
Macbook profiling with radius and CoA

piotrPaszk
Level 1

Hello,

I would like to onboard (BYOD) on ISE all MacBooks in the organization using a single corporate SSID.

So I have to create a BYOD rule which somehow matches the MacBook endpoint profile in order to send it further for provisioning.

I know that might be difficult since at first there is only a RADIUS request sent, and the MacBook will probably not be recognized as a MacBook based only on that.

I have found an old post where someone proposes: "you can create a general Authz rule to allow limited access for an unknown endpoint. Once ISE receives the DHCP packets and profiles the device, it can send a CoA to reauthenticate the device and match the rule you already have"

I have no idea how to create that rule. Can someone help me with that, please, or give other clues to other solutions if they exist?

Accepted Solution

You will need to turn on device sensor.

I would assume the other devices in AD have certs, so they would pass a rule like "if certificate auth then permit"? So if you sent other devices to a portal for BYOD, they wouldn't hit it?

Please look at http://cs.co/ise-byod and also the WLC device sensor settings:
https://community.cisco.com/t5/security-documents/top-six-important-cisco-wlc-settings-for-ise-integration/ta-p/3643795


4 Replies

Francesco Molino
VIP Alumni

Hi

As per your first statement, you're talking about WiFi.

How do people authenticate over your corporate SSID? Cert or credentials?

I'm asking because if everyone is authenticating using certs, then you can create a rule saying that if someone authenticates using credentials (PEAP-MSCHAPv2), you push an authorization profile with a URL redirect to your BYOD portal.

I'll wait for your answer to help you more.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Jason Kunst
Cisco Employee

How are you authenticating your clients? Are you using Cisco wireless? If so, have you enabled device sensor? You can check the wireless best practices in the guides, which also include BYOD: http://cs.co/ise-guides

You didn't say what you wanted to happen to the other devices.

A simple example could be:

If certificate auth, then permit access.
If wireless dot1x and registered, then permit a different way.
If wireless dot1x and Mac OS X, then redirect to the BYOD NSP portal, where the user agent string is gleaned.

You can also set up your client provisioning rules to only match on Mac OS X; others are already permitted access, perhaps because they have no matching rule?

Hello :)

Thanks for the answer.

I am using wireless.

There are two SSIDs: "Corporate" and "Guest".

People are logging in like this:

"Corporate - SSID"

1. Windows AD users are using machine certificates (EAP-TLS); they get the corporate VLAN.

2. Those corporate users who are using unauthorized devices (not AD machines) but are AD users use PEAP and get the guest VLAN.

We have a growing number of users using MacBook Pros who want access to the corporate VLAN. Since the MacBooks are not in AD, I was planning to onboard them via BYOD on the same Corporate SSID (single SSID onboarding). But to match the policy they have to be profiled as MacBooks first. If there is a device which has never been recognized by ISE, there is only a RADIUS request to begin with, which will not be enough to match the MacBook profile. (Is it enough to enable accounting on the WLC to send all the information ISE needs to recognize a device as a MacBook?) The MacBook profile needs either DHCP or HTTP, so that has to be triggered somehow. Tell me if I am wrong?

So the idea was to do something to help ISE gather more information about the MacBook first (give it some limited access) and then, once the device is profiled, use CoA to reconnect to the same SSID again and begin the BYOD process.

(Is it enough to enable accounting on the WLC to send all the information ISE needs to recognize a device as a MacBook?)

If this is enough, then it is actually very simple with PEAP + MacBook profile ---- NSP
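Both Jason's rule list above and the flow described in this reply (limited access for an unprofiled endpoint, profiling from device-sensor data, CoA, re-authentication against the same ordered rules) can be traced through in a small simulation. The following Python is an added illustration, not Cisco ISE code and not something posted in this thread; the rule names, the "Apple-MacBook" profile name, the toy profiler that keys on a DHCP hostname or an HTTP user agent, and the constructed MAC address and sensor values are all assumptions.

```python
"""Simulate an ordered ISE-style authorization policy for a MacBook that is
onboarded on a single corporate SSID. Added illustration only: rule names,
profile names and the profiling logic are assumptions, not ISE's real model."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Endpoint:
    mac: str
    profile: str = "Unknown"        # endpoint policy as seen by ISE; "Unknown" until profiled
    byod_registered: bool = False   # set once the BYOD/NSP flow has completed


@dataclass
class AuthRequest:
    endpoint: Endpoint
    auth_method: str                # "EAP-TLS" or "PEAP-MSCHAPv2"
    wireless_dot1x: bool = True


# Ordered authorization rules (name, condition, result); first match wins.
# The limited-access rule for unprofiled endpoints sits below the specific rules,
# so a re-authentication after profiling lands on the specific rule instead.
RULES = [
    ("Corp-Certificate", lambda r: r.auth_method == "EAP-TLS",
     "PermitAccess, corporate VLAN"),
    ("BYOD-Registered", lambda r: r.wireless_dot1x and r.endpoint.byod_registered,
     "PermitAccess, corporate VLAN"),
    ("MacBook-Onboard", lambda r: r.wireless_dot1x and r.endpoint.profile == "Apple-MacBook",
     "Redirect to BYOD NSP portal"),
    ("Unknown-Limited", lambda r: r.endpoint.profile == "Unknown",
     "Limited access (DHCP/DNS and HTTP to the portal only) so probe data can arrive"),
    ("Default-Guest", lambda r: True,
     "Guest VLAN"),
]


def authorize(req: AuthRequest) -> Tuple[str, str]:
    """Evaluate the ordered rule list and return (rule name, result)."""
    for name, cond, result in RULES:
        if cond(req):
            return name, result
    raise AssertionError("the catch-all rule must always match")


def profile_from_sensor(ep: Endpoint, dhcp_hostname: Optional[str] = None,
                        user_agent: Optional[str] = None) -> bool:
    """Toy profiler standing in for the DHCP and HTTP data that device sensor
    forwards. Returns True when the profile changed, i.e. when ISE would send
    a CoA to re-authenticate the endpoint (assumed matching, not ISE's rules)."""
    before = ep.profile
    if user_agent and "Macintosh" in user_agent:
        ep.profile = "Apple-MacBook"
    elif dhcp_hostname and "macbook" in dhcp_hostname.lower():
        ep.profile = "Apple-MacBook"
    return ep.profile != before


def onboard_flow(ep: Endpoint) -> List[str]:
    """Rules hit by a MacBook on the corporate SSID: the first PEAP request,
    then one CoA re-authentication each time the profile changes."""
    req = AuthRequest(ep, "PEAP-MSCHAPv2")
    hits = [authorize(req)[0]]                          # initial request, endpoint still Unknown
    # constructed sensor data: DHCP hostname arrives first, HTTP user agent later
    if profile_from_sensor(ep, dhcp_hostname="Annas-MacBook-Pro"):
        hits.append(authorize(req)[0])                  # CoA re-auth after DHCP profiling
    if profile_from_sensor(ep, user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)"):
        hits.append(authorize(req)[0])                  # profile unchanged, so no further CoA
    return hits


if __name__ == "__main__":
    mac = Endpoint("a4:83:e7:00:00:01")   # constructed address
    print(onboard_flow(mac))              # ['Unknown-Limited', 'MacBook-Onboard']
    mac.byod_registered = True            # after NSP finishes
    print(authorize(AuthRequest(mac, "PEAP-MSCHAPv2")))
```

The order of the rule list is the point: the limited-access rule sits below the certificate, registered and MacBook rules, so the first PEAP request from an unknown endpoint lands on it, and the CoA re-authentication after profiling lands on the redirect rule instead. The limited-access result must actually let DHCP and the portal HTTP through; otherwise the probes never see the data that changes the profile, and the endpoint stays Unknown on every re-authentication.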
