
Restricting dot1x capable devices from using self registration portal.

nathsack
Cisco Employee

Recently, we started receiving alerts that we've exceeded our Plus license count. It is my understanding that devices registered via the self-service web portal will consume one Plus license when they go online.

 

I'm looking for a way to enforce a policy that if a device is capable of doing 802.1X authentication, it will not use the self-service portal to register that device. Also, is it possible to identify dot1x-capable devices and purge them from the database?

 

Any other thoughts on limiting the use of the Plus license?

Accepted Solutions

The challenge here is that the portal itself will not attempt to identify the type of device the user is trying to register. The MAC address could potentially be a device that ISE has never seen before. As a result, we will not be able to determine a device's 802.1X capabilities based on the MAC address alone.

 

Regards,

-Tim


3 Replies

Timothy Abbott
Cisco Employee

Could you clarify your meaning of self registration portal? Self Registration could mean a Guest use case in which a plus license is not consumed since guest is a part of the base license. However, BYOD is a plus feature in which devices are also "registered" with the system. I suspect the latter is the case but wanted to verify. You can identify dot1x devices and purge them, but it will take a lot of manual work as this is not something ISE can automate other than purging endpoint identity groups.

 

Regards,

-Tim

This is for BYOD.  It is for a "my devices" portal at a university.  
