireless network setup, called VIP for for employees to connect their mobile devices too, it's PEAP based.  i'm also tagging into it the ability to create guest accounts through a portal and redirecting to different vlans (and thereby different internet providers).  That's all working pretty well.  However, one of the issues I have with it of course is with PEAP, a windows client doesn't correctly configure for it as it defaults to using the username/password logged into it.  Is it possible to attach a policy to that network to determine if it's a windows client and require them to do web-auth user/password?  Whats the best approach for that?  I didn't want to do web-auth for everyone (smartphones/tablets) as it's not accepted by the user base very well (healthcare) and they have to buy-in.

 

Secondly, we have a situation where corporate ipads may be used by the same individuals (employees) who have their own devices and have access to the VIP network via their AD username/password.  What I don't want to do, is use PEAP for the corporate network (ipads) and give the user the ability to connect to the corporate network with their personal device as well.  So I'm trying to figure out how I can limit this.  I would go off of the certificate based on the device, but I'm deploying certificates from my MobileIron MDM Server via it's scep proxy that runs off my MS PKI NDES installation.  As far as I know, I can't make NDES give different type of certificates for authentication to different networks... All sounds very confusing, so if you have ideas or scenarios on how to approach this, I would really appreciate it.

 

Thank you,
Raun

Labels:
0 Helpful
1 Reply 1

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎03-03-2015 01:44 AM

You can enable ISE profiling and profile endpoints and assign auth policy based on their profile.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_30_ise_profiling.pdf

0 Helpful
Customers Also Viewed These Support Documents