Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

479
Views
2
Helpful
8
Replies
Alex Pfeil
Rising star
Rising star
‎06-29-2018 05:03 AM
‎06-29-2018 05:03 AM

ISE Wireless Profiling and Computer Imaging Process

     We have deployed ISE on our wireless network.  We need to modify our imaging process so that the techs can make sure the computer is profiled correctly before they ship it out to a user.  I was wondering if anybody can recommend a way or share the best practice.

     Currently, computers are being shipped out and if the computer does not profile correctly, the end user will call about not getting onto the wireless network.  The computer will profile correctly with a reboot and wireless auth attempt.  I was just wondering if after a computer is imaged and joined to the domain, is rebooting the computer a best practice or is there some other solution?

Thanks,

Alex

8 REPLIES 8
paul
Advocate
Advocate
‎06-29-2018 11:00 AM
‎06-29-2018 11:00 AM

What kind of authentication are you doing on the wireless network?  i.e. why are you using profiling on wireless?

0 Helpful
Alex Pfeil
Rising star
Rising star
In response to paul
‎06-29-2018 11:05 AM
‎06-29-2018 11:05 AM

We are doing 802.1x authentication on the wireless network. We are using profiling so that our devices can get on the network without any manual process.

Our current process is to image the computer, and reboot it.  We tested this out today and it seems to be working pretty good.  We are running ISE 2.4 with the latest patch.

0 Helpful
paul
Advocate
Advocate
In response to Alex Pfeil
‎06-29-2018 11:09 AM
‎06-29-2018 11:09 AM

When your  devices are being reimaged, aren't they joined to the domain, get GPOs pushed etc. to enabled wireless authentication.  Still confused where profiling comes into play on wireless Dot1x SSID.

0 Helpful
Alex Pfeil
Rising star
Rising star
‎06-29-2018 11:14 AM
‎06-29-2018 11:14 AM

Before we send the computer to the end user, we want to make sure it automatically gets added to the ISE database.

0 Helpful
paul
Advocate
Advocate
In response to Alex Pfeil
‎06-29-2018 11:17 AM
‎06-29-2018 11:17 AM

Still confused.  Being in the ISE database should have nothing to do with and 802.1x SSID.  I am sure there is more to this puzzle, but with standard 802.1x authentication there is no requirement to be in the ISE database.

0 Helpful
Alex Pfeil
Rising star
Rising star
In response to paul
‎06-29-2018 11:30 AM
‎06-29-2018 11:30 AM

We are only allowing specific devices to get on the network. So the device must be in the database, and the user must authenticate.

0 Helpful
hslai
Cisco Employee
Cisco Employee
In response to Alex Pfeil
‎06-29-2018 07:11 PM
‎06-29-2018 07:11 PM

If the endpoints have to be in the ISE internal endpoints store first before allowed to authenticate, then the tech either add the endpoints using Cisco ISE ERS APIs, or authenticate them in a limited-access network to get them profiled.

0 Helpful
mick_johnson@hotmail.com
Beginner
Beginner
In response to hslai
‎07-02-2018 01:07 AM
‎07-02-2018 01:07 AM

All you need to do is create a specific goup in AD for devices permitted onto the wireless and put this into your your ISE policy for authorisation, you can go even further and create multiple groups with different policies, say one group with internet access and one without.

0 Helpful
Latest Contents
Cisco and Radware - Securing your digital future
Created by Kelli Glass on 04-21-2021 05:16 PM
0
0
0
0
  Application Protection, Availability & Security Join our webinar May 6th to gain valuable industry insights into the most recent application cyber attacks and to understand the potential impact bot traffic is having on your business. Lear... view more
Cisco Wants your Feedback on the Secure Firewall Management ...
Created by caiharve on 04-21-2021 04:36 PM
0
0
0
0
Review the Cisco Secure Firewall Management Center (formally named "Firepower Management Center") on TrustRadius and receive a $25 gift card!     
ISE as RADIUS server for Password + Smart Card Authenticatio...
Created by deepuvarghese1 on 04-17-2021 06:22 AM
1
10
1
10
The purpose of this document is to demonstrate how ISE authenticate / authorize a user that uses a smart card (PIN + Certificate) and password mechanism to login their system. This document describes the components used for this setup, configuration of IS... view more
Email Security - QuoVadis Root Certificate Decommission Migh...
Created by dmccabej on 03-30-2021 09:32 AM
0
0
0
0
Problem Description For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b... view more
ISE REST APIs Webinar: April 6/7, 2021
Created by thomas on 03-25-2021 07:57 PM
2
5
2
5
  Register Now Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli... view more
Content for Community-Ad