Cisco ISE filtering devices

Working on a project, need to restrict access to a network. End users that are domain joined, as well as mobile users, can access the network, i.e. "users that have the Cisco AnyConnect app" using AD credentials.

What would be best practice for restricting access for the mobile users?

These are some methods I have come across.

MDM Server - This would not work in this case, due to the fact that most of the devices are not owned by the company.
CA Certs
GPO
Profiling in ISE - Not sure if this works how I am thinking it would.

Any input would be greatly appreciated.
Jordan Taylor, Network Engineer, Asked:
 
Pete Long, Technical Consultant, Commented:
Yes - you onboard personally owned machines; domain joined machines you can issue certs by auto-enrolment, and you can set AnyConnect to use certs or passwords (or both) to then authenticate.
1
 
Pete Long, Technical Consultant, Commented:
ISE is an expensive prospect? If it's restricting access for mobile users only, then simply securing AnyConnect with certs is the way to go; this means you need to manually issue certs to non-company-owned devices though?

With ISE you can create an enrolment portal for certificates, for non-domain-joined devices.

Pete
1
 
Jordan Taylor, Network Engineer, Author Commented:
Thanks, Pete,

Okay, currently users are accessing the network through Cisco AnyConnect. I would like to restrict that in some way or form.

So since Cisco ISE is already in place this would probably be the best case solution at this point. I found the following documentation for Cert templates within Cisco ISE. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html

Is this what you were referring to? And from there I can push out certs for PC and Mobile devices as well.
0
 
Jordan Taylor, Network Engineer, Author Commented:
Thanks for your assistance!
0
Question has a verified solution.
