Unable to differentiate between Corporate issued iPad & Personal iPad using ISE

dharmendra2shah
Level 1

We are evaluating ISE right now. I am using the TrustSec How-to Guide: Using Certificates for Differentiated Access.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf

After getting help from this support forum I was able to get the self registration working, but there is no way I can differentiate a corporate issued iPad from a personal iPad. Users bringing a personal iPad can also go through the self registration process fine and are able to access the corporate network. What is the best way to stop them?

Any help on the authorization profile will be appreciated.

Ds

12 Replies

Tarik Admani
VIP Alumni

Your best bet is to tie the users that are authorized for a corporate iPad to a group in AD, then make this part of your authorization condition.

Thanks,

Sent from Cisco Technical Support iPad App

Great question...

You have to have something on the device to determine if it's corporate or personal. Putting users in an AD group doesn't fix this.

What can be used is certificates. A device owned by the corp can be installed with a cert. This is used to confirm that it's a corp device, because personal devices will not have the cert.

MDM is in play also. ISE 1.2 will talk to the MDM and see if the device is enrolled in the MDM. If it is, then it can be determined it's controlled by the corp.

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George,

You are correct, my assumption was that they only want to limit which users are able to provision corporate iPads through the supplicant provisioning portal. You can leverage AD groups so that users (administrators or authorized individuals) can reach the portal for provisioning.

You are also correct that MDM is a solution but that is not a feature that is able to fix the problem currently.

Thanks,

Sent from Cisco Technical Support iPad App

I think his question is clear. The users have AD accounts already and are getting on, and he wants to stop their personal devices.

"Users bringing personal iPad can also go through self registration process fine and are able to access corporate network. What is the best way to stop them?"

You can't do that with AD only. You need to have something on the device or MDM.


Tarik-

We are using AD groups to keep the bad boys away. However, here is a scenario where the user can connect his personal iPad to our network. For example: James is authorized to use a corporate iPad and is a member of the AD group "iPad_Users". Since he is a member of that group he can easily bring his personal iPad and connect to the corporate network. Do you have a solution for this?

George-

I agree with you. Integrating the iPad with MDM is the only hope. But when is Cisco going to support this? They have been talking about this for almost 6 months. We are already using AirWatch as our MDM server.

To me ISE is a dead investment because it is not solving any purpose or maybe I am missing something.

Ds

I don't think it is a dead solution, and here is why.

Your challenge is you trust the user but you may not trust his device (personal). There are other ways to skin this cat. Once the device is profiled you can provide limited access to that user's iPad. For example, user James logs into the network with his AD account on his iPad; ISE sees his iPad and pushes down a named ACL that limits his iPad to just a few apps and the internet. Not exactly what you are looking for, but it is another option.

If you have a PKI you can provision a cert on the device. This would have to be a manual process. Stinks, I know.


Ds,

George is correct, however you can tie AD groups to denying or permitting access with iPads for users that are authorized. This does not answer your question about only permitting corporate iPads, but it does limit access to users authorized for access with iPads. However, what are you referring to as self registration? Are you using the supplicant provisioning wizard or are you using the self registration portal for guests?

Also, how many iPads are you currently using, and do you have the MAC address information available through the MDM solution? If so you can import these into ISE and build an endpoint identity group so that only users with iPad access coming through an iPad with a MAC address in the inventory can then access the network.

You can use the self provisioning portal and use SCEP to provision certificates for the iPad. Here you can tie in AD groups as to who is authorized to provision the iPads, either the user that it is assigned to or an individual that is designated to provision them.

Please provide some details about the current solution so we can help you.

Thanks,
Sent from Cisco Technical Support iPad App

+5 Tarik


DS,

You could consider the approach of manually importing MAC addresses from the AirWatch database (excuse my ignorance, I haven't managed an MDM yet). If you can get a list of the MAC addresses of provisioned iPads then the fix is simple and you can tie this into an endpoint identity group of the provisioned devices. This will hold you over till the full integration with 1.2 is supported, and the expected release date is June (based on my answers from Cisco, so this isn't official).

Thanks,
Tarik Admani

Sent from Cisco Technical Support iPad App

Tarik-

I am using the supplicant provisioning wizard and we are also using SCEP to provision certificates for iPads. We have 150+ corporate issued iPads.

The purpose of using ISE was to reduce our work, do things efficiently and get away from the MAC address filters which we are using currently. They are applied on the WLCs. Your solution is again suggesting relying on MAC addresses, which I am doing anyway without ISE. I just don't see any value addition with ISE.

I am just frustrated with Cisco.

Hopefully we should hear from Cisco about ISE MDM solution.

Ds

Ds-

I can see your frustration, but MAC filtering on a WLC local DB was difficult and annoying to manage. Plus you're adding security at the layer 2 level by implementing 802.1X on top of MAC filtering to authenticate a user. You could in essence do the same with a controller with layer 2 MAC filtering + layer 3 webauth, but that defeated the purpose as you're allowing folks who can MAC spoof onto your layer 2 network before layer 3 auth occurs.

Richard Atkin
Level 4

I haven't read this entire thread, only the question.

The solution is to only allow access to the Supplicant Provisioning portal within ISE to certain AD Security Groups. What you do, as an IT Service Provider, is create a number of User Accounts in AD that are part of a "MyCorpiPads" Security Group (or you can use the ISE Internal User DB). One account needs to be created for each iPad; these will work like Machine Accounts do for a Windows PC with AD. Before you hand out the device, you pre-provision it for your user using one of the "MyCorpiPads" accounts. By doing this, the iPad retrieves a Cert that is unique to it (and therefore you get all the benefits of seamless signon, no faff with usernames / password expiry, etc.) and the User can't do anything to either get the Cert off the device in any usable fashion, nor can they get their own device provisioned.
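To make the gap in the thread concrete, here is an added example (not Cisco's code and not ISE's policy engine) that models a first-match authorization rule set the way the replies describe it: the original "user is in iPad_Users" policy, beside a device-aware policy that trusts a certificate from the corporate CA tied to a per-device "MyCorpiPads" account (the last reply), falls back to the MDM MAC inventory (Tarik's interim fix), and otherwise gives a known user on an untrusted device only a limited ACL (George's option). The CA name, the device account, and the MAC inventory are constructed values.

```python
from dataclasses import dataclass

CORP_CA = "CN=Corp Issuing CA"      # assumed issuer DN of the corporate PKI
DEVICE_GROUP = "MyCorpiPads"        # per-device AD accounts, as in the last reply
USER_GROUP = "iPad_Users"           # the user-level AD group named in the thread
MDM_MACS = {"aa:bb:cc:00:00:01"}    # constructed MAC inventory exported from the MDM

@dataclass
class Request:
    identity: str          # AD account that authenticated (a user or a device account)
    groups: set            # AD groups of that account, as returned to ISE
    eap: str               # "EAP-TLS" (certificate) or "PEAP" (username/password)
    cert_issuer: str = ""  # issuer DN of the client certificate, if one was presented
    mac: str = ""          # calling-station-id from the WLC

def norm_mac(mac):
    """Normalise aa-bb-cc-dd-ee-ff / AABB.CCDD.EEFF / aa:bb:... to lower-case colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if len(digits) == 12 else ""

def authorize_ad_only(r):
    """The original poster's policy: any member of iPad_Users gets full access."""
    return "PERMIT-FULL" if USER_GROUP in r.groups else "DENY"

def authorize_device_aware(r):
    """Rules evaluated top to bottom, first match wins (the way ISE orders rules)."""
    corp_cert = (r.eap == "EAP-TLS" and r.cert_issuer == CORP_CA
                 and DEVICE_GROUP in r.groups)
    if corp_cert:
        return "PERMIT-FULL"            # corporate iPad, proven by its device certificate
    if norm_mac(r.mac) in MDM_MACS and USER_GROUP in r.groups:
        return "PERMIT-FULL"            # interim: MAC known to the MDM (spoofable, as noted)
    if USER_GROUP in r.groups:
        return "PERMIT-LIMITED-ACL"     # trusted user, untrusted device: named ACL
    return "DENY"

# Constructed scenario from the thread: James is in iPad_Users and brings two iPads.
CORP_IPAD = Request("ipad-0042$", {DEVICE_GROUP}, "EAP-TLS", CORP_CA, "AA-BB-CC-00-00-01")
PERSONAL_IPAD = Request("james", {USER_GROUP}, "PEAP", "", "AA-BB-CC-00-00-99")

if __name__ == "__main__":
    for name, req in (("corporate", CORP_IPAD), ("personal", PERSONAL_IPAD)):
        print(name, authorize_ad_only(req), authorize_device_aware(req))
```

Run as-is it shows the personal iPad getting PERMIT-FULL under the AD-only policy and only the limited ACL under the device-aware one, while the corporate iPad is admitted by its certificate alone.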
