asked on

Cisco ISE filtering devices

Working on a project, need to restricted access to a network. end users that our domain joined, as well as mobile users, can access the network. i.e "users that have the Cisco any connect app" using AD credentials.

What would be best practice for restricting access for the mobile users?

These are some methods I have come across.

MDM Server - This would not work in this case, due to the fact that most of the devices are not owned by the company.
CA Certs
GPO
Profiling in ISE - Not sure if this works how I am thinking it would.

Any input in the would be greatly appreciated.

Pete Long

ISE is an expensive prospect? If its restricting access for mobile users only then Simply securing AnyConnect with Certs is the way to go, this means you need to ,manually issue certs to non company owned devices though?

With ISE you can create an enrolment portal for certificates, for non domain joined devices.

Pete

Jordan Taylor

ASKER

Thanks, Pete,

Okay, currently users are accessing the network through Cisco Anyconnect. I would like to restrict that in some way or form.

So since Cisco ISE is already in place this would probably be the best case solution at this point. I found the following documentation for Cert templates within Cisco ISE. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html

Is this what you were referring to? And from there I can push out certs for PC and Mobile devices as well.

ASKER CERTIFIED SOLUTION

Pete Long

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Jordan Taylor

ASKER

Thanks for your assistance!