03-22-2022 05:39 AM
How can we add an exception to ISE so that a tablet (not domain joined) can access corporate Wi-Fi? Using EAP-PEAP.
This is very urgent for me, if anyone can send me the setup.
03-22-2022 07:30 AM
How is your authentication? In this case you need to do MAB authentication.
03-22-2022 07:33 AM
Please, can anyone tell me which one I can implement easily?
03-22-2022 07:48 AM
We want to use a Samsung tablet, iPhone and TV with that corporate SSID. Please suggest any good configuration. I heard about BYOD but don't know the concept.
Can we use this BYOD for all non-domain devices?
03-22-2022 08:10 AM - edited 03-22-2022 08:11 AM
Not sure what WLC and what RADIUS you are using. Here is the latest Cat9800 controller config:
If you are looking for webauth:
03-22-2022 08:14 AM
For the WLC, I am using legacy 4400 WLC devices with version 7.2 or 7.0.
For RADIUS I am using Cisco ISE version 3.0.
Now please let me know what options are available to complete the setup.
03-22-2022 08:57 AM
7.2 is too old for me, but the above-mentioned URL is still valid for you to deploy and test it.
(If you are not sure, then we suggest hiring a consultant who can integrate it for you.)
03-24-2022 07:18 AM
Hello Team,
I am using a single corporate SSID for corporate devices which are domain joined and use EAP-PEAP. With the same SSID I want to connect some Samsung tablets which are not domain-joined devices. Here I am thinking of the steps below. Could you please help me and tell me whether my thinking is correct or not?
-----------------------------
If you have a domain-joined laptop with an AD user:
Laptop tries to join the corp SSID.
WLC sends the request to ISE to check.
ISE checks that the laptop is domain joined. Perfect.
Then ISE checks if the AD user is valid.
Then ISE authenticates the user and he has access to the internal network + internet.
Correct?
-------------------------
Now you have a tablet which is not domain joined but has an AD user.
Tablet tries to join the corp SSID.
WLC sends the request to ISE to check.
ISE checks that the laptop is not domain joined and does not allow access to the internal network + internet.
Correct?
-----------------------------------------------------
And now, you add an OR condition to ISE where it checks if the device is domain joined.
So the condition will be:
Is the device domain joined, or is the device MAC address on the list?
Yes: allow. No: deny.
Now you have a tablet which is not domain joined but has an AD user.
Tablet tries to join the corp SSID.
WLC sends the request to ISE to check.
ISE checks that the tablet is not domain joined, but the MAC address is on the list -> allow.
Then ISE checks if the AD user is valid.
Then ISE authenticates the user and he has access to the internal network + internet.
-----------------------------
On the WLC I have configured [WPA2][Auth(802.1X)] for the corp SSID.
----------------------
Is my understanding correct?
Because here I am using the same corp SSID for both devices which are domain joined and some which are not domain joined, but making some policy on Cisco ISE for MAC addresses.
03-24-2022 04:53 PM
Unless you are using AnyConnect or EAP-TEAP, you're not going to be able to check both machine and user credentials, as you need EAP chaining to do two different authentications.
Would suggest:
EAP-TLS (user certificates deployed via Group Policy to laptops) - these get corp access
EAP-PEAP (users with the BYOD user group) get access to BYOD
You could potentially look at other RADIUS attributes that a corporate device provides and see if one of them is able to be used in the policy, but I haven't seen that work well before.
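
As an added illustration (not part of the reply above and not ISE configuration), this Python model evaluates the suggested EAP-TLS / EAP-PEAP split as ordered first-match rules over constructed sessions; all attribute, rule and profile names are assumptions. In this model a PEAP login gets the same result from a laptop or a tablet, because only the user's credentials reach the policy.

```python
# Added model, not ISE configuration: attribute, rule and profile names are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    """What the policy can see for one 802.1X attempt (constructed fields)."""
    device: str                      # label for the reader only; NOT visible to the policy
    eap_method: str                  # "EAP-TLS" or "PEAP"
    identity: str                    # user name presented in the EAP exchange
    ad_groups: frozenset = frozenset()
    cert_valid: bool = False         # EAP-TLS only: client certificate validated

# Ordered rules, first match wins; anything unmatched is denied.
RULES = [
    ("Corp-EAP-TLS", lambda s: s.eap_method == "EAP-TLS" and s.cert_valid, "CORP_ACCESS"),
    ("BYOD-PEAP", lambda s: s.eap_method == "PEAP" and "BYOD" in s.ad_groups, "BYOD_ACCESS"),
]

def authorize(session):
    """Return (matched rule name, resulting access profile)."""
    for name, condition, result in RULES:
        if condition(session):
            return name, result
    return "Default", "DENY"

# Constructed sample sessions.
SAMPLES = [
    Session("corp laptop", "EAP-TLS", "alice", frozenset({"Staff"}), cert_valid=True),
    Session("tablet", "PEAP", "alice", frozenset({"Staff", "BYOD"})),
    Session("corp laptop", "PEAP", "alice", frozenset({"Staff", "BYOD"})),
    Session("tablet", "PEAP", "bob", frozenset({"Staff"})),
    Session("unknown", "EAP-TLS", "carol", cert_valid=False),
]

def run_samples():
    """Evaluate every sample and return one result row per session."""
    return [(s.device, s.identity, s.eap_method, *authorize(s)) for s in SAMPLES]

if __name__ == "__main__":
    for row in run_samples():
        print("{:12} {:8} {:8} -> {:13} {}".format(*row))
```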
03-23-2022 02:41 AM
My corporate laptop is using one corporate SSID, using EAP-PEAP.
Can I make any policy on Cisco ISE to allow the MAC addresses of some non-domain devices that want to connect to this corporate SSID of ours?
Any other option, please let me know.