cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
463
Views
0
Helpful
2
Replies

ISE used for BYOD and Corporate

zmainedsnz
Level 1
Level 1

Hello

I have a customer currently using EAP-PEAP on both their coporate laptop and wireless phones on different SSIDs, the radius servers are a pair of IAS servers. We have recently deployed ISE BYOD for them with a single BYOD SSID. Now they want to completely get rid of the IAS and move all Radius to ISEs but want to keep EAP-PEAP for laptops and phones.

I am thinking about the authorization rules in the ISE, now they have 3 types of access using EAP-PEAP, a user must at least belong to the Employee AD group, but he may or may not belong to BYOD or/and PHONE groups as well. The authentiation results should be something like:

1. if Corporate Laptop  then Permit Access

2. if BYOD then NSP

3. if Phone then Permit Access

I am just wondering what is the best way to classify the devices (to decide the following action) without relying on profiling, Surely they all come from different SSIDs so I could check the WLAN ID to determine what action to follow, but that will need to make sure all the WLCs have the same WLAN ID for each SSID. Is there any better or neater way of doing this? What is the best practice for this kind of senario?

Thanks

2 Replies 2

Marcin Latosiewicz
Cisco Employee
Cisco Employee

If we're talking purely SSIDs, you can match the name of SSID

For example here, I'm matching a SSID of "mlatosie".

Thanks a lot for the information. I did not know you could match the SSID name. Will give it a try