Solved: ISE - Restrict Full WiFi Access only to Authorized Devices

Saurabh Kishore · ‎12-02-2014

Hi All,

We have a WLC HA (Code 8.0.100.0) setup with an ISE pair (version 1.2) , and all that works fine.

Currently ISE is configured to authenticate users from AD. Our corporate SSID is setup with WPA2+AES with 802.1x PEAP authentication, so users can connect Wifi from their devices after they put in their AD credentials.

We would now want to Restrict our Internal network Access through WiFi only to Authorized Devices like company issued Laptops/Tablets etc. For all the other devices like Personal Smartphones/Tablets/Laptops users can only have Internet Access only if they are Authenticated/Authorized to do so.

For the Rest of the devices like Printers, Apple TV's etc we already have a separate SSID running on which we are doing Mac Filtering through WLC, so none of the browser less devices would be connecting to the Corporate SSID.

Assuming We have the Mac Addresses of all the company issued devices Laptops/Tablets (Most of which are Apple Devices), what is the best approach to go about this utilizing ISE.

nspasov · ‎12-02-2014

Hello Saurabh-

You can import all of the mac addresses in ISE and perform mac filtering along with a PEAP-User based authentication. However, keep in mind that using this method is not the most secure one since a mac address can be very easily be spoofed and it is send in clear text.

With that being said, a better solution would be to get an MDM (MobileIron, Airwatch, etc), integrate it with ISE and onboard all of the corporate owned devices.

Hope this helps!

Thank you for rating helpful posts!

View solution in original post

nspasov · ‎12-02-2014

Hello Saurabh-

You can import all of the mac addresses in ISE and perform mac filtering along with a PEAP-User based authentication. However, keep in mind that using this method is not the most secure one since a mac address can be very easily be spoofed and it is send in clear text.

With that being said, a better solution would be to get an MDM (MobileIron, Airwatch, etc), integrate it with ISE and onboard all of the corporate owned devices.

Hope this helps!

Thank you for rating helpful posts!

Saurabh Kishore · ‎12-05-2014

Yes, I am evaluating MDM solutions too, but budget being a constraint I am not sure if that would be approved or not.

There is lack of free MDM solutions which can be integrated with ISE, I did found the Meraki's Systems Manager worth a shot, but I guess the free version does not integrates with ISE, unless you go for the Enterprise Version. There were a few Rumors that ISE 1.4 is coming up with inbuilt MDM.

For now I will go ahead and import the mac address database to ISE in an Identity Group called Corporate-Devices and will edit the auth profile to check for the Identity Group Along with AD.

nspasov · ‎12-06-2014

Yes, budgets are always tough so I understand your point :) Good luck with the solution that you have in place!

If your issue is resolved, please mark the thread as "answered" ;)

Thank you for rating helpful posts!

Guillaume BARBEROT · ‎07-15-2015

hi neno,

i would like to have more details on your idea of mac filtering added to PEAP-user auth

when you ay create mac@ list i understand, but where would you "check" this list in ISE ? during authC or during authZ ?

Thanks for feedback

guillaume

Guillaume BARBEROT · ‎07-17-2015

self reply for me and others

(Really obvious after five minutes searching ...)

just create an endpoint identity group with mac@ in it, and in authZ match the identity group (here Manually_Authorized_Devices additionally to 802.1x auth

nspasov · ‎07-20-2015

Sorry I was out on some much needed vacation. Glad you got your question answered (+5 from me).