#CISCO ISE 2.4 CONFIGURE MDM HOW TO#
This section discusses those features and how to configure them. Most of the advanced ISE features discussed in this chapter use some common foundational features on network devices such as switches and Wireless LAN Controllers (WLCs). This chapter will also discuss micro-segmentation with Cisco TrustSec and how to configure ISE and the network for it. This chapter will also discuss how to configure the posture features of ISE.įinally, though access control is a must-have for network security, its real advantage can only be derived by applying granular permissions and micro-segmentation. The posture validation features of ISE are used to verify and remediate the posture of a device before granting it access.
Allowing such a device on the network increases the risk to other devices in the network. For example, if a laptop does not have the correct and updated anti-malware application running, then it is more likely to have been infected. If the posture does not comply with the organization‘s security policies, the device should not be allowed on the network. The posture of a device refers to the security applications running on the device and their state. In addition to confirming the identity of the user and device, the posture of the device should also be considered before granting access. While network access control has traditionally meant authenticating the user and/or device before granting access, it does not need to stop there. This chapter will discuss both of these features in detail. The Bring Your Own Device (BYOD) provisioning and Guest access features of ISE are used to provide access in such cases. This introduces the need to implement different kinds of access control mechanisms for these devices. Because these devices are not owned by the organization, it has no control over them nor does it have the ability to configure these devices for authentication. Sometimes, organizations even allow employees to bring their own devices for work purposes. With the increase in mobile device usage, employees, partners, vendors, and guests expect access to the Internet, at least. Unfortunately for network administrators, modern networks are no longer limited to these kinds of devices only.
On the other side, common unmanaged devices such as printers and IP Phones can be granted access with MAB based on profiling results. For a large enterprise, configuring thousands of devices using Active Directory Group Policy Objects (GPOs) is very easy. On one side, classic enterprise-owned devices such as laptops and desktops support and can be easily configured for 802.1X. As you probably realized, choice of authentication method depends on the endpoints being authenticated.
#CISCO ISE 2.4 CONFIGURE MDM MAC#
In Chapter 2, “ Basic Network Access Control,” we discussed 802.1X and MAC Authentication Bypass (MAB) and how to configure ISE and the network devices for it. Virtualization and Automation SolutionsĬhapter 4.Cisco Virtual Solutions and Server Virtualization.Cisco An圜onnect Secure Mobility Client.Layer 2 Encryption: IEEE 802.1AE/MACsec.Hashing, Ciphers, Cryptography, and PKI.The Many Integration Types of the Ecosystem.Using TACACS+ for Device Administration.RADIUS Versus TACACS+ for Device Administration.Posture Assessment and Remediation with ISE.MDM Onboarding and Enforcement with ISE.Configuring Wireless Network Access with ISE.