ISE and iPads

George Stefanick
VIP Alumni

I have been playing with ISE for a few weeks now. I want to get the thoughts of other more experienced ISE users.

I have concluded it is best to use EAP-TLS with certs to differentiate between corporate-owned iPads and BYOD iPads. Although ISE does a great job fingerprinting, a user can log onto his BYOD iPad and enter his AD account and get on the production network. A cert would certainly fix this problem.

But is there any other fail-proof way without a certificate? What are other folks doing to manage which iPad is which?

I've also concluded I am not able to posture an iPad. I was thinking, since we use Zenprise as our MDM platform, I could then use a service posture to see if it was running and, if so, determine by that that it was a corporate-owned iPad. However, under the posture services, I only see Windows OSs and no Apple love at all.

Any feedback is appreciated.

P.S. I rate helpful posts! LOL

Thank you!

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
17 Replies

Aman,

Here is more information on the host scan that runs on AC3 -

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html#wp1177378

As far as deploying ASA in an ISE environment, you can still achieve the same dACL configuration that you were running before. If you want to enable posture remediation on your VPN clients or profiling, then you will have to deploy an iPEP node, which acts as another firewall for all the VPN users before their traffic enters the network. From there the traffic policies are governed by the admin node.

Thanks,

Alex Pfeil
Level 7

You could also do two static profile groups by the MAC address. I don't think it would be easier than two SSIDs, but it is a way to do it with ISE.

Thanks,

Alex

Sent from Cisco Technical Support iPhone App

johncaston_2
Level 1

Hi George,

I've just been through the same issue: when the WebAuth page appears, it is closed when the certificate install comes up, and the WLAN is disconnected.

What you need to do is enable captive bypass on the WLC.

From the CLI or SSH, type the following command:

config network web-auth captive-bypass enable

And reboot.

Now you can connect to the provisioning SSID, and when you open up the web browser you will be redirected OK.

Good luck

Sent from Cisco Technical Support iPad App