01-24-2014 02:54 PM - edited 03-10-2019 09:19 PM
Hello everybody...
I have an ISE appliance integrated with Active Directory to authenticate the users, and I have a WLC integrated with the ISE also.
The integration was done successfully, and now any user who wants to access the network through the WiFi (Dot1x) should use his AD credentials; if he is compliant he gets full access, and if non-compliant he goes to the quarantine VLAN.
My problem is the mobiles: there are some users who need to access the WiFi from their personal mobiles using the AD credentials, and I need to bypass the posturing for mobiles only.
In other words, I don't need to check whether the device is compliant or non-compliant for the mobiles only, while I need this feature for laptops.
Note: I have only 1 SSID.
Any suggestions for this case?
Reyad
01-25-2014 08:12 PM
Hi Reyad,
The solution for the mobile devices is to enable profiling. By enabling profiling, you can categorize the access for all the smart devices, and you can combine them with Wireless_dot1x so all the users can authenticate the access using the AD username and password.
In general, the ISE does not have NAC agents or posture for mobile devices, so you can build an authorization policy based on profiling and authentication, and you can put it on top of the policies so if the ISE detects mobile phone access then the authentication will be dot1x against the AD.
HTH.
Thanks.
Ahmad.
01-27-2014 08:39 AM
Hello Ahmad,
In my case, I noticed that I have only 2 profiled categories:
one for workstations and the other for IP phones. Unfortunately, the smartphones and mobiles have been recognized as workstations, which becomes useless when I configure the policy for the profiled device.
What I need is to configure a policy for any non-Windows device.
How can I configure the profiling feature for these devices?
Any suggestions?
Reyad
01-27-2014 10:31 AM
Hi Reyad, you need to create an Authorisation Policy that matches "PostureApplicable Equals No" above the Authorisation Policies you have defined for PostureStatus Equals Compliant and PostureStatus Not_Equals Compliant.
Any devices that are not capable of posture assessment (e.g. your mobile devices) will match this rule and bypass the NAC process before hitting the rule you are currently matching.
This should work fine as long as all other Authorisation Policies are correct.
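The rule ordering described in this reply, as an added example that is not part of the original post and is not ISE code: a simplified first-match model in Python. The attribute names come from the thread; the rule names, result names, sample endpoints and the "Unknown" status for a device without an agent are assumptions.

```python
# Simplified model of first-match authorization rule evaluation (not ISE code).
# Attribute names are from the thread; rule/result names are hypothetical.

def eq(attr, value):
    return lambda ep: ep.get(attr) == value

def ne(attr, value):
    return lambda ep: ep.get(attr) != value

# Bypass rule for endpoints that cannot be posture-assessed.
BYPASS = ("Mobile_Bypass", eq("PostureApplicable", "No"), "FULL_ACCESS")

# The two posture rules the thread says already exist.
POSTURE_RULES = [
    ("Compliant", eq("PostureStatus", "Compliant"), "FULL_ACCESS"),
    ("Not_Compliant", ne("PostureStatus", "Compliant"), "QUARANTINE_VLAN"),
]

def authorize(endpoint, rules):
    """Return (rule name, result) of the first rule whose condition matches."""
    for name, condition, result in rules:
        if condition(endpoint):
            return name, result
    return "Default", "DENY_ACCESS"

# Constructed sample endpoints; a phone has no agent, so its posture status
# is assumed to stay "Unknown".
ENDPOINTS = {
    "laptop_ok": {"PostureApplicable": "Yes", "PostureStatus": "Compliant"},
    "laptop_bad": {"PostureApplicable": "Yes", "PostureStatus": "NonCompliant"},
    "smartphone": {"PostureApplicable": "No", "PostureStatus": "Unknown"},
}

def evaluate_all(rules):
    """Evaluate every sample endpoint against an ordered rule list."""
    return {name: authorize(ep, rules) for name, ep in ENDPOINTS.items()}

if __name__ == "__main__":
    orderings = (("bypass on top", [BYPASS] + POSTURE_RULES),
                 ("bypass at bottom", POSTURE_RULES + [BYPASS]))
    for label, rules in orderings:
        print(label)
        for name, (rule, result) in evaluate_all(rules).items():
            print(f"  {name:11} -> {rule:13} {result}")
```

In this model the bypass rule matches on PostureApplicable alone, so every endpoint carrying that value skips posture, not only phones.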
01-27-2014 12:22 PM
Hi Andy,
This will help to solve my problem,
but I couldn't find the condition "PostureApplicable" in the authorization policy rules. Could you help me with where I can find this?
Reyad
01-28-2014 01:17 AM
You can find it under Endpoints as shown below.
01-28-2014 11:04 AM
Hello Andy, and sorry for bothering you again...
But I couldn't find the EndPoint within my drop list on the authorization policy page.
Do you think it's related to the ISE IOS version, or do I need to do some configuration somewhere to have EndPoint?
My ISE version is: 1.1.0.665
01-28-2014 11:13 AM
Hi Reyad, the Endpoint policy was added in ISE 1.1 MR1 I believe; you will need to upgrade to see this. I would strongly recommend upgrading to the latest release of ISE anyway, as it is much improved on version 1.1.0.
Thanks
Andy
01-28-2014 11:17 AM
Thank you Andy for your help.
Reyad
01-27-2014 09:35 PM
In order to have definitions for a broader range of endpoints like smartphones and PDAs, please use the profiler feed service. It would ensure the device profiles database is updated.