Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ISE Lock accounts to machines

I am trying to determine if there is a way to limit the number of logins. Basically, the requirement is to allow a user X number of concurrent logins, but restrict those logins to the first X machines they log into.  The requirement is to prevent users from passing their credentials around to other unauthorized users.

Everyone's tags (2)
7 REPLIES

ISE Lock accounts to machines

Michael,

You can only restrict guests to one concurrent login of 1 or unlimited. However if you have a list of all mac addresses, you can import them into ise and statically assign them to a endpoint group, from there you can combine a policy that only allows users to connect with a device that you assigned to an endpoint group with a valid AD account.

However your best bet is to deploy certificates if you run in an AD environment where all devices are joined to the domain, it is very simple to use group policies to deploy certificates which you can make the private keys not exportable. Then you can switch your authentication policy so that certs are used instead of passwords.

Let me know if you run all users in AD or if you would like some info on certificate enrollment

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

ISE Lock accounts to machines

Hi Tarik,

Thanks for the suggestions.  However, at this time, the deployment is going to be a live pilot (I know, dangerous move lol), but its what is going to convince the customer of ISE's features.

Cert services isn't an option at this time, due to time constraints and the environment this is being rolled out to.

it's basically a trade show and they are allowing all invitees to use their network, but cant deploy certs, or expect the invitees to be able to install them. Apparently, these guests have been known to pass around credentials and this is what they are trying to prevent.

I have locked them down to 3 concurrent connections, but i am not sure if that will do the trick.

Thoughts?

thanks again for you reply

Cisco Employee

ISE Lock accounts to machines

Yeah you have to deploy certificate to authenticate devices and user  with non-exportable private key. That is the only way by which you can  achieve your goal.

Bronze

ISE Lock accounts to machines

ISE-1.1 version does not support the limits on concurrent logins but ISE 1.2 support this function.

Release Notes for Cisco Identity Services Engine, Release 1.2

http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html

ISE Lock accounts to machines

Aqeel,

It was my understanding the ISE 1.2 only allows this feature for guests

thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

ISE Lock accounts to machines

Please find the attached solution.

ISE Lock accounts to machines

Guys,

The initial question is around dot1x authentication. Please take some time to understand the question above. This has nothing to do with Administrative access nor does it involve guests.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
487
Views
0
Helpful
7
Replies
CreatePlease to create content