cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
411
Views
0
Helpful
1
Replies
Highlighted
Beginner

Group or condition for registred devices from "Device Registration Portal" (Guest Portal) ?

Hello,

We use Cisco ISE 1.2.0.899 on our network.

We've already set the Domain devices rules (AD), and it works correctly.
Now we work on the BYOD rules, and I've a question about the "Device Registration Portal" processes.

Can I create a group (Endpoint Identity Groups or others) or a condition (Simple/Compound Conditions or others), which will be automatically attribuated to all registred devices from "Device Registration Portal" (Guest Portal)?
Our objective is to created a basic rules inside Authorization Policy for all BYOD without OS distinction.

Currently, we've created a rule with the (built-in) Workstation group:
Identity Management > Groups > Endpoint Identity Groups > Profiled > Workstation

But I'm not sure that all registred devices are going to obtain the "Profiled" group or one of these sub-groups (Cisco-IP-Phone or Workstation)?
Can I choose and set the group or the condition that will be automatically attribuated to registred devices, or I have to use built-in groups inside "Endpoint Identity Groups"?

For information, currently when I registe a new device from "Device Registration Portal" (Guest Portal), by adding its MAC Address, this device is registred with the attributes:

BYODRegistration     Unknown
DeviceRegistrationStatus     NotRegistered
EndPointPolicy     Nortel-Device
EndPointProfilerServer     ...
EndPointSource     GUEST Portal
IdentityGroup     Profiled
MACAddress     ...
MatchedPolicy     Nortel-Device
OUI     Wistron InfoComm (Kunshan)Co
PolicyVersion     0
PortalUser     ...
StaticAssignment     false
StaticGroupAssignment     false
Total Certainty Factor     10
UpdateTime     1400874683250

after a new authentication the attributes change to:

BYODRegistration     Unknown
DeviceRegistrationStatus     NotRegistered
EndPointPolicy     Windows7-Workstation
EndPointProfilerServer     ...
EndPointSource     GUEST Portal
IdentityGroup     Workstation
MACAddress     ...
MatchedPolicy     Windows7-Workstation
OUI     Wistron InfoComm (Kunshan)Co
PolicyVersion     0
PortalUser     ...
StaticAssignment     false
StaticGroupAssignment     false
Total Certainty Factor     60
UpdateTime     1400875968919
User-Agent     Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Regards,
Chris

Everyone's tags (2)
1 REPLY 1
Cisco Employee

Hi Chris-I might be missing

Hi Chris-

I might be missing something or not fully understanding your question/requirements but you can definitely create a rule that is matching against the "registered" devices rather than the "profiled workstation" group. In your authorization policy you would just pick the "RegisteredDevices" group instead of the profiled one. 

Keep in mind that if you are using ISE 1.2 you can sort of combine both the "Registered Group" and profiling data. You can do that by creating a "Logical Profile" under Policy>Profiling > Logical Profiles. Then you can reference this in your authorization policy by choosing "Endpoints > LogicalProfile" = name_of_the_logical_profile. That way you can have different rules that are all based on "RegisteredDevices" but different based on the logical profile group. 

I hope this helps!

 

Thank you for rating useful posts!