Beginner

Re: VPN ISE - corporate devices

Edon, when you have a chance, can you elaborate on what those technologies mean?

Thanks in advance!

Enthusiast

Re: VPN ISE - corporate devices

To identify corporate assets I used AD probe, here is a link from Katherine: http://www.network-node.com/blog/2017/2/19/17-the-active-directory-probe she has some great material there. This only works for windows, for macOS my company uses Airwatch to manage macOS, so I integrated that.

Beginner

Re: VPN ISE - corporate devices

Could you show a screenshot of the AuthZ policy?

This is what I currently have:

[Screenshot of the current AuthZ policy: Screen Shot 2017-08-25 at 3.36.21 PM.png]

I'm guessing I'll need another line that is like... Endpoints:LogicalProfile NOT-EQUALS to AD-Joined-Logical, that sends non-company machines to a different profile.

I'm guessing I'll also need to add some logic so Macs get excluded from this.

Any good links or explanations on how the MDM works?

Enthusiast

Re: VPN ISE - corporate devices

First off, your company would need to have some kind of MDM. Here's a link for an example; she has a bit more on it, like BYOD and stuff. I've created a policy where it only checks if the device is in MDM (mobile device management, but we manage our Mac devices with it too). Example is Airwatch.

Beginner

Re: VPN ISE - corporate devices

We use JAMF for the Mac side management. I'd be interested to see how you integrated ISE with your MDM to check its device inventory.

Did you have separate AuthZ policies for Windows and MAC?

The way I envision it is something like....

---------------------------------

OS=Windows

AND

Endpoints:LogicalProfile EQUALS to AD-Joined


Then assign a compliant profile.

---------------------------------

---------------------------------

OS=Windows

AND

Endpoints:LogicalProfile NOT-EQUALS to AD-Joined


Then assign a non-compliant profile.

---------------------------------

---------------------------------

OS=MAC

AND

Exists-in-MDM = TRUE


Then assign a compliant profile.

---------------------------------

---------------------------------

OS=MAC

AND

Exists-in-MDM NOT-EQUALS TRUE


Then assign a non-compliant profile.

---------------------------------

Enthusiast

Re: VPN ISE - corporate devices

Yes, but it could be done more simply:
Endpoints:LogicalProfile EQUALS to AD-Joined = compliant-windows (macOS won't match this policy)
Exists-in-MDM = TRUE = compliant MAC (Windows won't match this policy)
all else = non-compliant profile
Looks like JAMF is supported by ISE:
https://www.cisco.com/c/m/en_us/products/security/technical-alliance-partners.html The way it works is that ISE accesses the MDM API; here's a thread: https://www.jamf.com/jamf-nation/discussions/22145/cisco-ise-2-1-integration Let me know once you get API access (create a local account on JAMF that has API access), then add it from Administration - Network Resources - External MDM.
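To make the difference between the four-rule sketch in the question and the three-rule version in this reply concrete, here is an added example (not from the thread and not Cisco ISE code) that evaluates both rule sets first-match over a handful of constructed endpoint attribute sets. It assumes an attribute dictionary with `os`, `LogicalProfile` and `Exists-in-MDM` keys, mirroring the attribute names used in the thread, and it shows that the four-rule sketch has no rule at all for an endpoint whose OS is neither Windows nor Mac, while the catch-all in the simplified version sends it to the non-compliant profile.

```python
# Added example: first-match evaluation of the two AuthZ rule sets discussed
# above. Attribute names follow the thread; the endpoints are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Endpoint = Dict[str, object]


@dataclass
class Rule:
    name: str
    condition: Callable[[Endpoint], bool]
    profile: str


# Four-rule sketch from the question: OS AND logical-profile / MDM check.
FOUR_RULES: List[Rule] = [
    Rule("win-joined", lambda e: e["os"] == "Windows" and e["LogicalProfile"] == "AD-Joined", "compliant-windows"),
    Rule("win-not-joined", lambda e: e["os"] == "Windows" and e["LogicalProfile"] != "AD-Joined", "non-compliant"),
    Rule("mac-in-mdm", lambda e: e["os"] == "MAC" and e["Exists-in-MDM"] is True, "compliant-mac"),
    Rule("mac-not-in-mdm", lambda e: e["os"] == "MAC" and e["Exists-in-MDM"] is not True, "non-compliant"),
]

# Simplified version from the reply: two positive matches plus a catch-all.
THREE_RULES: List[Rule] = [
    Rule("ad-joined", lambda e: e["LogicalProfile"] == "AD-Joined", "compliant-windows"),
    Rule("in-mdm", lambda e: e["Exists-in-MDM"] is True, "compliant-mac"),
    Rule("default", lambda e: True, "non-compliant"),
]


def authorize(rules: List[Rule], endpoint: Endpoint) -> Optional[str]:
    """Return the profile of the first rule whose condition holds, else None."""
    for rule in rules:
        if rule.condition(endpoint):
            return rule.profile
    return None  # no rule matched: the sketch leaves this endpoint undecided


# Constructed endpoints covering corporate, BYOD and an unexpected OS.
ENDPOINTS: Dict[str, Endpoint] = {
    "win-corp": {"os": "Windows", "LogicalProfile": "AD-Joined", "Exists-in-MDM": False},
    "win-byod": {"os": "Windows", "LogicalProfile": "Workstation", "Exists-in-MDM": False},
    "mac-corp": {"os": "MAC", "LogicalProfile": "Workstation", "Exists-in-MDM": True},
    "mac-byod": {"os": "MAC", "LogicalProfile": "Workstation", "Exists-in-MDM": False},
    "linux-unknown": {"os": "Linux", "LogicalProfile": "Unknown", "Exists-in-MDM": False},
}


def compare() -> Dict[str, tuple]:
    """Map each endpoint name to (four-rule result, three-rule result)."""
    return {n: (authorize(FOUR_RULES, e), authorize(THREE_RULES, e)) for n, e in ENDPOINTS.items()}
```

Both rule sets agree on the Windows and Mac cases; only the catch-all decides the Linux endpoint, which is why the reply's "all else = non-compliant" line matters.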