
ISE for Mobiles

Reyad Safi
Level 1

Hello everybody...

I have an ISE appliance integrated with Active Directory to authenticate the users, and I have a WLC integrated with the ISE also.

The integration was done successfully, and now any user who wants to access the network through the WiFi (Dot1x) should use his AD credentials; if he is compliant he gets full access, and if non-compliant he goes to the quarantine VLAN.

My problem is the mobiles: there are some users who need to access the WiFi from their personal mobiles using the AD credentials, and I need to bypass the posturing for mobiles only.

In other words, I don't need to check whether the device is compliant or non-compliant for the mobiles only, while I need this feature for laptops.

Note: I have only 1 SSID.

Any suggestions for this case...

Reyad


Ahmad Murad
Level 1

Hi Reyad,

The solution for the mobile devices is to enable profiling. By enabling profiling, you can categorize the access for all the smart devices, and you can combine them with Wireless_dot1x so all the users can authenticate using the AD username and password.

In general, the ISE does not have NAC agents or posture for mobile devices, so you can build an authorization policy based on profiling and authentication, and you can put it on top of the policies so if the ISE detects mobile phone access then the authentication will be dot1x against the AD.

HTH.

Thanks.

Ahmad.

Hello Ahmad,

In my case, I noticed that I have only 2 profiled categories.

One is for workstations and the other for IP phones, but unfortunately the smartphones and mobiles have been recognized as workstations, which becomes useless when I configure the policy for the profiled device.

What I need is to configure a policy for any non-Windows device.

How can I configure the profiling feature for these devices?

Any suggestions...

Reyad

Hi Reyad, you need to create an Authorisation Policy that matches "PostureApplicable Equals No" above the Authorisation Policies you have defined for PostureStatus Equals Compliant and PostureStatus Not_Equals Compliant.

Any devices that are not capable of posture assessment (e.g. your mobile devices) will match this rule and bypass the NAC process before hitting the rule you are currently matching.

This should work fine as long as all other Authorisation Policies are correct.
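The rule ordering described in the reply above, as an added example that is not part of the original thread and not Cisco code: a simplified first-match model of an authorization policy. The rule names, result names, and the assumption that a phone with no NAC agent has PostureStatus `Unknown` are illustrative.

```python
# Simplified first-match authorization policy model (added example).
# Attribute names come from the thread; rule and result names are hypothetical.

def eq(attr, value):
    """Condition: endpoint attribute equals value."""
    return lambda ep: ep.get(attr) == value

def ne(attr, value):
    """Condition: endpoint attribute does not equal value."""
    return lambda ep: ep.get(attr) != value

BYPASS = ("Mobile_Bypass", eq("PostureApplicable", "No"), "FullAccess")
COMPLIANT = ("Compliant", eq("PostureStatus", "Compliant"), "FullAccess")
NOT_COMPLIANT = ("Not_Compliant", ne("PostureStatus", "Compliant"), "QuarantineVLAN")

# Ordering recommended in the thread: bypass rule above the posture rules.
RECOMMENDED = [BYPASS, COMPLIANT, NOT_COMPLIANT]
# Same rules with the bypass rule placed last.
MISORDERED = [COMPLIANT, NOT_COMPLIANT, BYPASS]

def authorize(policy, endpoint):
    """Return (rule name, result) of the first rule that matches, top to bottom."""
    for name, condition, result in policy:
        if condition(endpoint):
            return name, result
    return "Default", "DenyAccess"

# Constructed sample endpoints. Assumption: a device that cannot run the
# posture agent never reports Compliant, so its status stays "Unknown".
PHONE = {"PostureApplicable": "No", "PostureStatus": "Unknown"}
LAPTOP_OK = {"PostureApplicable": "Yes", "PostureStatus": "Compliant"}
LAPTOP_BAD = {"PostureApplicable": "Yes", "PostureStatus": "NonCompliant"}

if __name__ == "__main__":
    endpoints = {"phone": PHONE, "laptop_ok": LAPTOP_OK, "laptop_bad": LAPTOP_BAD}
    for label, policy in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        for ep_name, ep in endpoints.items():
            print(label, ep_name, authorize(policy, ep))
```

With the bypass rule last, the phone is caught by the Not_Equals Compliant rule and quarantined, which is why the rule has to sit above the posture rules.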

Hi Andy,

This will help to solve my problem,

but I couldn't find the condition "PostureApplicable" in the authorization policy rules. Could you help me with where I can find this?

Reyad

You can find it under Endpoints as shown below.

noncompliant.png

Hello Andy, and sorry for bothering you again...

but I couldn't find the EndPoint within my drop list in the authorization policy page.

Do you think it's related to the ISE IOS version, or do I need to do some configuration somewhere to have EndPoint?

My ISE version is: Version : 1.1.0.665

drop-list.jpg

Hi Reyad, the Endpoint policy was added in ISE 1.1 MR1 I believe, you will need to upgrade to see this. I would strongly recommend upgrading to the latest release of ISE anyway as it is much improved on version 1.1.0.

Thanks

Andy

Thank you Andy for your help...

Reyad

Saurav Lodh
Level 7

In order to have definitions for a broader range of endpoints like smartphones and PDAs, please use the profiler feed service. It would ensure the device profiles database is updated.
