10-24-2022 05:41 AM - edited 10-24-2022 05:46 AM
Good day,
How do I prevent corporate users from using their AD credentials on their BYOD devices joining the domain using Cisco ISE, there is a guest WIFI that they can use for free. Would appreciate input here as I am new to Cisco ISE.
10-24-2022 09:05 PM
If you require EAP-PEAP for endpoints other than the BYOD devices, then you will need to be a bit more strict during Authorization.
In practice, that means that if you have an ISE Wireless 802.1X Policy Set, you can add an authentication condition that EAP-PEAP should use AD authentication (if that's what you're using).
And for authorization, have a rule that allows the endpoint if it's a member of Domain Computers.
Then check all remaining Authorization conditions and make sure that a user's creds will never pass authorization.
If you have some VIP employees, create an AD Group for them and make them a member of that group - then only those users can use their personal devices for BYOD.
EAP-PEAP is a quick and dirty way to get onto the network, but things start going wrong when employees change their password and then forget to change it on the BYOD devices. Oftentimes this unintentional situation causes the AD user's account to be locked due to too many attempts. Be warned.
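The answer above describes an ordered set of authorization rules: machine authentication against Domain Computers is permitted, a VIP AD group is allowed BYOD, and everything else (in particular a plain user credential on a personal device) must fall through to a deny. The following is an added example, not part of the original thread and not Cisco ISE configuration or any ISE API: it is a plain-Python model of that first-match policy evaluation so the rule ordering can be checked before it is built in the ISE GUI. The group DNs, the identity names, the authorization profile names and the failed-authentication records are all constructed for the example. The second function models the lockout caveat: it scans failed-authentication records and flags a user that keeps failing from the same endpoint MAC, which is what a stale password on a forgotten BYOD device looks like.

```python
"""Constructed model of the ISE authorization logic described in the answer.

This is not ISE configuration and does not talk to ISE. It simulates
top-down, first-match rule evaluation with a default deny, so the rule
order can be tested against sample sessions. All names are assumptions.
"""
from dataclasses import dataclass, field

# Assumed AD group DNs (hypothetical; substitute your own directory groups).
DOMAIN_COMPUTERS = "CN=Domain Computers,CN=Users,DC=example,DC=com"
BYOD_VIP_GROUP = "CN=BYOD-VIP,OU=Groups,DC=example,DC=com"


@dataclass
class Session:
    """Attributes ISE would know after authentication (constructed)."""
    identity: str                    # "host/PC01.example.com" or "alice"
    eap_method: str                  # e.g. "EAP-PEAP"
    ad_groups: list = field(default_factory=list)
    auth_ok: bool = True             # False if the AD bind failed


def is_machine_identity(identity):
    """AD machine authentication identities take the form host/<fqdn>."""
    return identity.lower().startswith("host/")


def rule_corp_machine(s):
    """Corporate laptop: PEAP machine auth and the computer object is in Domain Computers."""
    return (s.eap_method == "EAP-PEAP"
            and is_machine_identity(s.identity)
            and DOMAIN_COMPUTERS in s.ad_groups)


def rule_byod_vip(s):
    """Personal device of an explicitly allowed user: PEAP user auth and VIP group."""
    return (s.eap_method == "EAP-PEAP"
            and not is_machine_identity(s.identity)
            and BYOD_VIP_GROUP in s.ad_groups)


# Evaluated top-down; first match wins. Assumed authorization profile names.
AUTHZ_RULES = [
    ("Corp-Machine", rule_corp_machine, "PermitAccess"),
    ("BYOD-VIP", rule_byod_vip, "BYOD-Access"),
]
DEFAULT_RESULT = "DenyAccess"


def authorize(session):
    """Return (rule name, result) for a session. Plain user creds on an
    unmanaged device match nothing and hit the default deny."""
    if not session.auth_ok:
        return ("Authentication-Failed", "Reject")
    for name, cond, result in AUTHZ_RULES:
        if cond(session):
            return (name, result)
    return ("Default", DEFAULT_RESULT)


# Constructed failed-authentication records: (username, calling-station-id).
FAILED_AUTH_RECORDS = [
    ("alice", "aa:bb:cc:dd:ee:01"),
    ("alice", "aa:bb:cc:dd:ee:01"),
    ("alice", "aa:bb:cc:dd:ee:01"),
    ("bob", "aa:bb:cc:dd:ee:02"),
]


def stale_credential_suspects(records, threshold=3):
    """Users failing repeatedly from one endpoint MAC: the pattern of a
    device still holding an old password, which drives AD lockouts."""
    counts = {}
    for user, mac in records:
        counts[(user, mac)] = counts.get((user, mac), 0) + 1
    return sorted((u, m, n) for (u, m), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for s in (Session("host/PC01.example.com", "EAP-PEAP", [DOMAIN_COMPUTERS]),
              Session("alice", "EAP-PEAP", ["CN=Domain Users,CN=Users,DC=example,DC=com"]),
              Session("bob", "EAP-PEAP", [BYOD_VIP_GROUP])):
        print(s.identity, "->", authorize(s))
    print(stale_credential_suspects(FAILED_AUTH_RECORDS))
```

The point of the model is the ordering: any rule that permits on user identity alone (for example "Domain Users") would sit above the default and let every employee bring a personal device in, so the only user-based permit is the narrow VIP group. In ISE the same check is done by walking the Authorization rules of the policy set from top to bottom with a test session in mind.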
10-24-2022 07:09 AM
A couple of options: