08-15-2025 03:35 AM - edited 08-15-2025 04:03 AM
Hi all.
I'm sure this will be a simple one to answer. Using ISE 3.2 to authenticate users on wifi. Setting up a new policy for iPhones/iPads for corporate users. We want them to not be able to connect to this SSID with a personal device. We will be using 802.1X, with AD authentication so users log in with their own credentials, and this is all working fine.
Trying to add an additional condition saying "Only allow the user to connect if their iPhone name contains XXX" but can't seem to be able to do this. We have everything else set up in terms of certificates (the devices auto-trust the certificate so a bit pointless!), usernames etc., but you can connect personal phones to the SSID and we want to limit this to only our corporate devices.
Any help and advice gratefully received.
08-15-2025 03:40 AM - edited 08-15-2025 04:46 AM
@Daniel-Clark perhaps use Username CONTAINS XXX in an authorisation policy rule, i.e., -
Or if using username/password, match on the AD group the devices are a member of.
Or perhaps there is another unique attribute in the user's account attribute/certificate that can distinguish between the devices?
08-15-2025 03:59 AM
If you use a WLC 9800 then try using iPSK.
MHM
08-15-2025 04:04 AM
If you don't use a WLC 9800,
try adding the phone username/password to a different internal identity store,
then in AuthZ match on this internal identity.
MHM
08-15-2025 05:31 AM
Hello @Daniel-Clark ,
I think the best way to solve this is to authenticate corporate devices by machine certificate pushed from MDM/through group policy. This is a far stronger method of authentication than authenticating by device name + AD credentials. See the following configuration guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html
08-15-2025 06:21 AM
So, for what you want to do, I really don't know of a way other than what Torbjørn mentioned, using an MDM.
I'm not sure of the scale you are on, so there are some things you could do, but a lot of manual work. Such as making a group of just the MAC addresses of the devices, but with random MACs and such, that can be a pain.
A couple of questions to ask before making it a lot of work for yourself. Do these iPhones/iPads get internal access, and if so, why? And if they don't, then do you care if they connect a personal device?
I was looking through mine and even though you can get profiling with DHCP, I can't find the device name being picked up. So I don't see anything for an option by device name.