Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
364
Views
0
Helpful
3
Replies

ISE 1.2: Employee with personal device registration

Go to solution
ebelConsult
Level 1
Level 1

‎09-03-2014 02:01 AM - edited ‎03-10-2019 09:59 PM

Hi experts,
I'm aware of this discussion https://supportforums.cisco.com/discussion/11962026/ise-12-device-registration-mab-only-no-client-provisioning#comment-9371166

but looking for a detailed configuration to get following to work:
Employee's have access to the network with their corporate devices. No problem
Now employees need to be able to use their own mobile devices to get access. There is no definition of what devices are allowed.
II guess to let employees register their private devices with  MAC address on MyDevice portal would be the most sufficient solution.
Does anyone have a detailed configuration or link how to achieve that?

Thanks,

Frank


 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
3 Replies 3

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎09-03-2014 08:47 AM

Having BYOD access be based on mac address only is not really ideal and also not secure. A mac address can easily be spoofed and consequently your security policy can be bypassed. If you have a PKI environment you can take the EAP-TLS with SCEP approach:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html

If you don't have a PKI environment and don't want to mess with certificates you can still use a more secure method than MAC addresses. For instance, you can perform PEAP user authentication. You can create a "special" BYOD AD group and place the authorized users there. Then they can use their AD credentials to authenticate. In the authorization policy you can limit the access for those type of authentications via dACLs (switches) or named access lists (WLCs)

Hope this helps!

 

Thank you for rating helpful posts!

0 Helpful

Go to solution
ebelConsult
Level 1
Level 1
In response to nspasov

‎09-03-2014 01:13 PM

Hi Neno,

thanks for taking the time to answer. (Un) fortunately a PKI/certificates is not an option at the moment.

I like your second suggestion but the idea Mohana refered via the link
http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Use_Cases.pdf to seems to be even easier.

Starting from page 18-4 the example shows a very simple way to achieve my goal with minimum configuration effort. One of  the major drawbacks I can see in this example is that an emplyee could us this AuthZ for access with a corporate device too.  

 

Thanks,

 

Frank

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents