My Devices Maximum Number of Devices Enhancement?

Patrick Lloyd
Cisco Employee

I have a federal customer who is unable to use redirection ACLs for guests due to STIG requirements. They would like to use My Devices instead, with devices registered to their badging office and the ability for the badging office to create, delete, etc. The problem with this is the limitation of 100 devices being the limitation in ISE 1.4 of the maximum number of devices a single user (badging officer) can enter. Has there been any talk about increasing this to a larger number? I know this isn't the typical use case, but it could be useful for other customers who have this STIG requirement.

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee

So it's against them to use redirect, but it's not a security issue if they are simply registering MAC addresses that can be easily spoofed?

No, this has not been lifted, and I am not sure if it's the best scenario for what you're looking to do. My Devices portal is for a specific person to register devices for themselves. It's not for an admin or lobby person to add devices for someone else.

What about sponsors creating guest accounts and having the users log in via dot1x? This can also be initiated by the badge officer through an API call to the ISE Guest ERS API.

Or it seems you might be wanting to manually enter MAC addresses for the visiting person's devices? This requires someone to find their MAC address and provide it without messing up a digit. Right now the best integration would be to have the badging system reach out to the ERS API and register the MAC address into an endpoint group on ISE to be granted access via MAB.

Feature requests go to the ISE Product Marketing Team internally.


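The badging-system integration Jason describes (register the visitor's MAC into an ISE endpoint group over ERS, then let MAB match on that group), as an added example that is not part of this thread or Cisco's code. The resource path and ERSEndPoint payload keys follow Cisco's ERS endpoint API; the ISE hostname, ERS credentials and endpoint group ID are placeholders, and the MAC normaliser is there to reject the "messed up a digit" case before anything reaches ISE.

```python
"""Register a visitor's MAC as a static member of an ISE endpoint group via ERS.
Example code added to the thread; host, credentials and group ID are placeholders."""
import base64
import json
import re
import urllib.request

ISE_HOST = "ise.example.com"                               # placeholder PAN with ERS enabled
ERS_USER, ERS_PASS = "ers-admin", "***"                    # placeholder ERS admin credentials
GUEST_GROUP_ID = "00000000-0000-0000-0000-000000000000"    # placeholder endpoint group ID

_MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff
    and return ISE's colon-separated upper-case form. Anything that is not
    exactly 12 hex digits raises ValueError, so a mistyped MAC never gets posted."""
    digits = re.sub(r"[:\-.\s]", "", raw).upper()
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a valid MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_endpoint_payload(raw_mac: str, group_id: str, visitor: str) -> dict:
    """ERSEndPoint body. staticGroupAssignment pins the endpoint to the group so
    profiling cannot move it; the MAB authorization rule matches on that group."""
    mac = normalize_mac(raw_mac)
    return {"ERSEndPoint": {
        "name": mac,
        "description": f"visitor badge: {visitor}",
        "mac": mac,
        "staticGroupAssignment": True,
        "groupId": group_id,
    }}


def register_endpoint(raw_mac: str, visitor: str) -> str:
    """POST the endpoint to ERS and return the Location header of the new object.
    urlopen raises HTTPError on 4xx/5xx (e.g. 400 if the MAC already exists)."""
    body = json.dumps(build_endpoint_payload(raw_mac, GUEST_GROUP_ID, visitor)).encode()
    token = base64.b64encode(f"{ERS_USER}:{ERS_PASS}".encode()).decode()
    req = urllib.request.Request(
        f"https://{ISE_HOST}:9060/ers/config/endpoint", data=body, method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:   # 201 Created on success
        return resp.headers.get("Location", "")


if __name__ == "__main__":
    print(register_endpoint("aabb.ccdd.eeff", "visitor 1234"))
```

Because the whole trust decision rests on a MAC that anyone can copy, the endpoint group should carry only the minimal guest authorization and entries should be deleted when the badge is returned.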
4 Replies


Hi Jason,

Thanks for the input here. The biggest issue that the customer runs into is that STIG denotes they cannot use a redirection ACL at all. As you know, with any guest portal that they're using, they would need to use the CWA or LWA functionalities, both against federal STIG requirements. They don't really have an appetite to use the APIs for entering MAC addresses, as they don't have developers in house and would need to do all of that themselves. So the workaround that they looked into was using My Devices to add users to a whitelist, in a guest container that it was configured to put the devices into.

Understood that this isn't the best solution and there's a lot of "buts", but at the same time, their hands are tied from federal mandates. Is there another better solution that wouldn't use redirection whatsoever?

Thanks for your help!

-- Patrick

Yes, what about creating guest accounts via the sponsor portal and having them connect using dot1x? There is no redirect, and this is more secure than straight MAB, which can be spoofed.

If this is not an option, please summarize the issues in the discussion and get me the opportunity info, and I will get you in touch with the PMs on this matter.

Hi Jason,

Thanks again. The limitation that the customer has brought up about dot1x is that it implies configuring the dot1x supplicant on their machine, which may not be possible due to most government entities locking down admin rights on machines, i.e. not giving it to the average user. They're, for the moment, going to use multiple employee accounts to give access, at least for their pilot phase, and then reevaluate. It might be best that I put in an enhancement request for this; if we can copy in the PMs, that would be best. Not sure how that works in this new community system, whether it is just shared with them, or otherwise.