Keeping company-owned devices from joining guest SSID

chastewa
Cisco Employee

Is it possible to keep company-owned devices from joining the guest SSID?  Most of the company-owned devices are in AD.  If this is possible, is there a doc/whitepaper on how to set this up?

1 Accepted Solution

Accepted Solutions

thomas
Cisco Employee

ISE can authenticate a domain computer against AD; however, if the user chooses to join the Guest SSID, there is no 802.1X authentication for ISE to gather the machine credentials and check against AD.

To do what you want there are two options:

1) Create and maintain an Assets endpoint group - containing both wired & wireless NICs - under Administration > Identity Management > Groups > Endpoint Identity Groups. Upon association to the Guest SSID, the WLC will start a RADIUS session and your Guest access policy will compare the endpoint's MAC against this Asset MAC List. If it exists in the Asset MAC list, either send an Access-Reject or Access-Accept with a redirect to a web page that tells them this is not allowed.

2) Require all users/endpoints connecting to the Corporate SSID to perform device registration the first time they connect. They will be put into the Administration > Identity Management > Groups > Endpoint Identity Groups: RegisteredDevices group. You may then use the MAC address from the ISE Registered Devices list to compare with all endpoints associated to the Guest SSID. If the MAC exists in the Registered Devices list, either send an Access-Reject or Access-Accept with a redirect to a web page that tells them this is not allowed.

Please see our ISE Design & Integration Guides for all of our How To guides. Specifically, you will be interested in How To: ISE & BYOD: Onboarding, Registering & Provisioning.

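The decision both options above come down to is the same: a MAB request arrives from the guest SSID, the endpoint's Calling-Station-Id is looked up in an endpoint identity group (Assets or RegisteredDevices), and the policy answers with an Access-Reject or an Access-Accept carrying a redirect. The following Python is an added example, not code from this thread or from Cisco ISE, that models that lookup so the edge cases are visible. ISE is configured through its policy UI rather than code, so this only illustrates the logic. The SSID name, the redirect URL and the group contents are constructed sample values; the one practical point it demonstrates is that MAC addresses reach you in several notations (WLC Calling-Station-Id, CSV exports, inventory tools), so the comparison must canonicalise them first or corporate assets silently slip through.

```python
"""
Added example (not from the Cisco Community thread or Cisco ISE): a small
model of the guest-SSID authorization check described in the accepted answer.
Attribute names mirror the RADIUS attributes ISE would evaluate; the endpoint
groups, SSID name and redirect URL are constructed sample data.
"""
import re

# Constructed sample endpoint identity groups (in ISE these live under
# Administration > Identity Management > Groups > Endpoint Identity Groups).
# The MACs deliberately use mixed notations, as happens when a list is
# assembled from different sources.
ASSETS = {"00:11:22:33:44:55", "AA-BB-CC-DD-EE-01", "aabb.ccdd.ee02"}
REGISTERED_DEVICES = {"de:ad:be:ef:00:01"}

GUEST_SSID = "CorpGuest"                                  # assumed SSID name
REDIRECT_URL = "https://ise.example.invalid/not-allowed"  # placeholder portal URL


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to lowercase colon-separated form.

    WLCs typically send Calling-Station-Id as aa-bb-cc-dd-ee-ff; asset lists
    are often exported as aabb.ccdd.eeff or with uppercase hex. Comparing the
    raw strings would miss matches, so everything is canonicalised first.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def build_group(macs):
    """Canonicalise a whole endpoint group once, at load time."""
    return {normalize_mac(m) for m in macs}


# Option 1 uses the Assets group, option 2 the RegisteredDevices group;
# either way the check is a membership test against the canonical set.
KNOWN_CORPORATE = build_group(ASSETS) | build_group(REGISTERED_DEVICES)


def authorize_guest(request: dict, reject: bool = False) -> dict:
    """Evaluate a MAB request the way the guest authorization policy would.

    `request` carries the attributes ISE would see: the SSID the client
    associated to and Calling-Station-Id (the endpoint MAC). Returns a dict
    describing the RADIUS response: for a corporate asset on the guest SSID,
    Access-Reject when reject=True, otherwise Access-Accept with a redirect
    to the "not allowed" page; unknown endpoints get plain guest access.
    """
    if request.get("ssid") != GUEST_SSID:
        # Not this policy's concern; the corporate SSID is handled by 802.1X.
        return {"result": "Access-Accept", "reason": "not guest SSID, policy skipped"}
    mac = normalize_mac(request["Calling-Station-Id"])
    if mac in KNOWN_CORPORATE:
        if reject:
            return {"result": "Access-Reject", "reason": "corporate asset on guest SSID"}
        return {"result": "Access-Accept",
                "redirect": REDIRECT_URL,
                "reason": "corporate asset on guest SSID"}
    return {"result": "Access-Accept", "reason": "guest"}


if __name__ == "__main__":
    # Constructed requests: one asset in dotted notation, one unknown guest.
    for req in ({"ssid": "CorpGuest", "Calling-Station-Id": "AABB.CCDD.EE02"},
                {"ssid": "CorpGuest", "Calling-Station-Id": "12:34:56:78:9a:bc"}):
        print(req["Calling-Station-Id"], "->", authorize_guest(req))
```

Whichever response you choose, the check is only as good as the group behind it: a MAC list identifies the NIC, not the user, so keep the Assets or RegisteredDevices group fed from an authoritative source and review ISE's live sessions for guest-SSID MACs that should have matched but did not, which usually points at a notation mismatch like the one `normalize_mac` handles.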
