ISE Device Onboarding Policy

malhashi · ‎03-09-2018

University with ISE for Wireless deployment using 802.1x using to AD domains one for students and another for faculty, they need to limit their devices to only 2 and faculty to 4. ISE can only set device limit as a global parameter and cannot be set per group policy,

Usually students sometimes login from more than 4 or 5 devices per day and sometimes their credentials show more than 50 devices.

Can we use CA certificate for BYOD and limit device count this way?
is it recommended to have separate ISE instances for students than faculty?

the university want to only allow 2 devices logged-in within 24 hours, even if student logout, they can only login with same authenticated devices for that day. Any idea or suggestions?

dmh · ‎03-09-2018

You can limit the number of concurrent sessions per user in a group and have different limits for each group. So you can have a Students group with maximum sessions per users set to 2 and a Faculty group with maximum sessions per user set to 4.

See the following for configuration details:

Configure Maximum Concurrent User Sessions on ISE 2.2 - Cisco

hslai · ‎03-13-2018

The max concurrent sessions added in ISE 2.2 can be considered but it's per PSN and not tying to the same authenticated devices.

ISE BYOD is currently has only one device limit but not by groups, as you already found. Perhaps, you may give faculty two user accounts each?

With ISE MyDevices portals, the users can manage the device registration themselves. If the university wants to limit login with the same authenticated devices for that day, then MyDevices portal access needs to be restricted, as well.

Another idea is to use ISE guest services instead. ISE is limiting device registration and concurrent sessions per guest types.