Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1261
Views
0
Helpful
5
Replies

Cisco ISE 2.2 Profiling with BYOD together

ivan.martin
Level 1
Level 1

‎10-04-2017 10:37 AM - edited ‎02-21-2020 10:35 AM

Hi I'm Ivan

I have a question

Does it is possible join both technologies in one process or 2 proceess using policy to authenticate and authorize, BYOD and Profiling?

I would like to analyze BYOD together with Profiling to enforcement the access of my users when they try access using BYOD with an smartphone android or apple. I would like to enforcement that with Profiling to Apple or Android

Please can you help me with any documentacion or link?

Regards.

Ivan.

Labels:
0 Helpful
5 Replies 5

Francesco Molino
VIP Alumni
VIP Alumni

‎10-04-2017 08:15 PM

Hi

You can enroll your devices first and then when the device is connecting to the network you can user the profiling took apply different authorization Profil.

Is that what you meant?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

ivan.martin
Level 1
Level 1
In response to Francesco Molino

‎10-04-2017 08:19 PM

Hi, thanks you for the answer. I would like to join Dot1X + BYOD + Profiling with authen and author policies.

How can i do it?

Regards.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to ivan.martin

‎10-04-2017 08:29 PM

You want to do dot1x (byod) and profiling after the enrollment process right?

If yes, you'll need to go to profiling elements and select your profiles device group and check the box create group.
Then on your policy-set, like any other authorization rules, you'll create a rule saying if device type is Apple-iPhone and user member of specific AD group, the result would be iPhone-Authorization-Profile and so forth for all your profiled devices.

Is that clear?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

ivan.martin
Level 1
Level 1
In response to Francesco Molino

‎10-04-2017 08:50 PM

Hi.

But i don't understand the following.

If the policy to authenticate byod services for apple says: EAP TLS with Certificate Auth Profile, and Profiling to authenticate use MAB services for internal identity store (it was created when i configure profiling policy), how can exist both dot1x and MAB?

Regards

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to ivan.martin

‎10-05-2017 06:37 AM

Hi

 

Profiling doesn't mean MAB. Profiling is based on multiple probe source like dhcp, dns, http, netflow....

 

Then, when your device is authenticating in dot1x, it will go through the authentication process and then move to the authorization process, right. In that authorization, no matter if it's dot1x or MAB, you can define policies based on a profil group device.

 

In conclusion, profiling will be used mainly in the authorization rules nothing related with MAB or dot1x that are part of Authentication rules. On ISE, on the policy-set, the authentication is done on the 1st half part of the page while authorization is the 2nd half part of page and it will be in this section where you gonna use profiling groups.

 

Is it more clear?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents