Author Topic: Non-BYOD onboarding possible  (Read 25811 times)

Offline bberry

  • Cisco Newbie
  • Posts: 5
  • Reputation: 0
  • Certification: CCNA
Non-BYOD onboarding possible
« on: May 06, 2015, 07:53:43 AM »
Hello all,

We are a new user of ISE and have been taking baby steps as we learn how things are configured and work. We have been using the sponsor portal for our guest users for a while and are preparing to pull the corporate access into the fold. Our pilot has been going well and, other than a few issues that have arisen since we upgraded to 1.3, things have been mostly good.

Our policies have been set up so that an endpoint identity group with the device MAC address is checked as part of the authorization policy to better guarantee the device has access to network resources rather than just relying on user information. I imported the MAC addresses from our LANSweeper server, which collects device data in bulk form, to get things started, and usually add additional MAC addresses manually one by one as needed. I then repeat the import on a routine basis to capture any new assets as a preemptive measure before they connect through ISE. We have endpoint identity groups for corporate assets, registered personal assets and then our vendor assets to verify what networks they connect to and receive their associated DACLs.

I am wondering if there is a way to automate this process similar to a BYOD process that the help desk could utilize to update the identity group or a way to give them rights to modify the groups without having full rights to the ISE cluster.

Brent

Offline MC

  • Global Moderator
  • Cisco Guru
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: Non-BYOD onboarding possible
« Reply #1 on: May 06, 2015, 09:54:31 PM »
I am assuming these devices are non-user devices; otherwise they should be authenticated via regular 802.1X using PEAP or EAP-TLS. Other than using device profiling, which will sort devices by their types, I am afraid it will be a manual process to group devices. Technically ISE should have all device information (e.g. MAC address) as they try to connect to the network (via MAB) without you having to manually import MAC addresses. You then just need to provide your support team enough access to assign those devices to the appropriate Endpoint Identity Group.

Offline bberry

  • Cisco Newbie
  • Posts: 5
  • Reputation: 0
  • Certification: CCNA
Re: Non-BYOD onboarding possible
« Reply #2 on: May 07, 2015, 06:16:40 AM »
These systems are user devices. What management required was that only known / registered devices get connected to the network. This prevents even the corporate user from connecting any device they want to the network using just a username and password with 802.1X. The policy is written to check the Corporate Assets group and the AD group for corporate access. A different policy is written to check the Personal Assets group and the AD group for accessing limited resources with the personal device. That is when we came up with the Endpoint Identity Group, but the issue now comes up with how to maintain the groups by someone other than the two of us that are setting up and maintaining the ISE system.

I did not know if something like the BYOD onboarding process could be set up to allow the help desk folks to get the device into the system and place it directly into the appropriate Identity Group, or go after the fact and add the MAC address to the Identity Group. Management wants to keep the access control out of the end users' hands because of past issues with internet access from cell phones and personal laptops.

Modifying the Endpoint Identity Group is basically what I do now. I get the notification after the user has attempted to connect, so the system knows the MAC address and I simply go add it to the proper identity group. If the user has not attempted at least once to connect then I am unable to add the MAC address. It is as if the system does a search as part of the add process. I have seen no other way other than an import to get a single MAC address into the system from scratch.

I am also trying to find a way to search for a MAC address and determine what Endpoint Identity Group it may already be in.

Brent
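An added example, not code from this thread, from Cisco or from the ISE product: a small Python helper doing what Brent describes (put a MAC address straight into an Endpoint Identity Group before the device has ever connected, and check which group an existing MAC is already in) through ISE's ERS REST API, so the help desk can run it with an account holding only the ERS admin role rather than full ISE admin rights. It assumes ERS is enabled on the node (TCP 9060), the identity group already exists, and ISE accepts the upper-case colon MAC form; the hostname, credentials and group name are placeholders.

```python
# Added example, not from the thread; assumes ISE ERS is enabled (TCP 9060).
import base64
import json
import re
import urllib.parse
import urllib.request

def normalize_mac(raw):
    """'00-11-22-aa-bb-cc', '001122aabbcc' or '0011.22aa.bbcc' -> AA:BB:CC:DD:EE:FF."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexdigits) != 12:  # anything that is not exactly 48 bits is rejected
        raise ValueError("not a MAC address: %r" % (raw,))
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def endpoint_payload(mac, group_id):
    """Body for POST/PUT /ers/config/endpoint; static assignment stops profiling moving it."""
    return {"ERSEndPoint": {"mac": normalize_mac(mac), "groupId": group_id,
                            "staticGroupAssignment": True}}

def first_resource_id(search_json):
    """Id of the first hit in an ERS SearchResult, or None if nothing matched."""
    hits = search_json.get("SearchResult", {}).get("resources", [])
    return hits[0]["id"] if hits else None

def ers_call(base, user, password, method, path, body=None, ctx=None):
    """One ERS request with HTTP basic auth; returns parsed JSON ({} if empty)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(base + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Basic " + token, "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:  # ctx: ssl.SSLContext
        raw = resp.read()
    return json.loads(raw) if raw else {}

def register_mac(base, user, password, mac, group_name, call=ers_call):
    """Create the endpoint in group_name or move it there: 'created', 'moved' or 'unchanged'."""
    q = "/ers/config/endpointgroup?filter=name.EQ." + urllib.parse.quote(group_name)
    group_id = first_resource_id(call(base, user, password, "GET", q))
    if group_id is None:
        raise LookupError("no Endpoint Identity Group named %r" % (group_name,))
    mac = normalize_mac(mac)
    ep_id = first_resource_id(call(base, user, password, "GET", "/ers/config/endpoint?filter=mac.EQ." + mac))
    if ep_id is None:  # never seen by ISE: create it straight into the group
        call(base, user, password, "POST", "/ers/config/endpoint", endpoint_payload(mac, group_id))
        return "created"
    current = call(base, user, password, "GET", "/ers/config/endpoint/" + ep_id)
    if current.get("ERSEndPoint", {}).get("groupId") == group_id:
        return "unchanged"
    call(base, user, password, "PUT", "/ers/config/endpoint/" + ep_id, endpoint_payload(mac, group_id))
    return "moved"
```

The "which group is this MAC already in" question is the GET /ers/config/endpoint/{id} step: the returned ERSEndPoint.groupId is what register_mac compares before deciding whether to move the device, and the injectable `call` lets the decision logic be exercised without an ISE node.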

Offline MC

  • Global Moderator
  • Cisco Guru
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: Non-BYOD onboarding possible
« Reply #3 on: May 11, 2015, 07:38:07 PM »
Let's divide this into two separate cases: corporate and non-corporate assets.
For corporate assets:
 1. Windows domain computers can be validated via machine auth, and then you also have user auth.
 2. Non-Windows devices can either be validated via certificate (preferred) or by white-listing the MAC address. User auth can be performed normally in addition if the device supports it.
For personal assets:
 If you have a lot of devices, the best way to manage them is to use MDM. You can get users to register with your MDM before they are allowed network access. Your support team then has control over this, for example by manually issuing a registration code or performing manual registration approval, depending on the MDM vendor. Once registered, the device can be issued a user-based certificate which can be used to authenticate to the network.
