
ISE used for BYOD and Corporate

zmainedsnz
Level 1

Hello

I have a customer currently using EAP-PEAP on both their corporate laptops and wireless phones on different SSIDs; the RADIUS servers are a pair of IAS servers. We have recently deployed ISE BYOD for them with a single BYOD SSID. Now they want to completely get rid of the IAS and move all RADIUS to ISEs but want to keep EAP-PEAP for laptops and phones.

I am thinking about the authorization rules in the ISE. Now they have 3 types of access using EAP-PEAP: a user must at least belong to the Employee AD group, but he may or may not belong to BYOD or/and PHONE groups as well. The authentication results should be something like:

1. if Corporate Laptop then Permit Access

2. if BYOD then NSP

3. if Phone then Permit Access

I am just wondering what is the best way to classify the devices (to decide the following action) without relying on profiling. Surely they all come from different SSIDs so I could check the WLAN ID to determine what action to follow, but that will need to make sure all the WLCs have the same WLAN ID for each SSID. Is there any better or neater way of doing this? What is the best practice for this kind of scenario?

Thanks

2 Replies

Marcin Latosiewicz
Cisco Employee

If we're talking purely SSIDs, you can match the name of the SSID.

For example here, I'm matching an SSID of "mlatosie".

Thanks a lot for the information. I did not know you could match the SSID name. Will give it a try.
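The SSID-name match suggested in the reply above, modelled as an added Python example (not ISE configuration and not code from this thread). It assumes the WLCs send Called-Station-Id as `<AP MAC>:<SSID>`; the SSID names, the group combinations per rule and the `DenyAccess` default are constructed for illustration, and `Airespace-Wlan-Id` is present only to show that it is never consulted.

```python
import re

# Assumption: the WLC appends the SSID to Called-Station-Id as
# "<AP MAC>:<SSID>". The MAC may be written with '-' or ':' separators.
_CALLED_STATION = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(.+)$")

def ssid_from_called_station_id(value):
    """Return the SSID suffix, or None when the attribute carries no SSID."""
    match = _CALLED_STATION.match(value.strip())
    return match.group(1) if match else None

# Constructed policy: (SSID name, AD groups required, result).
# Evaluated top-down, first match wins, like an authorization rule table.
RULES = [
    ("CORP-WIFI", {"Employee"}, "PermitAccess"),
    ("BYOD", {"Employee", "BYOD"}, "NSP"),
    ("VOICE", {"Employee", "PHONE"}, "PermitAccess"),
]

def authorize(request):
    """Classify by SSID name plus AD group membership; WLAN ID is ignored."""
    ssid = ssid_from_called_station_id(request.get("Called-Station-Id", ""))
    groups = set(request.get("ad_groups", ()))
    for rule_ssid, required, result in RULES:
        # SSIDs are case-sensitive, so compare exactly.
        if ssid == rule_ssid and required <= groups:
            return result
    return "DenyAccess"

# Constructed requests: the same BYOD SSID has a different WLAN ID on each WLC.
SAMPLES = [
    {"Called-Station-Id": "00-1A-2B-3C-4D-5E:BYOD", "Airespace-Wlan-Id": 3,
     "ad_groups": ["Employee", "BYOD"]},
    {"Called-Station-Id": "00-1A-2B-AA-BB-CC:BYOD", "Airespace-Wlan-Id": 7,
     "ad_groups": ["Employee", "BYOD"]},
    {"Called-Station-Id": "00-1A-2B-3C-4D-5E:VOICE", "Airespace-Wlan-Id": 2,
     "ad_groups": ["Employee"]},  # on the phone SSID but not in PHONE
    {"Called-Station-Id": "00-1A-2B-3C-4D-5E", "Airespace-Wlan-Id": 1,
     "ad_groups": ["Employee"]},  # WLC not configured to send the SSID
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["Called-Station-Id"], "->", authorize(sample))
```

The last sample shows the failure mode to check for when moving WLCs onto this policy: a controller that sends only the AP MAC in Called-Station-Id never matches an SSID rule and falls through to the default.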