02-22-2015 11:00 AM - edited 03-10-2019 10:28 PM
Hi guys,
Pretty new to ISE and looking for some help wrapping my head around a couple of things.
First, I have a beta wireless network set up, called VIP, for employees to connect their mobile devices to; it's PEAP based. I'm also tagging into it the ability to create guest accounts through a portal and redirecting to different VLANs (and thereby different internet providers). That's all working pretty well. However, one of the issues I have with it, of course, is that with PEAP, a Windows client doesn't correctly configure for it, as it defaults to using the username/password logged into it. Is it possible to attach a policy to that network to determine if it's a Windows client and require them to do web-auth user/password? What's the best approach for that? I didn't want to do web-auth for everyone (smartphones/tablets) as it's not accepted by the user base very well (healthcare) and they have to buy in.
Secondly, we have a situation where corporate iPads may be used by the same individuals (employees) who have their own devices and have access to the VIP network via their AD username/password. What I don't want to do is use PEAP for the corporate network (iPads) and give the user the ability to connect to the corporate network with their personal device as well. So I'm trying to figure out how I can limit this. I would go off of the certificate based on the device, but I'm deploying certificates from my MobileIron MDM server via its SCEP proxy that runs off my MS PKI NDES installation. As far as I know, I can't make NDES give different types of certificates for authentication to different networks... It all sounds very confusing, so if you have ideas or scenarios on how to approach this, I would really appreciate it.
Thank you,
Raun
03-03-2015 01:44 AM
You can enable ISE profiling and profile endpoints and assign auth policy based on their profile.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_30_ise_profiling.pdf