Limit # of devices for students but not for faculty?

jiglenn
Cisco Employee

Hi Team,

 

We have a customer that purchased ISE with one particular use case in mind.  They want to limit the number of devices a student can have to 1.  However, they don't want to limit the number of devices that a teacher or administrator can have.  The partner stated the following and the customer is now coming back to us asking if what the partner said is true.  If it is, can we help them with another approach? 

 

Partner comments below:

 

First, to answer the question of whether we can limit user sessions with ISE, the answer is yes, but...  There are a couple of consequences or caveats to that configuration that have to be understood.

 

1 - If we authenticate students to AD through ISE, then we can limit them to 1 session at a time.  However, that means if we ever authenticate staff through ISE, they will also be limited to 1 session.  We cannot selectively limit or not limit different users or groups that authenticate back to AD via ISE.  So going forward, there will need to be some alternate authentication infrastructure for staff users, since ACS is nearing end of life status.

 

2 - Whatever authentication method we decide on for students, it will have to be the same regardless of what kind of device they are using.  Unfortunately that brings us full circle to the same old Microsoft chicken/egg problem with wireless authentication.  That issue has to do with how Windows deals with "user logon time" processes like login scripts and group policy.  In short, we get around that problem today by having your Windows domain computers authenticate themselves to the wireless network prior to user login, so that when the user does log in there is a network connection present and login scripts will run.  That pre-user-login computer authentication will not work for non-Windows devices.

 

3 - If using Chromebooks, we've seen issues where those devices don't pass login credentials over to the wireless connection.  So those users will likely need to log in once to the device, then again to the wireless network.

 

The direction we go from here depends on exactly what kinds of devices are to be used by students, and if Windows is included in that mix, then do they need or not need login scripts to run when the user logs in?  If they do need login scripts, then I'm not sure if we will be able to implement a single SSID/Security combination that will accommodate all types of devices. 

 

My first thought is that we could use a captive portal setup, so that when a user opens their browser on any type of device they have to log in with AD credentials.  That will work on non-Windows devices, and Windows devices provided they don't need login scripts.

1 Accepted Solution

Accepted Solutions

You can have an SSID for guests and students. When guests log in they go to the internet, and when students log in you can require onboarding to a secure SSID requiring cert auth that can also be used by faculty who are onboarded through another management system.


5 Replies

Jason Kunst
Cisco Employee
Why not use the BYOD flow registration for students, which is default at 5 devices per user?

And faculty can use a different managed flow with a different setting not using BYOD registration?

Can you change the default for the BYOD flow from 5 devices to 1?

hslai
Cisco Employee

Yes. It can be set between 1 and 999.

[Screenshot attachment: Screen Shot 2018-10-24 at 9.29.16 AM.png]

jordanburnett
Level 4

I agree with the other posts. Set up one SSID for students and force them through the BYOD flow with device registration limited to one device. You don't want to have helpdesk employees maintain/do initial configuration of dot1x on student devices. 

 

You can either provision their native supplicant with a separate SSID so that their wireless is encrypted (WPA2-enterprise) or just inform them that if they're using WebAuth their OTA traffic won't be encrypted (they'll have to rely on TLS/SSL encrypted websites). 

 

Faculty/staff will authenticate against a separate SSID not tied to BYOD registration and thus won't be limited to a single device. 

 

Also, I've never heard of a school requiring a logon script for student/unmanaged/non-domain devices. 


However, I agree that it would be nice to get an authentication policy set up to where you could say "IF AD Group='One Device' then SessionLimit = 1" as customers are always asking for flexibility in this policy and it's currently only a global policy configuration. 
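The per-group limit the reply above wishes for ("IF AD Group='One Device' then SessionLimit = 1") can at least be audited out of band today. The script below is an added example, not code from ISE or from anyone in this thread; it reads a constructed, simplified session listing (the `key=value` layout, the group names and the MACs are all assumptions, not the real ISE syslog format) and reports users whose number of distinct endpoints exceeds their AD group's cap, leaving faculty and staff uncapped.

```python
from collections import defaultdict

# Per-AD-group device limits; None means unlimited (faculty/staff are not capped).
# These group names are assumptions for the example, not ISE defaults.
GROUP_LIMITS = {"Students": 1, "Faculty": None, "Staff": None}

# Constructed sample of active sessions in a simplified "key=value" layout
# (not the real ISE syslog format): user, AD group, endpoint MAC, SSID.
SAMPLE_SESSIONS = """\
User-Name=alice AD-Group=Students Calling-Station-ID=00:11:22:33:44:01 SSID=Student-WiFi
User-Name=alice AD-Group=Students Calling-Station-ID=00:11:22:33:44:02 SSID=Student-WiFi
User-Name=bob AD-Group=Students Calling-Station-ID=00:11:22:33:44:03 SSID=Student-WiFi
User-Name=prof.cho AD-Group=Faculty Calling-Station-ID=00:11:22:33:44:10 SSID=Staff-WiFi
User-Name=prof.cho AD-Group=Faculty Calling-Station-ID=00:11:22:33:44:11 SSID=Staff-WiFi
User-Name=prof.cho AD-Group=Faculty Calling-Station-ID=00:11:22:33:44:12 SSID=Staff-WiFi
"""


def parse_sessions(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        sessions.append(fields)
    return sessions


def devices_per_user(sessions):
    """Map (user, group) -> set of distinct endpoint MACs seen for that user."""
    seen = defaultdict(set)
    for s in sessions:
        key = (s["User-Name"], s["AD-Group"])
        seen[key].add(s["Calling-Station-ID"].lower())
    return seen


def over_limit(sessions, limits=GROUP_LIMITS):
    """Return {user: (group, device_count, limit)} for users above their group's cap.

    Groups missing from `limits` are treated as unlimited, matching the
    'only students are capped' requirement in the thread."""
    violations = {}
    for (user, group), macs in devices_per_user(sessions).items():
        limit = limits.get(group)
        if limit is not None and len(macs) > limit:
            violations[user] = (group, len(macs), limit)
    return violations


if __name__ == "__main__":
    for user, (group, n, limit) in over_limit(parse_sessions(SAMPLE_SESSIONS)).items():
        print(f"{user} ({group}) has {n} devices, limit is {limit}")
```

Feeding it the real session export from ISE would need a parser for that format, but the group-to-limit logic is the part the GUI does not offer.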
