ISE - Limit access to BYOD portal

Seb Rupik
VIP Alumni

Hi there,

Is there a way to limit access to a BYOD portal to a set of Active Directory OUs? Currently, when I select the 'Identity Source Sequence' to use the AD identity source, any user is able to log into the portal and register devices.

 

The SSID which uses the Endpoint subset created by this portal is only broadcast within a limited number of buildings, so the user base is controlled by building access, but this doesn't stop everyone on campus from registering a device.

 

I am using ISE 1.4.0.253.

 

cheers,

Seb.

Accepted Solution

Hi Seb,

 

I do not have a guide specific for this. This would use no extra licensing features than what BYOD would already consume.

 

To direct you, you can follow these steps.

 

It is presumed you have already decided on an AD group and have selected it as part of the groups under your identity source.

 

1. Click Policy>Client Provisioning

2. Edit the relevant rule you want to restrict

3. Expand the "Other Conditions"

4. Click the gear drop down

5. Select "Add Attribute/Value"

6. In the "Select Attribute" field click the down arrow

7. Click the ">" next to your external identity source

8. Select "ExternalGroups"

9. Leave the "Equals" and select the down arrow in the next field

10. Select the relevant AD group

11. Click "Done" on the rule

12. Click "Save" at the bottom of the page

 

And you are done. You would do this for each rule you want to restrict.

 

Regards,

Jason

 

 


8 Replies

Seb Rupik
VIP Alumni

Bump.

Anyone??

I would suggest on your AuthZ NSP rule restrict it to an AD group of your choice. Everyone else should then hit your default rule which should be a deny all.

Hi Jason,

Thanks for the suggestion, but the BYOD portal is for MAB, so all the AuthZ policies relate to whether a device MAC address is registered (in a particular group) or not.

The only time a username and AD group comes into play is when they log into the BYOD portal. It's at this stage I want to restrict access, but can't see any options on how to.

 

cheers,

Seb.

Hi Seb,

 

My response was based on a single SSID. I presume you are using 2 SSIDs based on your response.

 

In this case you can under client provisioning restrict who can follow the BYOD flow to different AD groups. This will also work for a single SSID. The user will be able to log in but not register/follow the BYOD flow.

 

Regards,

Jason

Hi Jason,

Do you have a 1.4 configuration guide that describes this? It's not something I'm familiar with. On that note, is this feature covered under the Base license?

 

cheers,

Seb.


While this is a valid method to restrict users from the BYOD flow based on AD, it seems like a very janky way of doing so.  It gives false hope to users that they can do something because they are allowed to login and are presented with the BYOD start screen.  I wish someone at Cisco would realize this and make it possible to change the allowed "Employees" up front in the portal creation page so if you are not authorized per the AD group, you would simply fail authentication and not even be able to log in.

If anyone knows of a better solution, please post it.  I'm working with ISE 2.1 currently and have been working on ISE since ISE 1.3 and yet this BYOD flow is still as terrible as it was when it all started.

Hi,

I'm struggling with the same issue. Have you found a solution in the meantime?

regards,

Marc
