Lab Minutes Forum
Technical Discussion => Security => Topic started by: renton2001 on November 29, 2013, 12:38:25 PM
-
Hi
There is a way to restrict a SSID to smarthphone only with ACS 5.4?
Thank you
-
Since ACS does not support device profiling, there is not really a way to build the authorization policy based on the device type like ISE. The best you can do is probably restrict base on MAC addresses but that might not be practical and susceptible to AMC spoofing.
-
I'm using acs 5.5. I know I can not do profiling in acs, but what about checking for a cert?
I have a byod environment for VIP users which used Ad credentials and a filter for the ssid of that network. my problem is since they are using their Ad credentials to authenticate, I need to allow them to use company assets on the trusted network but disallow personal device on the inside network. Was wondering if there was a fied in AD I could use for checking if it is a domain device or not.
-
I'm using acs 5.5. I know I can not do profiling in acs, but what about checking for a cert?
I have a byod environment for VIP users which used Ad credentials and a filter for the ssid of that network. my problem is since they are using their Ad credentials to authenticate, I need to allow them to use company assets on the trusted network but disallow personal device on the inside network. Was wondering if there was a fied in AD I could use for checking if it is a domain device or not.
If the devices are Windows computers, you can use PEAP with machine authentication to check for domain computer. Anything else other than that, you are pretty much limited to using certificate. Hopefully you have a MDM platform in place to allow device onboarding and certificate distribution.