Time of Day per User Application Restriction

Jason Tyler
Cisco Employee

For Customer RFP response - A customer would like to authenticate wireless users, who may be on laptops or smart devices (iPad/iPhone and similar), and apply an AVC profile to a FlexConnect wireless client.

But for certain times of the day, they would then restrict the users to only certain applications.

The example being schools.

During lesson time they want to allow applications for classroom use and block internet, but during breaks, potentially allow internet and other applications, and then restrict again when back in class sessions.

Is there an easy method within ISE to achieve this?

If you authenticate and have AAA override with AVC profiles pushed to clients, would you then need to force a re-auth in order for any new AVC profiles to be pushed for different times of day?

Or, would you need to have a constant posture assessment on to evaluate client devices and allow apps?

Or, could you allow applications on a per-location basis? Therefore, if in classroom, allow apps x, y, z, or if not in classroom, allow apps a, b, c? I assume you would need pretty good location capability for this?

Open to any suggestions of a good approach.

Many thanks,

Jason

1 Accepted Solution

ISE can’t control the app usage time; like Hsing said, that would be MDM possibly.

But we can control access to the resources in the network, either by time in the authz rules or by location (with MSE 8 integration). You could assign a tag to the permissions and use WSA policy to restrict which internet sites are reachable. This tag could also restrict at the datacenter as well. This would be SGT (TrustSec) tagging.

This could also be done with ACL or VLAN on the internal networks.

4 Replies

Jason Kunst
Cisco Employee

Are the applications actual apps on the device or are they applications they access in the internal environment?

Meaning if we blocked internet in the network (using authz rules) and allowed internal site access while in the classroom would this work?

Or they want to restrict actual apps from usage on the Mobile devices?

I believe that there could be a combination of both.

So, for example, they may wish to block YouTube, for example, during lesson time, but allow it during breaks.

But also, allow access to apps on the devices themselves whilst in class, but not during break.

Apologies I cannot give you more information as yet, as this was a very quick question during an RFP conversation.

Many thanks

No problems Jason, this is as I suspected, but I just wanted to confirm.

Many thanks,

j