Prevent Mobile Phones from Joining Corp WIFI with AD Credentials

alfred
Level 1

Good day,

How do I prevent corporate users from using their AD credentials on their BYOD devices joining the domain using Cisco ISE? There is a guest WIFI that they can use for free. Would appreciate input here as I am new to Cisco ISE.

Accepted Solution

Arne Bier
VIP

If you require EAP-PEAP for endpoints other than the BYOD devices, then you will need to be a bit more strict during Authorization.

In practice, that means that if you have an ISE Wireless 802.1X Policy Set, you can add a condition for it so that EAP-PEAP uses AD Authentication (if that's what you're using).

And for Authorization, have a Rule that allows the endpoint if it's a member of Domain Computers.

Then check all remaining Authorization conditions and make sure that a user's creds will never pass authorization.

If you have some VIP employees, create an AD Group for them and make them a member of that group - then only those users can use their personal devices for BYOD.

EAP-PEAP is a quick and dirty way to get onto the network - but things start going wrong when employees change their password and then forget to change it on the BYOD devices - oftentimes this unintentional situation causes the AD user's account to be locked due to too many attempts. Be warned.

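Added example, not from the thread or from Cisco: a small Python check for the lockout pattern Arne warns about (one AD user repeatedly failing PEAP from the same endpoint after a password change). The records and field names below are constructed and simplified; they are not ISE's real syslog layout.

```python
"""Flag (user, endpoint MAC) pairs that fail PEAP repeatedly in a short window.

Such a pair is the usual signature of a BYOD device still holding an old AD
password, which is what drives the account lockouts described in the answer.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (simplified layout; field names are assumptions).
SAMPLE_LOG = r"""
2024-05-02T08:00:01 FAILED user=CORP\jsmith mac=AA:BB:CC:00:11:22 proto=PEAP reason=wrong-password
2024-05-02T08:00:31 FAILED user=CORP\jsmith mac=AA:BB:CC:00:11:22 proto=PEAP reason=wrong-password
2024-05-02T08:01:02 FAILED user=CORP\jsmith mac=AA:BB:CC:00:11:22 proto=PEAP reason=wrong-password
2024-05-02T08:05:00 FAILED user=CORP\adoe mac=DD:EE:FF:33:44:55 proto=PEAP reason=wrong-password
2024-05-02T09:40:00 FAILED user=CORP\adoe mac=DD:EE:FF:33:44:55 proto=PEAP reason=wrong-password
2024-05-02T08:06:00 FAILED user=CORP\LAPTOP01$ mac=00:11:22:33:44:55 proto=PEAP reason=wrong-password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) FAILED user=(?P<user>\S+) mac=(?P<mac>\S+) proto=(?P<proto>\S+)"
)


def parse(log_text):
    """Yield (timestamp, user, mac, proto) for every record that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["mac"], m["proto"]


def stale_credential_devices(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: [mac, ...]} for endpoints with `threshold` or more PEAP
    failures for that user inside any `window`-long span (sliding window per pair)."""
    failures = defaultdict(list)
    for ts, user, mac, proto in parse(log_text):
        if proto == "PEAP":
            failures[(user, mac)].append(ts)
    flagged = defaultdict(list)
    for (user, mac), stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[user].append(mac)
                break  # one hit is enough to report this endpoint
    return dict(flagged)


if __name__ == "__main__":
    for user, macs in stale_credential_devices(SAMPLE_LOG).items():
        print(f"{user}: check for stale password on {', '.join(macs)}")
```

Only jsmith's phone is reported: adoe's two failures are far apart, and the machine account fails just once.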

2 Replies

A couple of options:

  • (best and most secure way) Switch to EAP-TLS using certificates and don't use username/passwords at all. Disable PEAP at the allowed protocol level.
  • Use computer authentication only (not user). Device must auth using its machine account.
  • Use profiling to only allow certain device types.
