03-24-2017 01:31 PM
For a customer RFP response: a customer would like to authenticate wireless users, which may be on laptops or smart devices (iPad/iPhone and similar), and apply an AVC profile to a FlexConnect wireless client.
But for certain times of the day, then restrict the users only to certain applications.
The example being schools.
During lesson time they want to allow applications for classroom use and block internet, but during breaks, potentially allow internet and other applications, and then restrict again when back in class sessions.
Is there an easy method within ISE to achieve this?
If you authenticate and have AAA override with AVC profiles pushed to clients, then would you need to force a re-auth in order for any new AVC profiles to be pushed for different times of day?
Or, would you need to have a constant posture assessment on to evaluate client devices and allow apps?
Or, could you allow applications on a per-location basis, so that if in the classroom, allow apps x, y, z, or if not in the classroom, allow apps a, b, c? I assume you would need pretty good location capability for this?
Open to any suggestions of a good approach.
Many thanks,
Jason
03-24-2017 01:34 PM
Are the applications actual apps on the device or are they applications they access in the internal environment?
Meaning, if we blocked internet in the network (using authz rules) and allowed internal site access while in the classroom, would this work?
Or do they want to restrict actual apps from usage on the mobile devices?
03-24-2017 01:38 PM
I believe that there could be a combination of both.
So, for example, they may wish to block YouTube during lesson time, but allow it during breaks.
But also, allow access to apps on the devices themselves whilst in class, but not during break.
Apologies I cannot give you more information as yet, as this was a very quick question during an RFP conversation.
Many thanks
03-24-2017 01:46 PM
ISE can’t control the app usage time; like Hsing said, that would be MDM possibly.
But we can control access to the resources in the network, either by time in the authz rules or by location (with MSE 8 integration). You could assign a tag to the permissions and restrict, using WSA policy, which internet sites are accessible. This tag could also restrict at the datacenter as well. This would be SGT (TrustSec) tagging.
This could also be done with ACL or VLAN on the internal networks.
03-24-2017 01:51 PM
No problems Jason, this is as I suspected, but just wanted to confirm.
Many thanks,
j