ISE Lock accounts to machines

MMstre
Level 3

I am trying to determine if there is a way to limit the number of logins. Basically, the requirement is to allow a user X number of concurrent logins, but restrict those logins to the first X machines they log into.  The requirement is to prevent users from passing their credentials around to other unauthorized users.

7 Replies

Tarik Admani
VIP Alumni

Michael,

You can only restrict guests to a concurrent login limit of 1 or unlimited. However, if you have a list of all MAC addresses, you can import them into ISE and statically assign them to an endpoint group; from there you can combine a policy that only allows users to connect with a device that you assigned to an endpoint group with a valid AD account.

However, your best bet is to deploy certificates. If you run in an AD environment where all devices are joined to the domain, it is very simple to use group policies to deploy certificates whose private keys you can make non-exportable. Then you can switch your authentication policy so that certs are used instead of passwords.

Let me know if you run all users in AD or if you would like some info on certificate enrollment.

Tarik Admani
*Please rate helpful posts*
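As an added illustration of the requirement in the original question (allow a user X concurrent logins, but only from the first X devices they log in with) and of the MAC-based endpoint-list approach Tarik describes: the script below is example code written for this page, not code from the thread or from Cisco ISE. It parses a constructed set of RADIUS-style authentication records (the `user=… mac=… result=…` field layout is an assumption for the example, not a real ISE log format), normalizes the MAC addresses into one canonical form, binds each user to the first X distinct endpoints seen, and raises an alert for any later accept from a device beyond that limit, which is the signal a defender would watch for when credentials are being passed around.

```python
import re

# Constructed sample records (not from the thread). The field layout is an
# assumption made for this example; adapt the regex to your own export format.
SAMPLE_LOG = """\
2013-09-10T09:00:01 user=alice mac=00-11-22-33-44-55 result=ACCEPT
2013-09-10T09:00:07 user=alice mac=0011.2233.4466 result=ACCEPT
2013-09-10T09:01:12 user=bob mac=AA:BB:CC:DD:EE:01 result=ACCEPT
2013-09-10T09:02:30 user=alice mac=00:11:22:33:44:77 result=ACCEPT
2013-09-10T09:03:45 user=alice mac=00:11:22:33:44:55 result=ACCEPT
2013-09-10T09:04:10 user=alice mac=00:11:22:33:44:88 result=ACCEPT
2013-09-10T09:05:00 user=carol mac=not-a-mac result=ACCEPT
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) mac=(?P<mac>\S+) result=(?P<result>\S+)$'
)
HEX12 = re.compile(r'^[0-9A-F]{12}$')


def normalize_mac(raw):
    """Accept 00-11-22-33-44-55, 0011.2233.4466 or 00:11:22:33:44:55 and
    return the canonical XX:XX:XX:XX:XX:XX form, or None if the value is
    not a 48-bit address. Normalizing first matters: the same device must
    not count twice just because two sources wrote the MAC differently."""
    digits = re.sub(r'[:\-\.]', '', raw).upper()
    if not HEX12.match(digits):
        return None
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_records(text):
    """Turn the raw log text into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def bind_first_devices(records, max_devices):
    """Apply the requirement from the question: each user is bound to the
    first max_devices distinct endpoints that authenticate successfully.

    Returns (allowed, alerts) where allowed maps user -> list of canonical
    MACs in first-seen order (the list you would turn into a static endpoint
    group) and alerts is a list of (timestamp, user, mac, reason) tuples.
    """
    allowed = {}
    alerts = []
    for rec in records:
        if rec['result'] != 'ACCEPT':
            continue
        user = rec['user']
        mac = normalize_mac(rec['mac'])
        if mac is None:
            # A record with no usable MAC cannot be bound; surface it rather
            # than silently dropping it.
            alerts.append((rec['ts'], user, rec['mac'], 'unparseable MAC'))
            continue
        devices = allowed.setdefault(user, [])
        if mac in devices:
            continue  # known device for this user, nothing to do
        if len(devices) < max_devices:
            devices.append(mac)  # still within the limit: bind this device
        else:
            # Same credentials, yet another machine: the sharing pattern
            # the thread is trying to prevent.
            alerts.append((rec['ts'], user, mac, 'device beyond limit'))
    return allowed, alerts


if __name__ == '__main__':
    allowed, alerts = bind_first_devices(parse_records(SAMPLE_LOG), 3)
    for user, macs in allowed.items():
        print(user, '->', ', '.join(macs))
    for alert in alerts:
        print('ALERT', *alert)
```

With the sample data and a limit of 3, `alice` is bound to her first three endpoints, her fourth device produces a `device beyond limit` alert, and `carol`'s malformed record is flagged separately. The `allowed` mapping is the per-user endpoint list you would feed into whatever static endpoint import your ISE version provides; the exact import template is not shown on this page and is left to the reader's deployment.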

Hi Tarik,

Thanks for the suggestions. However, at this time, the deployment is going to be a live pilot (I know, dangerous move lol), but it's what is going to convince the customer of ISE's features.

Cert services isn't an option at this time, due to time constraints and the environment this is being rolled out to.

It's basically a trade show and they are allowing all invitees to use their network, but can't deploy certs, or expect the invitees to be able to install them. Apparently, these guests have been known to pass around credentials and this is what they are trying to prevent.

I have locked them down to 3 concurrent connections, but I am not sure if that will do the trick.

Thoughts?

Thanks again for your reply.

Ravi Singh
Level 7

Yeah, you have to deploy certificates to authenticate devices and users with non-exportable private keys. That is the only way by which you can achieve your goal.

aqjaved
Level 3

ISE version 1.1 does not support limits on concurrent logins, but ISE 1.2 supports this function.

Release Notes for Cisco Identity Services Engine, Release 1.2

http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html

Aqeel,

It was my understanding that ISE 1.2 only allows this feature for guests.

thanks,

Tarik Admani
*Please rate helpful posts*

blenka
Level 3

Please find the attached solution.

Guys,

The initial question is around dot1x authentication. Please take some time to understand the question above. This has nothing to do with Administrative access nor does it involve guests.

Thanks,

Tarik Admani
*Please rate helpful posts*