11-03-2017 06:50 PM - edited 02-21-2020 06:38 AM
Hello to one and all.
Working on a project; I need to restrict access to a network. End users that are domain joined, as well as mobile users, can access the network, i.e. "users that have the Cisco AnyConnect app" using AD credentials.
What would be best practice for restricting access for the mobile users?
These are some methods I have come across.
Any input would be greatly appreciated.
11-03-2017 07:46 PM
If you have an MDM, that's the best option for restricting mobile device access. It does require ISE Apex licensing to integrate with your MDM (via API).
Mobile users on BYOD or remote corporate laptops won't normally be covered by your MDM (though I believe Meraki Systems Manager might do this).
GPOs of course only apply to domain machines. That said, it's pretty simple to check for domain membership in ISE.
Certificates for end users and machines work OK but if you don't have a CA it may be more than you want to take on to establish the whole PKI infrastructure internally.
11-06-2017 04:37 AM
Thank you, Marvin, for your reply.
What would be the best solution for devices that are not owned by the company and are BYOD?
My main goal is how I can filter BYOD devices vs. corporate devices, in a way where users are able to give some sort of "data", "MAC", or some kind of unique identifier for mobile devices that I can filter on.
Thank you.
11-06-2017 07:23 PM
Well you start with looking for domain membership (remote laptops corporate-owned). They get one AuthZ policy result.
Then, if you have an MDM and Apex license, check for corporate mobile devices. They get another AuthZ result (or maybe the same one depending on your policy).
Anything that doesn't match one of the above gets a more restrictive AuthZ.
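To make the ordering in that reply concrete, here is an added toy model of a first-match authorization policy (not ISE configuration or anyone's posted code): the session attributes, rule names and AuthZ profile names are hypothetical stand-ins, and the sample sessions are constructed by hand.

```python
"""Toy model of a top-down, first-match authorization policy.

Added illustration only: rule names, attribute names and AuthZ profile
names are hypothetical, and the sample sessions are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Session:
    """Attributes a VPN session might carry after authentication (constructed)."""
    user: str
    domain_joined: bool = False    # stands in for an ISE domain-membership check
    mdm_registered: bool = False   # stands in for an MDM API lookup (needs Apex)


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str                    # AuthZ profile name (hypothetical)


# Evaluated top-down; the first matching rule wins, as in an ISE policy set.
POLICY: List[Rule] = [
    Rule("Corp_Domain_Laptop", lambda s: s.domain_joined, "PERMIT_FULL"),
    Rule("Corp_Mobile_MDM", lambda s: s.mdm_registered, "PERMIT_MOBILE"),
]
# Anything that matches nothing above (e.g. BYOD with valid AD creds) lands here.
DEFAULT_RESULT = "PERMIT_RESTRICTED"


def authorize(session: Session, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (matched rule name, AuthZ result) for a session; fail to the restrictive default."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.result
    return "Default", DEFAULT_RESULT


# Constructed sample sessions, one per case the reply describes.
SAMPLES = {
    "corp_laptop": Session("alice", domain_joined=True),
    "corp_phone": Session("bob", mdm_registered=True),
    "byod_phone": Session("carol"),  # valid AD creds, no domain or MDM evidence
}

if __name__ == "__main__":
    for label, s in SAMPLES.items():
        print(f"{label:>12}: {authorize(s)}")
```

The point the model shows is that the BYOD case is never named explicitly: it is whatever falls through to the default, so the default must be the most restrictive profile.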