Cisco ISE filtering devices

Working on a project, need to restrict access to a network. End users that are domain joined, as well as mobile users, can access the network, i.e. "users that have the Cisco AnyConnect app" using AD credentials.

What would be best practice for restricting access for the mobile users?

These are some methods I have come across.

MDM Server - This would not work in this case, due to the fact that most of the devices are not owned by the company.
CA Certs
GPO
Profiling in ISE - Not sure if this works how I am thinking it would.

Any input would be greatly appreciated.

Jordan Taylor, Network Engineer, asked:


Pete Long, Technical Consultant, commented:
ISE is an expensive prospect? If it's restricting access for mobile users only, then simply securing AnyConnect with certs is the way to go; this means you need to manually issue certs to non-company-owned devices though?

With ISE you can create an enrolment portal for certificates, for non domain joined devices.

Pete
1
Jordan Taylor, Network Engineer (Author), commented:
Thanks, Pete,

Okay, currently users are accessing the network through Cisco AnyConnect. I would like to restrict that in some way or form.

So since Cisco ISE is already in place this would probably be the best case solution at this point. I found the following documentation for Cert templates within Cisco ISE. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html

Is this what you were referring to? And from there I can push out certs for PC and Mobile devices as well.
0
Pete Long, Technical Consultant, commented:
Yes - you onboard any personally owned machines; domain-joined machines you can issue certs to by auto-enrolment, and you can set AnyConnect to use certs or passwords (or both) to then authenticate.
1
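As an added illustration of the approach Pete describes (this is example configuration written for this page, not from the thread, from Cisco documentation, or from the linked ISE guide): a headend-side AnyConnect configuration that only maps a connection to the remote-access tunnel group when the client presents a certificate issued by the enterprise CA, and then additionally requires AD credentials checked by ISE over RADIUS. The choice of a Cisco ASA as the AnyConnect headend, and every name, address, pool, issuer CN and key below, are assumptions for the example.

```text
! Added example, not configuration from the thread. Assumes a Cisco ASA as the
! AnyConnect headend and ISE as the RADIUS server. All names, addresses and the
! issuer CN are placeholders.

! ISE as the RADIUS server that validates the AD username/password
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.0.0.5
 key <shared-secret-placeholder>

! Trust the enterprise CA that issues the client certificates (ISE provisioning
! portal for personally owned devices, AD auto-enrolment for domain-joined ones)
! and check revocation so a lost device's cert can be invalidated
crypto ca trustpoint ENTERPRISE-CA
 enrollment terminal
 revocation-check crl
crypto ca authenticate ENTERPRISE-CA

! Only certificates issued by that CA match this map; a self-signed cert or one
! from any other CA does not get mapped to the remote-access tunnel group
crypto ca certificate map ENTERPRISE-CERT-MAP 10
 issuer-name attr cn eq Corp-Issuing-CA

ip local pool VPN-POOL 10.1.1.10-10.1.1.100 mask 255.255.255.0

group-policy GP-REMOTE-ACCESS internal
group-policy GP-REMOTE-ACCESS attributes
 vpn-tunnel-protocol ssl-client

tunnel-group RA-CERT-AND-AAA type remote-access
tunnel-group RA-CERT-AND-AAA general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-RADIUS
 default-group-policy GP-REMOTE-ACCESS
tunnel-group RA-CERT-AND-AAA webvpn-attributes
 ! "aaa certificate" requires both factors: a valid enterprise-issued client
 ! certificate AND an AD login via ISE. "authentication certificate" alone would
 ! accept the certificate by itself; "authentication aaa" alone is passwords only.
 authentication aaa certificate

webvpn
 enable outside
 anyconnect enable
 ! Connections presenting an enterprise-issued certificate land in the
 ! cert-plus-AAA tunnel group; devices without one never reach it
 certificate-group-map ENTERPRISE-CERT-MAP 10 RA-CERT-AND-AAA
```

The certificate map is what turns "has the AnyConnect app" into "has a device we issued a certificate to": the ISE provisioning portal in the linked guide handles getting that certificate onto non-domain mobile devices, and revocation via CRL is how access is withdrawn from a device the company never owned.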

Jordan Taylor, Network Engineer (Author), commented:
Thanks for your assistance!
0