I'm trying to build a BYOD policy in ISE 1.2. I would like ISE to get machine attributes as part of the authorization policy. Can this be done? I'm not talking about machine authentication. I need something that could be checked at any time.
Thanks for any help!
Not sure what you mean by machine attributes. Are you talking about hardware settings on some device, or attributes on a machine account in Windows Active Directory?
Well, if you are using your regular internal CA to issue certs for corp. assets, and another CA for BYOD via ISE provisioning for example, you can use elements from your device's cert in authorization rules.
Something like:
Corp cert issuer=internalca.corp.local
Byod cert issuer=byod.whatever.local
I have seen in the ISE 1.2 configuration guide that we can do machine authentication using AD, and once the machine is authenticated and authorised, profiling may happen and we can see the attributes. Please check the below link:
Cisco ISE retrieves user or machine attributes from Active Directory for use in authorization policy rules. These attributes are mapped to Cisco ISE policies and determine the authorization level for a user or machine. Cisco ISE retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.
Cisco ISE performs user and group membership lookups via LDAP to an Active Directory. Group membership is used to map sponsor users to the corresponding sponsor group in ISE. And if the user is not directly in an Active Directory group, but is a member of a group that is a member of the Active Directory group (nested groups), the user authorization is rejected.
User authentication on an authorization policy fails if the rule contains an Active Directory group name with special characters such as /!@\#$%^&*()_+~
You can also follow the below link:
Step 1: Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2: Click the Attributes tab.
Step 3: Choose Add > Add Attribute to add a new attribute, or choose Add > Select Attributes From Directory to choose a list of attributes from the directory.
Note: When you enter an example user name, ensure that you choose a user from the Active Directory domain to which the Cisco ISE is connected. When you choose an example machine to obtain machine attributes, be sure to prefix the machine name with "host/". For example, you might use host/myhost.
Step 4: Enter a name for the new attribute if you chose to add an attribute.
Step 5: Check the check boxes next to the attributes from Active Directory that you want to select, and click OK.
Step 6: Click Save Configuration.
If you choose to add attributes from the directory, enter the name of a user in the Example User field and click Retrieve Attributes to obtain a list of attributes for users. For example, enter admin to obtain a list of administrator attributes. You can also enter the asterisk (*) wildcard character to filter the results.