ISE support for Non Domain joined Thin Clients

kevshah
Level 1

Here is a question posed by one of my customers.

Our thin clients are not domain joined and as such cannot take advantage of our Active Directory policies around certificate management (both initial deployment and automatic renewal). Additionally, we are evaluating moving away from Windows towards a Linux-based thin client platform where the same certificate-based challenges would also exist.

  • If AD-based PKI is not available, does ISE provide any native certificate deployment / renewal capability that non-domain joined thin clients can take advantage of (assuming AnyConnect is installed)?
  • What does Cisco recommend as best practice for customers with large thin client deployments (specifically non-domain joined deployments)?

1 Accepted Solution

Nidhi
Cisco Employee

Adding to Paul's, we now have embedded OS profiles which might be running in thin client, also available in the community which can be utilized to create policy conditions and authorize them in the network with VLAN or DACL.

Thanks,

Nidhi


2 Replies

paul
Level 10

Have you looked at profiling and what data you are collecting from the Thin Clients? You should be able to profile them in some fashion and apply a pretty tight DACL to the thin clients because what they need to talk to in order to function should be well defined.
