ISE Dynamic VLAN Assignment Based on Auth Type

wick54namal
Level 1

Hello,

 

I'm trying to configure a single SSID where both Corporate Laptops and BYOD Laptops can connect. BYOD devices will be non-domain joined, but users will have an AD account. Corporate Laptops will use PEAP-MSCHAPv2 and BYOD Laptops will use PEAP to authenticate. I wanted to dynamically place BYOD devices on a separate VLAN to have restricted access compared to Corporate Laptops. What would be the best way to achieve this using ISE?

 

Thanks

Accepted Solutions

pan
Cisco Employee

You can configure machine authentication. A BYOD device will not be part of domain computers, so with machine authentication you can differentiate between personal and corporate devices.


This is a common setup, and using PEAP computer for corporate devices and PEAP user for the BYOD mobile devices with a VLAN move will work. The only thing to watch out for is account lockout issues. When AD account passwords change, the users forget they have it programmed into their BYOD mobile devices and their accounts will get locked.


Mike.Cifelli
VIP Alumni

You have several options to accomplish your requirement.  Here are a few ideas that will assist you:

Set up separate global policies with different allowed protocol profiles and build policies separately this way;

Use the same global policy that allows both desired protocols, but configure several authorization policies. For example, for domain-joined members you could set up conditions that match specific identity groups in AD that your objects are a part of. Then, based on the condition match, you assign your result that assigns them to their respective VLAN. Then at the bottom you have your default rule for BYOD devices that are non-domain members, which assigns them to a different VLAN and possibly even throws a dACL out;

Another option you could look into is potentially using client provisioning for the BYOD devices. However, this introduces quite a few things from a configuration standpoint. You could even potentially use ISE posture assessment to perform some sort of security check requirements prior to giving these BYOD devices access even to your restricted VLAN.

 

HTH!
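
Added example (not part of any reply in this thread, and not ISE configuration): a small Python model of the second option above, a single ordered authorization rule table in which a machine-authenticated corporate laptop matches first and everything else falls through to the default BYOD rule. VLAN ids, the dACL name, the group names and the sample identities are constructed; the VLAN result is expressed with the RFC 3580 tunnel attributes.

```python
from dataclasses import dataclass, field

# Constructed values for illustration; not taken from the thread.
CORP_VLAN, BYOD_VLAN = "110", "120"

@dataclass
class Session:
    identity: str                 # identity presented inside PEAP
    authenticated: bool           # outcome of the authentication phase
    ad_groups: set = field(default_factory=set)

    @property
    def is_machine(self) -> bool:
        # Assumption: Windows supplicants typically present computer
        # accounts as "host/<fqdn>" during machine authentication.
        return self.identity.lower().startswith("host/")

def vlan_attrs(vlan: str) -> dict:
    # RFC 3580 attributes a RADIUS server returns for dynamic VLAN assignment:
    # Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": vlan}

# Ordered rules: (name, condition, result). First match wins, so the
# catch-all BYOD rule has to stay at the bottom.
RULES = [
    ("Corp-Machine",
     lambda s: s.is_machine and "Domain Computers" in s.ad_groups,
     vlan_attrs(CORP_VLAN)),
    ("Default-BYOD",
     lambda s: True,
     {**vlan_attrs(BYOD_VLAN), "dacl": "BYOD-RESTRICTED"}),  # hypothetical dACL name
]

def authorize(session: Session):
    """Return (rule_name, result_attributes) for one session."""
    if not session.authenticated:
        return ("Reject", None)   # failed authentication never reaches the rules
    for name, condition, result in RULES:
        if condition(session):
            return (name, result)

if __name__ == "__main__":
    samples = [
        Session("host/lt-0142.corp.example", True, {"Domain Computers"}),
        Session("alice", True, {"Domain Users"}),   # AD user on a personal device
        Session("alice", False),                    # stale password on a BYOD device
    ]
    for s in samples:
        print(s.identity, "->", authorize(s))
```

A valid AD user account on its own never matches the corporate rule; only a computer account in the domain computers group does, which is what keeps a personal device with correct user credentials in the restricted VLAN.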

 

 
