1894 Views, 0 Helpful, 3 Replies

Cisco ISE filtering mobile devices.

Jordan Taylor
Level 1

Hello to one and all. 

Working on a project; I need to restrict access to a network. End users that are domain joined, as well as mobile users, can access the network, i.e. "users that have the Cisco AnyConnect app" using AD credentials.

What would be best practice for restricting access for the mobile users?


  • MDM Server 
  • CA Certs 
  • GPO 

These are some methods I have come across. 

Any input would be greatly appreciated.

3 Replies

Marvin Rhoads
Hall of Fame

If you have an MDM that's the best option for restricting mobile device access. It does require ISE Apex licensing to integrate with your MDM (via API).


Mobile users on BYOD or remote corporate laptops won't normally be covered by your MDM (though I believe Meraki Systems Manager might do this).


GPOs of course only apply to domain machines. That said, it's pretty simple to check for domain membership in ISE.


Certificates for end users and machines work OK but if you don't have a CA it may be more than you want to take on to establish the whole PKI infrastructure internally.

Thank you, Marvin, for your reply. 

What would be the best solution for devices that are not owned by the company and are BYOD?

My main goal is: how can I filter BYOD devices vs. corporate ones, in a way where users are able to give some sort of "data", "MAC" or some kind of unique identifier for mobile devices that I can filter on?


Thank you. 

Well, you start by looking for domain membership (corporate-owned remote laptops). They get one AuthZ policy result.


Then, if you have an MDM and Apex license, check for corporate mobile devices. They get another AuthZ result (or maybe the same one depending on your policy).


Anything that doesn't match one of the above gets a more restrictive AuthZ.
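The three-step rule order in the reply above (domain membership first, then MDM-managed mobile devices, then a restrictive catch-all) is a first-match policy, so its security depends on the catch-all being evaluated last. The following is an added example, not code from the thread or from Cisco ISE: it simulates that evaluation order in Python and includes a check that the catch-all really is the final rule. The `Session` fields, rule names and authorization profile names are constructed for illustration and are not ISE's real attribute dictionary or profile names.

```python
"""Simulation of a first-match authorization rule set (constructed example)."""
from dataclasses import dataclass


@dataclass
class Session:
    """Constructed view of what the policy engine knows about one endpoint."""
    user: str
    domain_joined: bool = False      # machine/user authenticated against AD
    mdm_registered: bool = False     # MDM integration reports device as managed
    mdm_compliant: bool = False      # MDM integration reports device as compliant


# Rules are evaluated top-down; the first condition that matches decides the
# result. The last rule is a catch-all that applies to everything else.
AUTHZ_RULES = [
    ("Corp-Domain-Laptops",
     lambda s: s.domain_joined,
     "PermitAccess-Corp"),
    ("Corp-Mobile-MDM",
     lambda s: s.mdm_registered and s.mdm_compliant,
     "PermitAccess-Corp"),
    ("Default",
     lambda s: True,
     "Restricted-BYOD"),
]


def evaluate(session, rules=AUTHZ_RULES):
    """Return (rule_name, authz_result) for the first rule that matches."""
    for name, condition, result in rules:
        if condition(session):
            return name, result
    # Only reachable if the rule set has no catch-all; fail closed.
    return "NoMatch", "DenyAccess"


def catch_all_is_last(rules):
    """True if exactly one rule matches an attribute-less session and it is last.

    An attribute-less session (no AD, no MDM data) should only ever hit the
    catch-all; if an earlier rule also matches it, the rule order is unsafe.
    """
    probe = Session(user="probe")
    matching = [i for i, (_, condition, _) in enumerate(rules) if condition(probe)]
    return matching == [len(rules) - 1]


def evaluate_all(sessions, rules=AUTHZ_RULES):
    """Map each user to the authorization result their session receives."""
    return {s.user: evaluate(s, rules)[1] for s in sessions}


if __name__ == "__main__":
    # Constructed sample sessions covering the three cases in the thread.
    samples = [
        Session("alice", domain_joined=True),                       # corp laptop
        Session("bob", mdm_registered=True, mdm_compliant=True),    # corp mobile
        Session("carol", mdm_registered=True, mdm_compliant=False), # managed, not compliant
        Session("dave"),                                            # unmanaged BYOD
    ]
    print("rule order safe:", catch_all_is_last(AUTHZ_RULES))
    for user, result in evaluate_all(samples).items():
        print(f"{user:6s} -> {result}")
```

Running the script shows the two corporate sessions receiving `PermitAccess-Corp` and both the non-compliant managed device and the unmanaged BYOD device falling through to `Restricted-BYOD`. Moving the `Default` rule above the others makes `catch_all_is_last` return `False` and every session, including the domain-joined laptop, lands in the restrictive result, which is the misconfiguration the ordering check is meant to catch before it reaches production.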
