Cisco Support Community
New Member

ISE for Mobiles

Hello everybody...

I have an ISE appliance integrated with Active Directory to authenticate the users, and I have a WLC integrated with the ISE also.

The integration was done successfully, and now any user who wants to access the network through the WiFi (Dot1x) should use his AD credentials; if he is compliant he gets full access, and if non-compliant he goes to the quarantine VLAN.

My problem is the mobiles: there are some users who need to access the WiFi from their personal mobiles using the AD credentials, and I need to bypass the posturing for mobiles only.

In other words, I don't need to check whether the device is compliant or non-compliant for the mobiles only, while I need this feature for laptops.

Note: I have only 1 SSID.

Any suggestions for this case....

Reyad

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

ISE for Mobiles

Hi Reyad, the Endpoint policy was added in ISE 1.1 MR1 I believe, you will need to upgrade to see this. I would strongly recommend upgrading to the latest release of ISE anyway as it is much improved on version 1.1.0.

Thanks

Andy

9 REPLIES
New Member

ISE for Mobiles

Hi Reyad,

The solution for the mobile devices is to enable profiling. By enabling profiling, you can categorize the access for all the smart devices, and you can combine them with Wireless_dot1x so all the users can authenticate the access using the AD username and password.

In general, the ISE does not have NAC agents or posture for mobile devices, so you can build an authorization policy based on profiling and authentication, and you can put it on top of the policies so if the ISE detects mobile phone access then the authentication will be dot1x against the AD.

HTH.

Thanks.

Ahmad.

New Member

ISE for Mobiles

Hello Ahmad,

In my case, I noticed that I have only 2 profiled categories.

One is for workstations and the other for IP phones, but unfortunately the smartphones and mobiles have been recognized as workstations, which becomes useless when I configure the policy for the profiled device.

What I need is to configure a policy for any non-Windows device.

How can I configure the profiling feature for these devices?

Any suggestions....

Reyad

New Member

ISE for Mobiles

Hi Reyad, you need to create an Authorisation Policy that matches "PostureApplicable Equals No" above the Authorisation Policies you have defined for PostureStatus Equals Compliant and PostureStatus Not_Equals Compliant.

Any devices that are not capable of posture assessment (e.g. your mobile devices) will match this rule and bypass the NAC process before hitting the rule you are currently matching.

This should work fine as long as all other Authorisation Policies are correct.
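The rule ordering described in the reply above, modelled as an added example (not part of the original thread and not Cisco code). The rule names, result profiles, the "Unknown" posture value for agentless devices and the default deny are assumptions for illustration.

```python
# Simplified model of top-down, first-match authorization policy evaluation.
# Everything except the PostureApplicable / PostureStatus conditions quoted in
# the thread (rule names, result profiles, default result) is assumed.

BYPASS = ("Mobile_Bypass", lambda e: e["PostureApplicable"] == "No", "PermitAccess")
COMPLIANT = ("Compliant", lambda e: e["PostureStatus"] == "Compliant", "PermitAccess")
NOT_COMPLIANT = ("Not_Compliant", lambda e: e["PostureStatus"] != "Compliant",
                 "Quarantine_VLAN")

# Ordering recommended in the thread: bypass rule above the posture rules.
RULES_BYPASS_ON_TOP = [BYPASS, COMPLIANT, NOT_COMPLIANT]
# Same rules with the bypass rule placed last, for comparison.
RULES_BYPASS_AT_BOTTOM = [COMPLIANT, NOT_COMPLIANT, BYPASS]

# Constructed sample endpoints; a phone without an agent is assumed to
# report PostureStatus "Unknown".
ENDPOINTS = {
    "laptop-ok": {"PostureApplicable": "Yes", "PostureStatus": "Compliant"},
    "laptop-bad": {"PostureApplicable": "Yes", "PostureStatus": "NonCompliant"},
    "phone": {"PostureApplicable": "No", "PostureStatus": "Unknown"},
}


def authorize(endpoint, rules):
    """Return (rule name, result) of the first rule whose condition matches."""
    for name, condition, result in rules:
        if condition(endpoint):
            return name, result
    return "Default", "DenyAccess"  # assumed default when nothing matches


def shadowed_rules(rules, endpoints):
    """Return the names of rules that no sample endpoint ever reaches."""
    hit = {authorize(e, rules)[0] for e in endpoints.values()}
    return [name for name, _, _ in rules if name not in hit]


if __name__ == "__main__":
    for label, rules in (("bypass on top", RULES_BYPASS_ON_TOP),
                         ("bypass at bottom", RULES_BYPASS_AT_BOTTOM)):
        print(label)
        for host, attrs in ENDPOINTS.items():
            print("  %-10s -> %s / %s" % ((host,) + authorize(attrs, rules)))
        print("  never matched:", shadowed_rules(rules, ENDPOINTS))
```

With the bypass rule at the bottom, the phone falls into the Not_Equals Compliant rule first and the bypass rule is never reached, which is why the reply places it above the posture rules.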

New Member

ISE for Mobiles

Hi Andy,

This will help to solve my problem.

But I couldn't find the condition "PostureApplicable" in the authorization policy rules; could you help me with where I can find this....

Reyad

New Member

ISE for Mobiles

You can find it under Endpoints as shown below.

noncompliant.png

New Member

ISE for Mobiles

Hello Andy, and sorry for bothering you again...

But I couldn't find the EndPoint within my drop-down list in the authorization policy page.

Do you think it's related to the ISE IOS version, or do I need to do some configuration somewhere to have EndPoint?

My ISE version is : Version      : 1.1.0.665

drop-list.jpg

New Member

ISE for Mobiles

Hi Reyad, the Endpoint policy was added in ISE 1.1 MR1 I believe, you will need to upgrade to see this. I would strongly recommend upgrading to the latest release of ISE anyway as it is much improved on version 1.1.0.

Thanks

Andy

New Member

ISE for Mobiles

Thank you Andy for your help....

Reyad

ISE for Mobiles

In order to have definitions for a broader range of endpoints like smartphones and PDAs, please use the profiler feed service. It would ensure the device profiles database is updated.
