
Network Restriction for Non Company Machines

Dear All,

I wonder if anyone has already worked on something similar to the following and could point me in the right direction for documents to read and things to bear in mind.

We have many small remote offices as well as our main HQ where we "hear" about people using their own devices on our wired network. Currently we do not wish to have BYOD on our network and want a method where we can restrict wired network access only to company machines.

We are not currently pursuing a more complex NAC solution of checking virus updates etc., but rather an on/off solution, i.e. company machine gains access, non company machine can't gain access.

One issue we have is we don't really want to go down the port security road with configured MACs on switch ports as we have many areas that can be used for "hot desking".

Would appreciate any info relating to the above.

Many thanks in advance,



Funny you said that because I am building the same solution as you. My initial deployment is "restrict wired network access only to company machines". I just finished my testing with this and it is not difficult at all.

That is relatively simple to deploy. Here is what I would do if I were you, if you want a redundant solution:

1- have a Windows 2008R2 active directory in your environment,

2- purchase 4 ISE appliances ISE1, ISE2, ISE3 and ISE4. Depending on the size of your company, it is either ISE 3315 or 3395. ISE1 will be Primary admin & Secondary Monitoring. ISE2 will be Secondary admin and Primary Monitoring. ISE3 and ISE4 will be Policy Service,

3- Integrate ISE with your Active Directory,

4- Configure your switch to talk to ISE but set up your switch only in "monitor" mode for a few weeks so that you know which devices on the network can support 802.1x and which can not. Printers usually can not do 802.1x, so you will need to put them in MAC Address Bypass (MAB).

5- Turn on the Windows Supplicant "Wired Config" Service and enable the default 802.1x. The default is "user or machine authentication", that will work,

6- Setup Authentication and Authorization rules in ISE,

7- Now log in to a Windows 7 machine that is connected to a switchport configured for 802.1x in "monitor" mode and you will see success for "machine" authentication first and then "user" authentication after that, assuming you have everything configured correctly.

8- Once you decide to go "close" mode or so called "high impact" mode, you will configure the switch not to connect any non-corporate devices that are not both "machine" and "user" authenticated.

That is a high level but that's what I've done so far.
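
Illustrating steps 4 and 8 above with a Cisco IOS access-switch configuration (an added example, not David's configuration or a Cisco reference config; the interface names, VLAN, 192.0.2.x addresses and shared secret are placeholders):

```cisco
! Global AAA/RADIUS pointing at the two Policy Service nodes (ISE3/ISE4 above).
! Addresses and the shared secret are placeholders, not values from this thread.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 192.0.2.13 server-key PLACEHOLDER-SHARED-SECRET
 client 192.0.2.14 server-key PLACEHOLDER-SHARED-SECRET
dot1x system-auth-control
radius server ISE3
 address ipv4 192.0.2.13 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
radius server ISE4
 address ipv4 192.0.2.14 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
! Step 4, MONITOR mode: 802.1X and MAB run and every result is logged in ISE,
! but "authentication open" forwards traffic whether or not the endpoint passed.
! Review the ISE live log during this phase to find devices that need a MAB entry.
interface GigabitEthernet1/0/1
 description Hot-desk port (monitor mode)
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! Step 8, CLOSED mode: the same port with "authentication open" removed. Only an
! endpoint that passes 802.1X, or a MAC that ISE authorizes via MAB, gets access;
! the "both machine and user authenticated" condition itself is enforced in the
! ISE authorization policy, not on the switch.
interface GigabitEthernet1/0/2
 description Hot-desk port (closed mode)
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

While in monitor mode, `show authentication sessions interface GigabitEthernet1/0/1` on the switch and the ISE live log show which endpoints passed 802.1X, which fell back to MAB, and which would be blocked once the port is closed.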

Hi David,

Many thanks for the information, it's definitely something I'll investigate further.

Kind regards,

