Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

ISE profiling end-users that use VPN

I had a quick question about identifying end users. Our users use VPN to connect and we use ICE for AAA with AD.

Problem is that

They would use Laptop to connect with their AD credentials and the same time use their IPad with the same AD credentials.

But we need to specify 2 different policy's one for Laptop and one for IPad.

How do you specify the difference between the two devices?

Will the ISE learn the MAC even when using the VPN?

Is there anyway to probe the device to get more info so we may put different policy based on device?

Thanks in advance for your help.

Everyone's tags (4)
New Member

ISE profiling end-users that use VPN

•Step 1       Open a new tab on the web browser and access the ISE administration web interface at  using the credentials admin / default1A.

  • •Step 2       Verify that the Wireless LAN Controller configured as a Network Access Device in ISE.
  • •a.     Navigate to Administration > Network Resources > Network Devices
  • •b.     Under Network Devices in the right-hand panel, select wlc2.
  • •c.     This network device is preconfigured with the values shown in the following table:
  • •d.     Update as needed and click Save when finished.
    • •Step 3       Demonstrate configuration for the SCEP CA Profiles.
    • •a.    Navigate to Administration > System > Certificates.
    • •b.    Go to SCEP CA Profiles. Verify profile as below

OPTIONAL: Click Test Connectivity to verify the connection to the SCEP server

  • •a.    Once Test Connectivity succeeds, click Submit to save the profile.
  • •b.    Under Administration > System > Certificates, go to Certificate Store, both the CA and RA (registration authority) certificates of the certificate chain for the SCEP server should have been automatically retrieved.
  • •c.     Go to Administration > Identity Management > External Identity Sources > Certificate Authentication Profile to create one with the following information:

Click Submit to save the changes.

  • •Step 4       Next go to Administration > Identity Management > Identity Source Sequences.
    • •a.     Create a new Identity Source Sequence.
  • •Step 5       At Policy > Policy Elements > Results > Authentication > Allowed Protocols, create a new entry with the name PEAP_o_TLS and allow only two protocols:
    • •a.     EAP-TLS
    • •b.     PEAP with inner method EAP-MS-CHAPv2
  • •Step 6       Policy > Authentication
    • •a.     Demonstrate the rule Dot1X.

Below shows the resulting authentication policy. The modified objects are highlighted in Yellow.

  • •Step 7       Demonstrate Authorization Policy rules under Policy > Authorization as shown below
  • •Step 8       Go to Policy > Client Provisioning and demonstrate rule which will look like the following:
  • •Step 9       You may add a new Native Supplicant Profile in-line within the Results cell. Create the native supplicant profile iOS_WPA2_TLS in-line as shown below:
  • •Step 10     Click Save to save the changes.
CreatePlease to create content