Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISE 1.2: Employee with personal device registration

Hi experts,
I'm aware of this discussion https://supportforums.cisco.com/discussion/11962026/ise-12-device-registration-mab-only-no-client-provisioning#comment-9371166

but looking for a detailed configuration to get following to work:
Employee's have access to the network with their corporate devices. No problem
Now employees need to be able to use their own mobile devices to get access. There is no definition of what devices are allowed.
II guess to let employees register their private devices with  MAC address on MyDevice portal would be the most sufficient solution.
Does anyone have a detailed configuration or link how to achieve that?

Thanks,

Frank


 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Please refer the link :http:/

3 REPLIES
Cisco Employee

Please refer the link :http:/

Cisco Employee

Having BYOD access be based

Having BYOD access be based on mac address only is not really ideal and also not secure. A mac address can easily be spoofed and consequently your security policy can be bypassed. If you have a PKI environment you can take the EAP-TLS with SCEP approach:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html

If you don't have a PKI environment and don't want to mess with certificates you can still use a more secure method than MAC addresses. For instance, you can perform PEAP user authentication. You can create a "special" BYOD AD group and place the authorized users there. Then they can use their AD credentials to authenticate. In the authorization policy you can limit the access for those type of authentications via dACLs (switches) or named access lists (WLCs)

Hope this helps!

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
New Member

Hi Neno,thanks for taking the

Hi Neno,

thanks for taking the time to answer. (Un) fortunately a PKI/certificates is not an option at the moment.

I like your second suggestion but the idea Mohana refered via the link
http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Use_Cases.pdf to seems to be even easier.

Starting from page 18-4 the example shows a very simple way to achieve my goal with minimum configuration effort. One of  the major drawbacks I can see in this example is that an emplyee could us this AuthZ for access with a corporate device too.  

 

Thanks,

 

Frank

100
Views
0
Helpful
3
Replies
CreatePlease login to create content