ISE and iPads

I have been playing with ISE for a few weeks now. I want to get the thoughts of other more experienced ISE users.
I have concluded it is best to use EAP-TLS with certs to differentiate between corporate-owned iPads and BYOD iPads. Although ISE does a great job fingerprinting, a user can log onto his BYOD iPad, enter his AD account and get on the production network. A cert would certainly fix this problem.
But is there any other fail-proof way without a certificate? What are other folks doing to manage which iPad is which?
I've also concluded I am not able to posture an iPad. I was thinking, since we use Zenprise as our MDM platform, I could then use a service posture to see if it was running and, if so, determine by that that it was a corporate-owned iPad. However, under the posture services, I only see Windows OSs and no Apple love at all.
Any feedback is appreciated.
P.S. I rate helpful posts! LOL
Thank you!

George

Unfortunately there is nothing within an iPad or iPhone which we can leverage as a unique identifier between a corporate SOE iPad and a BYO iPad.
E.g. with a workstation deployment we could set up posture assessment to look up a particular reg key in a Windows box, so this doesn't help us with Apple iOS.
With iDevices we can only match on the particular information we obtain through profiling and/or authentication, so we have to make authentication the differentiator.
Through all of my deployments, the only way I have found so far is for the client to have an MDM solution installed and also have an internal CA installed.
The client deploys company-issued iPads with internal certificates through their MDM solution.
I usually deploy 2x separate SSIDs, one for corporate users, one for BYO.
I anchor the BYO SSID to another WLC that is out on the DMZ and the client then limits internal connectivity through the firewall.
The corporate SSID performs cert auth and the BYO SSID performs PEAP auth, if their BYO users are set up in AD or leap.
My ISE authorization rules are set up to match the different WLAN SSID identifier numbers and the authorization sources of AD or LDAP.
Cisco will be releasing new ways to profile devices; maybe we will be able to leverage something unique in the future.
Dale
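
The two-SSID split described in the reply above, modelled as an added example (not code from the thread and not ISE configuration): a first-match rule table keyed on WLAN ID, EAP method and identity source, next to a weaker rule that keys on AD membership alone and so admits a BYOD iPad whose user types AD credentials. The WLAN IDs, CA name and result names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed placeholders: WLAN IDs, CA name and result names are
# assumptions for this sketch, not values from the thread.
CORP_WLAN_ID = 1
BYO_WLAN_ID = 2
INTERNAL_CA = "Example-Internal-CA"


@dataclass(frozen=True)
class Session:
    wlan_id: int            # WLAN ID reported by the WLC for the SSID
    eap_method: str         # "EAP-TLS" or "PEAP"
    identity_source: str    # what authenticated the session: "CERT", "AD", "LDAP"
    cert_issuer: str = ""   # issuer of the client certificate, if any


Rule = Tuple[str, Callable[[Session], bool], str]

# Weak: any AD-authenticated session on the corporate SSID is trusted,
# so the device itself is never identified.
WEAK_RULES: List[Rule] = [
    ("Corp-AD-User",
     lambda s: s.wlan_id == CORP_WLAN_ID and s.identity_source == "AD",
     "PermitCorporate"),
]

# Split from the reply: certificate auth on the corporate SSID,
# PEAP against AD/LDAP on the BYO SSID (anchored to the DMZ controller).
SPLIT_RULES: List[Rule] = [
    ("Corp-Cert-Device",
     lambda s: (s.wlan_id == CORP_WLAN_ID
                and s.eap_method == "EAP-TLS"
                and s.cert_issuer == INTERNAL_CA),
     "PermitCorporate"),
    ("BYO-Directory-User",
     lambda s: (s.wlan_id == BYO_WLAN_ID
                and s.eap_method == "PEAP"
                and s.identity_source in {"AD", "LDAP"}),
     "PermitBYO-DMZ"),
]


def authorize(rules: List[Rule], session: Session) -> str:
    """First matching rule wins; no match falls through to deny."""
    for _name, condition, result in rules:
        if condition(session):
            return result
    return "DenyAccess"


# Constructed sample sessions.
CORP_IPAD = Session(CORP_WLAN_ID, "EAP-TLS", "CERT", INTERNAL_CA)
BYOD_ON_CORP = Session(CORP_WLAN_ID, "PEAP", "AD")
BYOD_ON_BYO = Session(BYO_WLAN_ID, "PEAP", "AD")
FOREIGN_CERT = Session(CORP_WLAN_ID, "EAP-TLS", "CERT", "Some-Other-CA")

if __name__ == "__main__":
    samples = [("corp iPad", CORP_IPAD), ("BYOD on corp SSID", BYOD_ON_CORP),
               ("BYOD on BYO SSID", BYOD_ON_BYO), ("foreign cert", FOREIGN_CERT)]
    for label, s in samples:
        print(f"{label:18} weak={authorize(WEAK_RULES, s):16} "
              f"split={authorize(SPLIT_RULES, s)}")
```
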

Similar Messages

  • ISE and wireless CWA

    Need some help on this one.
    This is ISE 1.1.1 and WLC 7.2
    I want to use CWA and Webauth for guest users, and I have configured that on the ISE and WLC.
    This is working but I need some clarification :-)
    First I tried to use AuthC policy with
    allowed protocols = PAP-ASCII + Host lookup
    The result of that was that for Mac OS X and MS PC it's no problem: I get redirected, log on, press yes on the AUP and I can go on surfing the web.
    But on the iOS devices I get redirected to the guest logon page, put in my credentials and instead of the AUP page I get a network error, could not connect.
    If I change AuthC to
    allowed protocols = Default Network Access
    all is working fine for all endpoints.
    I'm looking at the RADIUS Authentication Details but I don't understand what iPhone/iPad do differently.
    Another question here: can I get a redirect after successful logon instead of 'Please retry your original URL request'?
    Thanks!

    I did solve this (sort of) using an HTML redirect on a custom portal, going to the customer's web page.
    http://www.cisco.com/
    It would be nice to have a redirect to the page the user wanted to view prior to login, but this is good enough.

  • ISE and NAC wireless guest networks

    I have a wireless network that is NAC controlled and use lobby ambassador for guest wireless. What is the best way to migrate to ISE for guest? Are there problems running NAC and ISE on the same controller?

    Hello,
    For your query regarding ISE and NAC, the following are my findings, which might help you in order to solve your query.
    For your first question:
    ISE is a free software upgrade for customers who have a NAC appliance or NAC profiler. This is for both the base and advanced licenses.
    ISE is a 50% software discount for customers who have NAC guest server. The 50% discount is a migration part for the base license only. The advanced features license will not be impacted by this discount.
    For your second question:
    There should be no issues running NAC and ISE on the same controller until and unless you are using two SSIDs.

  • ISE - iPhone/iPad

    Hi,
    I'm working on my CWA WebAuth for guest access and I have tested a Windows PC, OS X, iPhone and iPad.
    But I get this redirect problem after the endpoint has authenticated once and gets profiled, with its MAC address added to the Endpoint list.
    When I try to connect, after a client reboot and disconnecting the client in the WLC, I get redirected to the guest portal page, I put in my credentials and get access granted.
    After the device gets profiled and shows up under Endpoints, I now get a network error when I try to make a new connection, disconnecting clients in the WLC and rebooting the client. If I wait too long with my credentials the MAC address gets into the Endpoint list and it stops working.
    If I remove MAC addresses from the Endpoint list it works again, without a reboot or disconnecting the client in the WLC.
    My policy is rather simple:
    Authentication Policy:
    -Wireless-MAB  allowed protocols Default and use internal users - If user not found Continue
    Authorization Policy:
    -If Guest and Wireless MAB then Gurst_acl (allow all acl, any-any)
    -Default if no match then Wireless-CWA (redirect and acl for dns and ise portal)
    Why is it behaving like this? I need profiling later on so it would be nice to have it going.
    Thanks

    There are no issues with the policies; they look fine. Please review the links below, which might be helpful:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_61_byod_provisioning.pdf
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml

  • Jabber for iPhone and iPad cannot receive calls

    We currently have Call Manager 9.1.1 and Presence 9.1.1.
    I am starting to use the Jabber Client for iPhone and iPad, but am having trouble receiving calls dialed to a particular extension.
    If I go to settings for the iPhone Jabber client as an example, I am successfully connected to all accounts: IM, Phone Services, Voicemail, and WebEx.
    When I go to the keypad, I can successfully dial internal extensions and make outbound calls to any numbers and they come across as using my extension.
    When calling the extension, my desk phone rings, but not the Jabber client.
    Not sure what could be causing this issue to occur for Jabber not receiving the calls.
    Thanks for any suggestions.
    Paul Gaydos 

    Should still work. But it would be good to check indial into Jabber with the phone unplugged, just for testing purposes.
    Also, have you checked that the partition and configuration on the TAB device are the same as on the desk phone?
    Can you attach Call Manager traces when making a test call and attach them to the case? Let us know the extension and device names you have used in the test, and a timestamp of the test.
    thanks

  • How do we split our iCloud accounts but keep one iTunes account so we can share purchased content for our multiple iPhones and iPads?

    How do we split our iCloud accounts but keep one iTunes account so we can share purchased content for our multiple iPhones and iPads?

    You can migrate a copy of the data to a new account, then delete the other person's data from each account.  To do this, on the phone that will be changing accounts, if you have any photos in photo stream that you want to keep on the phone, save these to your camera roll by opening the photo stream album in the thumbnail view, tapping Edit, then tap all the photos you want to save, tap Share and tap Save to Camera Roll. If you have any synced notes that you want to keep on the phone, email these to yourself so you can create new notes in the new account.
    Once this is done, go to Settings>iCloud, scroll to the bottom and tap Delete Account.  (This will only delete the account from this phone, not from iCloud.  The phone that will be keeping the account will not be affected by this.)  When prompted about what to do with the iCloud data, be sure to select Keep On My iPhone.  Next, set up a new iCloud account using a different Apple ID (if you don't have one, tap Get a Free Apple ID at the bottom).  Then turn iCloud data syncing for contacts, etc. back to On, and when prompted about merging with iCloud, choose Merge.  This will upload the data to the new account.  You will create a new iCloud email address when you turn Mail to On.
    Finally, to un-merge the data you will then have to go to icloud.com on your computer and sign into each iCloud account separately and manually delete the data you don't want (such as deleting your wife's data from your account, and vice versa).

  • I currently have one iTunes account for my personal iPod Touch and for my work iPhone and iPad.  Can I create a separate account for work and keep my current account for my personal use - on the same computers?

    I have an iTunes account for my personal iPod Touch - have had for several years.  When my work provided me with an iPhone and now an iPad 2, they all fell under my personal iTunes account.  Is it possible for me to create a separate account for my work devices and apps, while leaving my personal account intact?  I use both my computer at home and at work to sync occasionally.

    A much simpler solution would be to go into Settings > Store and turn off Automatic Downloads

  • I have one Apple ID for both my iPhone 4S and iPad. My iPad was stolen from me and when I checked iCloud, it can only locate the iPhone 4S. How can I locate the iPad device?

    I have one Apple ID for both my iPhone 4S and iPad. My iPad was stolen from me and when I checked iCloud, it can only locate the iPhone 4S. How can I locate the iPad device?

    Welcome to the Apple Community.
    You can only locate your device when it is logged into iCloud and 'Find My Phone' is enabled, additionally the device will need to be switched on and connected to a wifi or cellular network.
    Unfortunately, you cannot activate iCloud or 'Find My Phone' remotely.

  • I have one Apple ID for my Mac and another used for both my iPhone and iPad.  Purchases from iTunes don't appear on either my iPhone or iPad, only on the Mac. How do I sync the two IDs?

    I have one Apple ID for my Mac and iTunes account and another that is used for both my iTunes and iPad.  When I purchased music from iTunes using the Mac ID, the music isn't available on my iTunes or iPad.  Neither lets me change my ID, so how do I fix this issue so I can play the music on all three?

    Hello chlanli
    You would need to use one Apple ID for purchases in order to get them across all of your devices and computer. If you want you can use one Apple ID for purchases and the other one to sync personal data. The article below will explain further.
    Using your Apple ID for Apple services
    http://support.apple.com/kb/ht4895
    Regards,
    -Norm G.

  • HT201084 My family shares one Apple ID on multiple devices.  How do I switch everyone over to their own Apple ID without having to erase their iPhones and iPads?

    My family currently shares one Apple ID on multiple devices and has for quite a while.  How do I switch everyone over to their own Apple ID and Family Sharing without having to erase their iPhones and iPads?

    Thank you again for your time, GB.
    I set up individual Apple ID's for my children so that they could have their own Apple ID on their individual iPad minis (gifts from grandparents last year).  When I go to iCloud under Settings, I see my Apple ID listed at the top, then my children's listed under Family Sharing.  So the device is still using my Apple ID for iCloud, iTunes, etc., correct?
    To "assign" their own Apple ID to their own iPad mini, I would need to "Sign Out" from my Apple ID.  When I attempt to do so, I receive a warning that all of the Documents and Data will be lost/deleted. 
    So, instead of doing this, I figured out that I could do what you suggested.  Signing in using a child's Apple ID will allow her/him to use Game Center, FaceTime, and Messages just fine.  However, using their Apple ID for iTunes & App Store proved to be a problem:  Purchased Music and Movies appeared in iTunes, but my Purchased Apps did not appear.  Some Apps even disappeared, e.g. Proloquo4Text (a $99 app to help my son speak with his iPad).
    So I reverted to using my Apple ID for iTunes & App Store, and I get everything that I want, EXCEPT for the iCloud storage for each Apple ID.
    So that's when I started wondering how Family Sharing was really benefiting me ~ It was a lot of work (deleting apps to allow space to download iOS 8, etc) without any benefit that I can see.  UNLESS I find a means to allow me to sign in each iPad's iCloud account with a different AppleID, then perhaps restore the Documents and Data from a backup?  Would that work?
    Thanks.

  • OK Apple users... Is there a way to delete e-mails on my Mac and not have to delete the same e-mails on my iPhone and iPad, and vice versa? I have the Cloud, and thought that everything would sync all of the time. If you know of a setting I need to adjus

    OK Apple users... Is there a way to delete e-mails on my Mac and not have to delete the same e-mails on my iPhone and iPad, and vice versa? I have the Cloud, and thought that everything would sync all of the time. If you know of a setting I need to adjust, please let me know.

    Are you referring to @mac.com, @me.com or @icloud.com emails? Or some other email provider's emails?
    If the former, it should do that automatically. If the latter, no. iCloud does not (nor is it supposed to) sync non-Apple provided emails.

  • iPhone and iPad can no longer connect to iTunes Library via Remote

    Up until a couple of hours ago, I had no problems controlling iTunes on my MacBook Pro via my iPhone or iPad. Now, on both devices, I get an error saying it can't connect to my Library.
    All devices are connected to the same network. I get the error whether my firewall is on or off. I have tried re-adding the Library. When I do so the relevant device shows up in iTunes and the pairing process SEEMS to work. It tells me that my iPhone can now control my library, but it still can't connect.
    I've tried rebooting the router.
    All devices show the same IP address for the router and all are on the same subnet.
    I've just upgraded iTunes to 10.2.1 and everything on the iPhone and iPad has the latest upgrades.
    Also when I go to the iPod app on my iPhone and go to More -> Shared -> and then my library, I get an error saying "Cannot Connect to Media Libary"
    I've seen this advice, "You must also have the iTunes preference "Look for iPod touch, iPhone and iPad Remotes" enabled. " I cannot find this preference anywhere. It's not something I've ever looked for before so possibly the name of it has changed in a recent iTunes release. Can anyone tell me if I'm looking for the right thing and where I might find it?
    Any other ideas?
    Anyone else with a similar problem that has cropped up recently?

    Hi Everyone, I found a solution to this problem with no "Look for iPod..." option.
    Check "Allow iTunes Audio Control from Speakers"
    Then, RESTART iTunes.
    Here's a picture of what to check off:
    http://www.ilounge.com/assets/images/articles_jdh/itunes-102-2f.png
    Should Work.

  • iTunes no longer connects to 5S, iPad mini Retina and iPad 2 after iOS 8.02 update

    Since the iOS 8 and now 8.02 updates my iTunes does not connect at all to my iPhone 5s, iPad mini (Retina) and iPad 2.
    iTunes' built in diagnostic sync test says no devices found.
    I plug in the USB and nothing happens.
    USB ports are working fine. All my other USB plug ins still work fine.
    Same computer, same Windows 7 - 64 bit - all updated.
    I did a clean iTunes delete per Apple instructions and then reinstalled iTunes again per Apple instructions and still nothing.
    I got first a missing DLL error message and then not even a beep when plugging in the cord (yes all Apple accessories).
    Anyone else run into this issue?
    Sheesh I hate updates!
    Thanks!

    For device connectivity issues see TS1538: iOS: Device not recognized in iTunes for Windows, in particular section 5, and TS4062: iTunes 10.5 and later: Troubleshooting iTunes Wi-Fi syncing.
    tt2

  • I have a MacBook 4.1 with OS X 10.6.8 and just added memory (2gig) so I could sync my new iPhone and iPad. Now I'm told I need to upgrade my operating system. The Apple store gave me conflicting instructions. Any suggestions? Thanks

    I have a MacBook 4.1 with OS X 10.6.8 and just added memory (2gig) so I could sync my new iPhone and iPad. Now I'm told at the Apple store that I need to upgrade my operating system. They said they couldn't help and gave me conflicting advice about what to do. Any ideas? Thank you!

    There are three models of MacBook that comprise the 'macbook 4.1' category, and each of them a little different; however other than 'macbook 4.1' the other thing they have in common is they all are considered Early 2008. Two are white, one black, polycarbonate case, Core2Duo 2.1GHz, 2.4GHz white, 2.4GHz black.
    So if you can determine which one, if any of these, is the model build year and spec you have, that would be handy. Did you tell whoever you spoke to the serial number of your computer, so they'd know by looking up the specs to see what the supported maximum RAM upgrade capacity was, and other minimum requirements to make any upgrade to Mac OS X 10.6.8 at all?
    If you have the serial number you can do a lookup to 'identify by serial number' online, and use that information to determine if the computer needs even more RAM to take it past the minimum for Snow Leopard 10.6.8 and then get it ready to upgrade (via paid download from App Store, Snow Leopard gets you that far) and see what the next supported OS X full upgrade would be for the hardware limitations on that old MacBook.
    If your MacBook IS a 4.1 build, the highest OS X it could run, if it has the 2.4GHz CPU, is Lion 10.7.5. That would be an upgrade from the App Store, available to OS X 10.6.8+ computers that access it online. And I kind of doubt how supported a newest iPhone etc. may be in Lion.
    everymac.com has a fair amount of information across many years of Apple computing hardware...
    Here's the three MacBooks that share the 4.1 designation; first shipped with as much as 1GB RAM upgrade and the other two only a 2GB RAM*, (one white/one black color) according to this information...
    • MacBook "Core 2 Duo" 2.1 13" (White-08) 2.1 GHz Core 2 Duo (T8100)   
    • MacBook "Core 2 Duo" 2.4 13" (White-08) 2.4 GHz Core 2 Duo (T8300)  
    • MacBook "Core 2 Duo" 2.4 13" (Black-08) 2.4 GHz Core 2 Duo (T8300)
    ...as seen here: http://www.everymac.com/systems/apple/macbook/index-macbook.html
    *But according to MacTracker (free: download database) http://mactracker.ca
    these MacBooks can use more RAM in aftermarket specs as much as:
    Maximum Memory
    6.0 GB (Actual) 4.0 GB (Apple)
    Memory Slots
    2 - 200-pin PC2-5300 (667MHz) DDR2 SO-DIMM
    To get more information use a service such as this...
    •identify by serial number:
    http://www.powerbookmedic.com/identify-mac-serial.php
    The Apple store, or whoever you talked to, may have been as accurate as they could be without further research. Could be you may have a newer or older MacBook, which would change whatever later OS X it could run past 10.6.8. And to go past Snow Leopard, you need to download the last bits for 10.6.x to be able to go and get any later upgrade. The ones that may let a newest iPhone or iPad work with it are past SL 10.6.8.
    Anyway, as you further verify the model build year and configuration specifications, report back.
    Good luck & happy computing!

  • TS3276 An email sent from my iMac has a button linked to a clip hosted on Vimeo. When received, the link functions on iMac and iPad, but opens a window of app icons on iPhone and iPod touch. Any ideas what's wrong?

    An email sent from my iMac has a button linked to a clip hosted on Vimeo. When received, the link functions on iMac and iPad, but opens a window of app icons on iPhone and iPod touch. Any ideas what's wrong?

    For anyone else reading this thread, it is worth knowing that sometimes an email is, or can be, corrupted thereby jamming the works. The solution above is good, but I just wanted to suggest another one.
    If the problem arises, go to an online mail access service, such as Mail2Web.com, log in to your mail account there and delete the offending message.
    Problem solved.
    And George, as this is all entirely voluntary, whinging about no takers may not endear people to you. Besides which, a few minutes of searching on Google would have found you a number of solutions.
