Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco ISE version 1.2 (corporate owned)

Hi Guys,

We are deploying Cisco ISE with version 1.2, one of  our requirement is to identify the corporate and personally owned  devices. Is there a feature in ISE with this requirement? Thanks.

2 REPLIES
Bronze

Cisco ISE version 1.2 (corporate owned)

The Cisco ISE platform is a comprehensive, next-generation, contextually-based access control solution. It offers authenticated network access, profiling, posture, BYOD device onboarding (native supplicant and certificate provisioning), guest management, and security group access services along with monitoring, reporting, and troubleshooting capabilities on a single physical or virtual appliance. Cisco ISE is available on two physical appliances with different performance characterization, and also as a software that can be run on a VMware server. You can add more appliances to a deployment for performance, scale, and resiliency.

Cisco ISE has a scalable architecture that supports standalone and distributed deployments, but with centralized configuration and management. It also allows for configuration and management of distinct personas and services. This feature gives you the ability to create and apply services where they are needed in the network, but still operate the Cisco ISE deployment as a complete and coordinated system.

For More information please visit:

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_overview.html

Cisco Employee

Cisco ISE version 1.2 (corporate owned)

To identify a device as a corporate or non-corporate device requires something, say a credential, which is locked to that

particular device. While common wisdom suggests attaching a certificate to a non-corporate device, the more logical choice is to lock a credential to the corporate device and assume all other devices are non-corporate devices.

One solution is EAP Chaining which uses a machine certificate or a machine username / password locked to the device

through the Microsoft domain enrollment process. When the device boots, it is

authenticated to the network using 802.1X.

When the user logs onto the device, the session information from the machine authentication and the user credentials are sentup to the network as part of the same user authentication. The combination of the two i

ndicates that the device belongs to the

corporation and the user is an employee.

If the device is not a member of the domain, then the machine authentication fails and the device is not a corporate device. If the device does not support EAP Chaining, then

the device is also not a corporate device. In either case, the result would be

to treat these devices differently than the corporate device. That could be limited access for employee owned devices and outto the Internet for non-employee devices depending

on corporate policy

276
Views
0
Helpful
2
Replies
CreatePlease to create content