09-09-2013 10:16 AM - edited 03-10-2019 08:52 PM
Hello,
I'm trying to build a BYOD policy in ISE 1.2. I would like ISE to get machine attributes as part of the authorization policy. Can this be done? I'm not talking about machine authentication. I need something that could be checked at anytime.
Thanks for any help!
09-09-2013 11:17 AM
Not sure what you mean by machine attributes. Are you talking about hardware settings on some device, or attributes on a machine account in Windows Active Directory?
09-09-2013 11:21 AM
Something I can use on computers to differentiate a corporate asset from a BYOD asset.
09-09-2013 01:52 PM
Well, if you are using your regular internal CA to issue certs for corp. assets, and another CA for BYOD via ISE provisioning for example, you can use elements from your device's cert in authorization rules.
Something like:
Corp cert issuer=internalca.corp.local
Byod cert issuer=byod.whatever.local
Jan
09-09-2013 03:24 PM
The devices are using PEAP
09-10-2013 01:18 AM
I have seen in the ISE 1.2 configuration guide that we can do machine authentication using AD, and once the machine is authenticated and authorized, profiling may happen and we can see the attributes. Please check the below link:
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wp1062522
09-10-2013 02:55 AM
Hello,
Cisco ISE retrieves user or machine attributes from Active Directory for use in authorization policy rules. These attributes are mapped to Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.
Cisco ISE performs user and group membership lookups via LDAP to an Active Directory. Group membership is used to map sponsor users to the corresponding sponsor group in ISE. And if the user is not directly in an Active Directory group, but is a member of a group that is a member of the Active Directory group (nested groups), the user authorization is rejected.
User authentication on an authorization policy fails if the rule contains an Active Directory group name with special characters such as /!@\#$%^&*()_+~
You can also follow the below link:
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_authz_polprfls.html#wp1205205
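The two approaches discussed in this thread (Jan's certificate-issuer rule, and the AD machine-attribute rule from the quoted ISE 1.2 text) differ in which session attributes they need, which matters because the original poster's devices use PEAP. The following is an added example, not code from the thread or from Cisco ISE: a small first-match authorization evaluator that models both rule types over constructed sessions. The attribute names (`auth_method`, `cert_issuer`, `ad_machine_ou`), the CA names, the OU, and the sample sessions are all assumptions, not values taken from a real ISE deployment; the group-name check follows the special-character list quoted above as printed.

```python
"""Added example (not part of the thread, not Cisco ISE code): a first-match
authorization evaluator that models the rule types discussed in the thread.
All attribute names, CA names and sample sessions below are constructed."""
import re

# Special characters that the quoted ISE 1.2 text says make an AD-group rule
# fail (list taken as printed in the thread; backslash included as shown).
AD_GROUP_SPECIAL_CHARS = re.compile(r"[/!@\\#$%^&*()_+~]")


def check_group_name(name):
    """True if an AD group name is free of the characters ISE rejects in rules."""
    return AD_GROUP_SPECIAL_CHARS.search(name) is None


# Authorization rules in evaluation order: first matching rule wins, like an
# ISE authorization policy. 'cond' is evaluated over the session attributes.
RULES = [
    # Jan's approach: a client certificate from the internal CA marks a corp asset.
    # Only meaningful for certificate-based EAP; PEAP sessions carry no client cert.
    {"name": "Corp-Cert", "profile": "CorpAccess",
     "cond": lambda s: s.get("auth_method") == "EAP-TLS"
     and s.get("cert_issuer") == "internalca.corp.local"},
    {"name": "BYOD-Cert", "profile": "BYODAccess",
     "cond": lambda s: s.get("auth_method") == "EAP-TLS"
     and s.get("cert_issuer") == "byod.whatever.local"},
    # AD approach: a machine attribute retrieved from Active Directory after
    # authentication (assumed attribute name and OU) marks a corp-owned computer.
    {"name": "Corp-AD-Machine", "profile": "CorpAccess",
     "cond": lambda s: s.get("ad_machine_ou") == "OU=CorpLaptops,DC=corp,DC=local"},
    # Catch-all, as ISE's default rule would be.
    {"name": "Default", "profile": "DenyAccess", "cond": lambda s: True},
]


def authorize(session):
    """Return (rule name, authorization profile) for the first matching rule."""
    for rule in RULES:
        if rule["cond"](session):
            return rule["name"], rule["profile"]
    raise RuntimeError("no rule matched; the policy must end with a catch-all")


# Constructed sessions: what the RADIUS/AD lookup would have produced.
SAMPLE_SESSIONS = {
    # Corp laptop doing EAP-TLS with a cert from the internal CA.
    "corp-laptop-eaptls": {"auth_method": "EAP-TLS",
                           "cert_issuer": "internalca.corp.local",
                           "ad_machine_ou": "OU=CorpLaptops,DC=corp,DC=local"},
    # Personal phone onboarded through ISE BYOD provisioning.
    "byod-phone-eaptls": {"auth_method": "EAP-TLS",
                          "cert_issuer": "byod.whatever.local"},
    # Corp laptop on PEAP (the original poster's case): no client cert, so the
    # issuer rules cannot match; only the AD machine attribute identifies it.
    "corp-laptop-peap": {"auth_method": "PEAP",
                         "ad_machine_ou": "OU=CorpLaptops,DC=corp,DC=local"},
    # Personal laptop on PEAP with corp user credentials: no cert, not in AD.
    "personal-laptop-peap": {"auth_method": "PEAP"},
}


def evaluate_all():
    """Map each sample session name to its (rule, profile) decision."""
    return {name: authorize(attrs) for name, attrs in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, (rule, profile) in evaluate_all().items():
        print(f"{name:22s} -> {rule:16s} {profile}")
    for group in ("Domain Computers", "BYOD_Users"):
        print(f"group {group!r} usable in a rule: {check_group_name(group)}")
```

The PEAP sessions are the instructive ones: a corp laptop that authenticates with PEAP never hits the issuer rules, so differentiating it from a personal laptop depends entirely on an attribute ISE can retrieve from AD after authentication. The `check_group_name` helper also shows that a group name such as `BYOD_Users` would be rejected by the quoted restriction because of the underscore.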
09-11-2013 09:35 AM
Please check the below link.
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_id_stores.html#wpxref41479
09-18-2013 05:39 PM
Step 1: Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2: Click the Attributes tab.
Step 3: Choose Add > Add Attribute to add a new attribute, or choose Add > Select Attributes From Directory to choose a list of attributes from the directory.
Note: When you enter an example user name, ensure that you choose a user from the Active Directory domain to which the Cisco ISE is connected. When you choose an example machine to obtain machine attributes, be sure to prefix the machine name with "host/". For example, you might use host/myhost.
Step 4: Enter a name for a new attribute if you choose to add an attribute.
Step 5: Check the check boxes next to the attributes from Active Directory that you want to select, and click OK.
Step 6: Click Save Configuration. If you choose to add attributes from directory, enter the name of a user in the Example User field, and click Retrieve Attributes to obtain a list of attributes for users. For example, enter admin to obtain a list of administrator attributes. You can also enter the asterisk (*) wildcard character to filter the results.