02-29-2012 05:30 PM - edited 03-10-2019 06:51 PM
I have been playing with ISE for a few weeks now. I want to get the thoughts of other more experienced ISE users.
I have concluded it is best to use EAP-TLS with certs to differentiate between corporate-owned iPads and BYOD iPads. Although ISE does a great job fingerprinting, a user can log onto his BYOD iPad, enter his AD account, and get on the production network. A cert would certainly fix this problem.
But is there any other fail-proof way without a certificate? What are other folks doing to manage which iPad is which?
I've also concluded I am not able to posture an iPad. I was thinking, since we use Zenprise as our MDM platform, I could then use a service posture to see if it was running and, if so, determine from that it was a corporate-owned iPad. However, under the posture services, I only see Windows OSs and no Apple love at all.
Any feedback is appreciated.
P.S. I rate helpful posts! LOL
Thank you!
03-27-2012 05:36 PM
Aman,
Here is more information on the host scan that runs on AC3 -
As far as deploying ASA in an ISE environment, you can still achieve the same dACL configuration that you were running before. If you want to enable posture remediation on your VPN clients or profiling, then you will have to deploy an iPEP node, which acts as another firewall for all the VPN users before their traffic enters the network. From there the traffic policies are governed by the admin node.
thanks,
05-08-2012 07:00 PM
You could also do two static profile groups by the MAC address. I don't think it would be easier than two SSIDs, but it is a way to do it with ISE.
Thanks,
Alex
Sent from Cisco Technical Support iPhone App
11-07-2012 07:58 PM
Hi George,
I've just been through the same issue: when the WebAuth page appears, it is closed when the certificate install comes up and the WLAN is disconnected.
What you need to do is enable captive bypass on the WLC.
From the CLI or SSH, type the following command:
config network web-auth captive-bypass enable
And reboot.
Now you can connect to the provisioning SSID, and when you open up the web browser you will be redirected OK.
Good luck.
Sent from Cisco Technical Support iPad App