Profiling devices

This question was posted in response to the following article: http://help.adobe.com/en_US/photoshopelements/using/WS287f927bd30d4b1fffab87f12e28a86132-7fef.html

I'm trying to use an Ilford paper and I've downloaded the paper/printer profile into the folder that holds all the profiles: Windows/System32/spool/drivers/color. How do I get the profile to be read by the PSE 10 dialogue when I go to print the photo? I don't see this profile referenced anywhere. All I get are the ones that are listed for my printer, a Canon Pro9000 Mk II. I tried the Smooth Pearl and it came out with a yellow cast. I'm using all Canon Chromalife 100 ink.

Similar Messages

  • I can't add my MacBook Pro to "My support Profile" devices

    I just changed my MacBook Pro from one iCloud account A to account B. I then logged in 'My Support Profile' on account B to add it to 'My Products'. When I typed in the serial number, I got the message
    "According to our records, this serial number is registered to another Apple ID. If you have more than one Apple ID, log in to My Support Profile with that Apple ID to see your other registered products."
    I then logged in to account A to check if the device was maybe still listed on it; it wasn't. So, I believe "your records" are wrong - is this just because of a delay of a couple hours or is there a more serious problem?
    By the way, I've been able to download iCloud music on my MacBook from account B, so it's definitely communicating with account B all right.

    sbgirl54 wrote:
    So, I believe "your records" are wrong - is this just because of a delay of a couple hours or is there a more serious problem?
    You aren't addressing Apple here.  This is a user to user technical support forum.  Also, this has nothing to do with iCloud, even though you may have registered it with the same ID you use for iCloud.  Regardless of what ID you use for iCloud, you can register your Apple product with any valid Apple ID.

  • Function module to create formula profile : Device Management/ EDM

    Hi experts!
    We create Formula profile against register 2 of the bi-directional device using transaction EEDM06.
    We create profile header by using function module "ISU_S_PROFHEAD_CREATE" but this function module doesn't have input parameter that need to passed specifically creating Formula profile like-
    Formula Prof. Calc = ZNET (fixed)
    Status Group = (i.e., value valid, est man, changed/entered, from date) fixed
    Profile = Profile1 as allocated to RG-002. (always)
    After saving this Formula profile header, allocate the profile to Device is also couldn't be done using function module ISU_S_PROFHEAD_CREATE .
    Please help me is there specific function module to create Formula profile. If you need any clarification, please suggest.
    Thanks,
    Rohit

    you could also create a master data template in EPRODCUST for MD Template Category   INSTALLATION & EDM_PROFHEAD if you need to create the profile header.
    We've wrapped some in function module interfaces for easy automation.
    ISU_S_LPASSLIST_MAINTAIN is an internal function, so I don't recommend building anything on it.

  • ISE - How long ISE will hold the profiled devices?

    Hi,
    After ISE profiles a device, for how long does it hold that information in the endpoint identity store? Is there a purge mechanism? The reason I ask is, what if a guest comes and connects to a network and never comes back again. Will ISE hold the profiled MAC address of the device forever? Is there a way to purge if the MAC is not seen on the network for x days? Or is there a manual purge?
    Any help is appreciated.
    Regards,
    Mohan 

    I have an enhancement request in TAC asking for this feature. I have an ISE deployment which wants users to be statically assigned which will overwhelm the db after some time. I will have to check my notes and will forward the bug id to you.
    Thanks,
    Sent from Cisco Technical Support iPad App

  • Distribution Provisioning Profile - Device ERROR

    Hey,
    I created a Distribution Provisioning Profile, but somehow, I get an error...
    When I click Build and Go I get an alert window: The the device doesn't have provisioning profile the application was signed with. (iPhone SDK 2.2.1)
    It's strange, because I have the Development Provisioning Profile on my iPod Touch, but somehow, I can't sign it for distribution.
    Can someone tell me, what the mistake is? I created an other Distribution Provisioning Profile maybe 3 months ago, and that worked, so it is really strange, having these problems now.
    Thank you very much in advance!

    Start over...
    Did you create/download all three of these?
    • yourapp_nameprofileName.mobileprovision
    • distribution_identity.cer
    • AppleWWDRCA.cer
    Did you keychain access/approve the new distribution certs?
    Did you toss all the new k'chained d'certs onto the project?
    Did you clone the app's release configuration and rename it 'Distribution'?
    Did you select the new 'iPhone Distribution' code sign profile for both instances in the apps's build tab?
    Did you close/open the project after the above?
    Did you configure the project for device and distribution & build for release in all the right places?
    Did you include a 57X57 app icon in png format?
    Again, if the error mentions 'device', you still have a 'device' provisioning certificate mixed into the 'distribution' process at some point. Sorry, but I can't tell what you may have done to get to that point, exactly.
    In my experience, it is quicker to clean out and start over with fresh distribution certificates, repeating the entire distribution/configuration/build/upload process, step-by-step, than it is to probe for one or more 'things' that may be contributing to the problem.

  • Team Provisioning Profile Devices issue

    Hi there,
    I got a problem with added devices in my team provisioning profile.
    In my Dev Center I see all devices I have added (7). 4 of them have 1 Details in profiles and 3 do not.
    My online profile says I have 4 devices in my profile and refreshing in organizer does not work as I expected - I see only my iPhone and 3 other devices.
    What could be the problem with 3 other devices and how to get it working with all registered devices?
    Many thanks for help

    Solved!
    it was just a distribution profile not installed in XCode.
    The case is closed - sorry
    regards

  • ISE Profiled devices not being used in authz policy.

    ISE is standalone.
    ver 1.2
    Eval license.
    I have a number of Cisco IP phones profiled by DHCP probe and sitting in the Endpoint Identity Group "Cisco-IP-Phone" (dynamic not static).
    However when this is used in an Authorization Policy it never matches.
    Just a basic Policy:
    if Cisco-IP-Phone (no conditions) then Cisco_IP_Phones ......no match.
    I can change Identity group to ANY and it works.
    Sure I must be missing something but I've gone round and round with this.
    Tried deleting endpoints and allowing them to repopulate....failed.
    Tried changing endpoints to static with no luck.
    Noticed the "Cisco-IP-Phone" group is under the "Profiled" group so tried using that in the policy....no change.
    Whatever i've tried just ends with the Authz going to the "Default" policy.

    Thank you for providing the detailed information. The problem is not with profiling as that appears to be working as expected. I believe that the issue is with your authentication policy. Looking at screen shot #2 you don't have a single policy that is enabled to allow a phone to authenticate via MAB. All of your MAB policies are showing as "disabled." The default policy is set to only use Internal Users as its Identity Store and phones won't be stored there. Your authorization policies look OK so I would suggest you try the following:
    1. Enable the top authentication rule called "MAB"
    2. Confirm that "Allow PAP/ASCII" and "Detect PAP as Host Lookup" are enabled under the Allowed Protocols
    3. Ensure that "Internal Endpoints" is selected for the Identity Store
    4. Test again
    Thank you for rating helpful posts!

  • ISE Not Profiling Non-Domain Devices

    I am having an issue where ISE is not profiling devices that do not belong to our domain. Machines with computer accounts in our domain get profiled with no issue. It does not matter if it is an apple device, windows device, or android device. The user can successfully get a prompt for their username and password, however they will get an error stating 'Incorrect Username or Password'. If I drill into the failed attempt, they get a 15039 Authorization Failed and it assigns DenyAccess to them. If I find the device by MAC address in the profiled endpoints, it remains UNKNOWN. If I manually assign a profile, then it lets the device on and successfully identifies the user. I need to be able to allow users to use their devices to gain access to the network.
    SYSTEM INFO
    ISE Ver: 1.1.4.218
    Stand Alone Mode
    Profiling Setup
    DHCP - Interface ALL - Port 67
    HTTP - Interface All
    Radius
    DNS - Timeout 2
    Authorization Policies
    Wireless Blacklist Default - if Blacklist and Wireless_802.1X then Blackhole_Wireless_Access
    Profiled Cisco IP Phones - if Cisco-IP-Phone then Cisco_IP_Phones
    OnlyMachineAuth if AD1:ExternalGroups EQUALS EDUORG/Users/Domain Computers then PermitAccess
    Guest if WLC_Web_Authentication then Guest_Profile
    Employee if (Apple-iPad OR Workstation OR Android) AND (Wireless_802.1X AND AD1:ExternalGroups EQUALS EDUORG/User Accounts/All Employees AND AD1:ExternalGroups NOT_EQUALS EDUORG/Students/All Students ) then Employee_Profile
    Student if (Apple-iPad OR Workstation OR Android) AND (Wireless_802.1X AND AD1:ExternalGroups EQUALS EDUORG/Students/All Students AND AD1:ExternalGroups NOT_EQUALS EDUORG/User Accounts/All Employees ) then Student_Profile
    Default if no matches, then DenyAccess
    Any help would be greatly appreciated
    Thanks,
    Kevin

    Sorry for not explaining further. The guest network works flawlessly. Employees and students are the ones having the issues. They connect to the employee and student networks. The guest network is solely for guests. Employees and students still connect to their respective networks.
    Employees, for example would connect to the 'employees' network. They are unable to connect with their personal device. With their district issued laptop they can get on with no issue. Their district issued laptop is a windows machine which is joined to the domain. However, if a district employee decides to bring their ipad, they will still connect to the employees network. This is where they get the issue. It will not let them connect. It prompts them for their username and password, but then does not allow them on. The same applies to students.
    I hope this clarifies it a little better
    Sent from Cisco Technical Support Android App

  • Logical Profiles in ISE 1.2.1

    I´m having trouble understanding the Logical Profiles. 
    What I understand from the user guide: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#58510
    for those too lazy to read: 
    You can use the logical profile in an authorization policy condition to help create an overall network access policy for a category of profiles. You can create a simple condition for authorization, which can be included in the authorization rule. The attribute-value pair that you can use in the authorization condition is the logical profile (attribute) and the name of the logical profile (value), which can be found in the EndPoints systems dictionary.
    so I thought that meant that I can group Different Profiles (Apple Iphone, Ipad, Ipod) together into a logical group e.g. "BYOD_Idevice" and use this logical profile in the Authorization. 
    But I can´t choose this freshly created Logical Group in the Authorization Condition. As for the fact, I can´t choose this logical group ANYWHERE. 
    Leaning back and thinking about it - it somehow makes sense. In the Authorization, you don´t pick Profiles, you choose Identity endpoints. So whats the point about the logical profiles? I was hoping to clean/lean up my authorization rules with them. But for what would I use them else? 
    Or is this a bug in ise 1.2.1? Not sure if I should call tac about this, or if I´m just not getting it :D
    Thanks a lot for your help!

    Nice username! :)
    So yes, you are correct, the logical profiles would allow you to group different type of dynamically profiled devices and then reference that profile in your authorization rules. However, you won't see those logical profiles under the "Identity Group Details" section. You will need to leave that field blank. Instead, you need to look in the "second" condition box: expression > Endpoint > LogicalProfile
    Hope this helps!
    Thank you for rating helpful posts!

  • ISE 1.2 Profiling with iPAD Mini and Chromebooks

    Anyone run into issues with profiling devices properly with iPAD mini and Chromebooks? Recent testing with customer shows that ISE was not able to identify the devices properly. We have a case opened with Cisco, they came out with a patch for Chromebook last week but still broken, continuing to pursue with TAC. Just wondering what others have come across.

    Hi Tarik,
    Thanks for the reply. I am testing this for Mike. We have setup ISE 1.2 ( running latest patch 4) for wireless BYOD
    Issue: Chrome Book Device Registration - Not Supported
    Issue: Chrome Book Profile - Unknown
    Probes Enabled - DHCP / RADIUS / HTTP / SNMP

  • Best authentication method for controlling DEVICE access to wlan

    Hello,
    I have a similar question to this thread ( https://supportforums.cisco.com/message/3927713 ) but I'm interested about device control on top of user control. Just like that thread, we are using WPA2-AES Enterprise with PEAP MSCHAPv2, which allow users to log on with their domain credentials. We wanted something simple for our users, so MSCHAPv2 with "single sign on" was optimal to us.
    Problem is, we have a new requirement and we need to implement it yesterday. We would like to allow only mobile devices and computers of our choice.
    Since we are using MSCHAPv2 which allow every domain user to connect using any device as long as their domain credentials are valid, is there a simple way to control this ?
    I guess we could go with MAC filtering, but we have about a thousand laptops. Not a big problem, we could do a regular MAC address inventory using SCCM. It's just that it looks like a brute force tactic to a simple problem. Would a Cisco ACE 4.1 RADIUS server tolerate well a MAC address table with a thousand entries ? What if it goes to two thousands ? Would this be easy to implement ? I'm a bit new to this, is there some documentation I could follow ?
    How do people usually do this in an elegant way ? How do you manage and control WLAN access to thousands of device ? I guess they go with TLS with certificates ?
    Thank you very much !
    Konnan

    Konnan,
    Just saw your PM:)
    Would it be possible to configure Access policies even if our Radius servers aren't joined to the domain ?
    > I really don't know... typically all my installs have the radius server joined to the domain.  I don't know what limitations you would have using the setup you currently are using.
    Still wondering if it would be a good path for us, because of the computer authentication issue where it happens only at logon in Windows if I read correctly and our users don't have the habit to log off frequently and we use only manual connection mode when the user already has his session open. I guess MAR will have to be set to a stupid high value... if it even works.
    > Well you need to sit down with everyone who is involved and really think out what works best for you.  Machine authentication works well, but then people wonder what happens if someone logs in that isn't authorized and that because the computer is a domain computer it automatically gets on the network.  Well you're not going to get everything you want:)  So PEAP has issue because IT wants to limit the user to only be able to access using a company owned device... well, then ISE is your fix.  You can add a certificate that ISE can see and if that device has that or a registry value and the user is allowed to access the network, the authentication is allowed, or else it will not be.  EAP-TLS... well more work since you need a PKI infrastructure and both the radius and the clients need a cert...
    No matter what, you need to decide what works best and don't over complicate it with adding mac filter, etc.
    I'm wondering if EAP-TLS wouldn't be better for the long term, maybe with MAC Address restriction on the short term...
    > See above
    I'm also wondering if we could stay with PEAP MSCHAPv2 but use an NPS Radius server from Microsoft which allow to use complex policies instead of the Cisco ACS Radius server...
    > You need to know how to setup and configure the policies... either one will work, but if you're on ACS 4.x, I would look at upgrading to 5.4.  ISE is replacing ACS as far as the radius portion, but tacacs isn't yet available on ISE.
    There's also the Cisco ISE, which seems to be equivalent to Microsoft NPS... a bit more costly OTOH.
    > ISE allows you to profile devices so you know what device is accessing your network.  Again, ISE is replacing ACS as far as the radius, but tacacs will soon be out and available for ISE.  If you really want to create crazy profiles, then ISE is the way to go.  You can specify that this user group is allowed wireless, but it has to be a domain computer.  The user isn't allowed access if it's not a domain computer.  The same user group is allowed access with company iPads (certificate installed), but not have access with personal iPads, tablets or smartphones.
    Hope this helps.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • NAC Profiler 2.18: Endpoint Profiles Missing

    This is a licensed Nac Profiler which has no canned Endpoint Profiles included.
    I go to Configuration--->Endpoint Profiles---> View/Edit Profile List
    The message I see is "No Profiles Found"
    Please clue me in on what I am missing.
    This is from the install guide:
    "Enabling Existing Endpoint Profiles
    Cisco NAC Profiler ships with a number of predefined Endpoint Profiles that have been created and tested in field deployments. These Profiles can be re-used as-is if desired, or may be modified as the situation dictates. In addition, they serve as templates for creating new profiles as outlined later in this section, and illustrate how different rule types and varying levels of certainty can be used to accurately Profile devices.
    To view the list of Endpoint Profiles that are currently available in the system configuration, navigate to the Configuration tab, and select Endpoint Profiles option from the global navigation menu in the far left hand pane, or select Endpoint Profiles from the leftmost column of the table on the main Configuration page. Select View/Edit Profile List to display the Endpoint Profiles currently saved in the system configuration."
    Thanks.

    To verify that Cisco NAC Profiler is populating entries properly in the Device Filter list of the CAM, log into the CAM as administrator. Select the Filters button under Device Management in the left-hand navigation bar. The following screen displays in the main pane of the browser, enumerating all the endpoints currently on the CAM Device Filter list.
    After configuring the Server module parameters, adding NAC Events, and performing a Synchronization process (full or NAC Event level), the endpoints that are in the Profile(s) matching enabled (and synchronized) NAC events should be populated to the device filter list of the CAM.
    http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/218/p_integration.html#wp1055729

  • Color Profile on a MacBook Pro

    Hi all,
    I'm a novice user of Aperture and a novice user of Digital image processing as well ... so, as usual in this case, i apologize if everything i'm gonna ask, or a part of it , has been discussed in depth yet ... please point me there
    I have a macbook pro and i started post processing my images with aperture in the last 3 weeks. now i've been able to connect a second monitor , a philips 107s, and i hit the common problem of different colors displayed on the 2 monitors ... i spent almost 1 day trying to make the philips match as much as possible the colors of my macbook but even if i think i reached a good matching i can still see a clear difference between them.
    What i see is that on the macbook every image has *Much More* contrast than on the philips. I like more the way the pictures are shown on the macbook than on the external philips ... but now i'm wondering which one is correct or better i'm wondering how my pictures will appear when printed by a standard internet printing service.
    I'm scared that i wasted all my time post-processing on the macbook ...
    thanks in advance
    Francesco

    First of all, you really need to get a hardware profiling device like the EyeOne (or equivalent). That will help you get the colors to match... but even more importantly it will measure the luminance of the screen, you'll probably have to turn down one of the screens to match the other, which will also help them look the same. Because they are pretty different display types I don't think they are ever going to quite look identical though, as they have different abilities.
    Now as for printing, what you really need to do there to be safe is to turn on Aperture's soft proofing view for the device you intend to print to. Then you can review your edits and see if the images will have any problems. This is also where a hardware profiler comes in handy because until your display is profiled, you really can't quite rely on even the softproofing view in Aperture (or anything else on the system).

  • ICC Profile vs Photoshop vs Image

    Hi guys,
    First of all, please forgive my poor english.
    I have as usual been through all the forum-reading, answer-searching stuff.
    I've been having a problem with Photoshop color management since my last Windows upgrade to 7.
    Colors just won't display the same in Photoshop and outside Photoshop.
    I understand this has something to do with ICC profiles and applications being color managed or not.
    I just downloaded an ICC profile supposedly corresponding to my monitor (there : mine is the Dell E228WFPc, but their icc is for the E228WFP http://www.focus-numerique.com/test-42/-telecharger-un-profil-calibre-pour-son-ecran-dell-24.html I decided to try it anyway, and the colors look good...).
    I don't know what makes photos not look the same inside of Photoshop. It's the case for all photographs, including those that I postworked before my reinstallation of Windows.
    What would you suggest ?
    Thanks in advance for your answers.

    Color-management is simply the process of interpreting the colors in an image per a given document color profile, then preparing them for proper display on a device using a given device color profile.  Profiles describe how color values are interpreted into real colors that we see.
    Some of the first things to keep in mind with color-management are these:
    Not all applications are color-managed.  Many do not look at your monitor profile, and almost as many don't even look at your document profile.
    Given the above, colors can be expected to look different in images displayed by applications that ARE color-managed vs. those that ARE NOT.
    So in your case Photoshop, which is fully color-managed, is using both your image profile and your monitor-specific profile (and assuming they're accurate) to determine how to display colors on your monitor. This is NOT being done AT ALL in some apps, and only HALF being done in others (e.g., IE9 interprets the document profile but assumes your monitor is sRGB IEC61966-2.1).
    You're seeing the differences.
    Now, what's not a given is that your color profiles are accurately representing the color spaces of your document or display monitor.  You may have prepared your document properly using a particular color profile, but what steps have you taken to ensure your monitor color profile accurately matches your monitor?  That it's "the one" provided by the manufacturer may seem to be enough, but you don't really know what on-monitor settings or video card or cabling the manufacturer used to profile it, nor did they profile your particular copy.  In short, factory monitor profiles are notoriously inaccurate.
    You can choose to go in one of three directions:
    1.  Assume your factory monitor profile is accurate enough and just keep everything as it is.
    2.  Purchase a profiling device, follow their process for calibrating / profiling your display, and be sure your profile is accurate.
    3.  Assume your factory monitor profile is INACCURATE, replace it with the standard default sRGB IEC61966-2.1 profile, and work to set your monitor controls and video card curves manually to make colors displayed with the sRGB profile and this monitor as accurate as possible.
    The 3rd scenario actually has some advantages if you can accomplish it.
    -Noel

  • ISE integration with Mobile Device Management ( MDM ) help required

    Dear Techies,
    I am here to bring to your notice a different issue, with not many resources to support it even in PEC or Cisco documents.
    We are conducting a Proof Of Concept (PoC) on Secure Bring Your Own Device (BYOD) using Cisco ISE and gonna test all the scenarios like Wired, Wireless and VPN user access.
    Setup Brief :
    =========
    Our setup has an ISE VM acting as Admin, Monitor and Profiling Device, we have a NAC 3315 physical Appliance as Inline posture Device, Wireless LAN controller, Access point and the Identity source as Microsoft Active Directory
         Having Plans to Integrate Mobile Device Management ( MDM ) and Citrix VDI setup also.
    Activity Brief:
    =========
         As of now we have tested the Wired Scenario Authentication and authorization for guest users and gonna carry out the profiling and posture.
    Clarifications Required
    ================
    Wired Scenario - Require some configuration / steps on how to carryout posture for the guest wired users i.e. LAPTOP.
    Wireless Scenario
    MDM can be integrated to ISE ? 
    How the MDM can be integrated to Cisco ISE configuration or Guide to show the same?
    What is the demarcation between MDM and ISE ( i.e. What is the role of ISE and MDM on Mobile Devices ) ?
    If MDM is available so then when the control of ISE ends, does MDM do management or ISE will do management of the devices ?
    Is MDM will do client provisioning or ISE should do ?
    Is MDM send or update patches of Mobile Devices ?
    As of now these are the scenarios, kindly revert if any good documents to show this or share your expertise on the Integration Part.
    Thanks for Reading...
    Arun

    I would like to avail your valuable inputs to understand on the  Client provisioning part for the Mobile Devices/ Laptop. I understand  from your reply that MDM integration is not available in the current  release ISE 1.1 - That is correct.
    Kindly let me know your views or any documents on the following scenarios with the current release in mind
    1. User  with Mobile devices connecting to Wireless  ( both Employee  and Guest ) , How the Flow differs for the Employee and Guest.  How the  client provisioning is done ( i.e. Like Posturing  or Compliance Check  ).
    The posturing and compliance check is done based on the user authentication information (i.e. AD memberOf vs Guest user) combined with the users endpoint (windows, mac osx, or a mobile device), ISE then has a few decisions to make based on the authorization policies. For example, if a Domain User coming from a Windows 7 machine joins the network, then can either use the nac agent, or the web agent. Then you can scan for registry settings, file settings, program requirements, hotfix compliance...and the list goes on. If the user fails a check then you can either assign an acl for the user so they only have guest access, or you can place them into a remediation vlan the options are entirely up to the requirements and however the solution is implemented.
    2. User  with Laptop  connecting to Wireless  ( both Employee  and Guest ). How the client provisioning is done ( i.e. Like Posturing   or Compliance Check ).
    Guests are usually redirected to the guest portal which they authenticate and their user group falls within the Guest container that is on the ISE internal database, that is usually coupled with an authorization profile that grants them internet access. For the client provisioning, that is usually done based on the operating system, via profiling (dhcp, and user agent string., netmap...etc) and can be fine tuned for all laptops or to a specific set of users based on their group membership.
    3. What are advantages of having ISE also in  place for Mobile devices, since most of the Mobile related tasks ( like  Authentication, Authorization, Profiling and  Posture ) are carried out  by MDM. I am checking for the significant advantage of having ISE for  Client network having only Mobile devices. Kindly clarify.
    Currently the advantage of Cisco ISE is that it supports profiling within wireless and really fits well within a network that has mostly Cisco products since they are all part of the Borderless security initiative being driven on the backend. The product teams for wireless, wired, security (vpn..etc) and ISE are pretty close in building their solutions so that you can get connected with any device any where (sorry for the sales pitch). The latest wireless code is improving and is going to have support similar to the ios sensor for wired devices where dhcp, cdp, and other attributes can be sent in the radius packet for better profiling decisions. With integration for an MDM platform coming soon, and also support for TACACS rumored (have to verify with your account rep) you have options that really stand out from a unit that only supports MDM. Cisco ISE also comes with a wireless product ID so that makes the budget work when it comes to deploying ISE if you aren't looking for enforcement on your wired devices.
    4. Do you recommend 802.1X Authentication to use for the Employee and Contractor? The Guest user  authentication as Open ?
    For internal users and vendors the best option by far is dot1x, almost all operating systems are capable of performing dot1x and the 1.1.1 MR has a piece now that can provision the supplicant for the users, by using scep to enroll certificates or configure peap settings.
    There is a feature within the guest portal that allows you to statically assign guests into endpoint group, that feature is called device registration web authentication. It seems like an open network but uses mac filtering to assign these devices to an endpoint without requiring users to enter any credentials. They are presented with an AUP page, once they accept their mac address is mapped to the endpoint group
    5. How can we ensure the Encryption of traffic from the Guest user to the NAD ( Network Access devices ) ?
    This may be a wireless question but I am sure the encryption is done using AES and using dot1x as the key management here is a brief background for this - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#L2
    You can also use the anyconnect client which can provide macsec which is layer 2 encryption for wired - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html
    6. We are also looking for VDI  ( Citrix, VMware ) solution for the  client  ( both Employee and Guest ) , how ISE can play a role in  securing the VDI environment.
    For most thin clients you can perform dot1x authentication on the device itself, however that is something the manufacturer will have to support. This is a little gray for me.
    7. Is that any integration required  with Citrix or VMware. How the  VDI can be offered based on the User  role ( i.e. Employee, Contractor or Guest ), since Guest database is  available only with ISE, how the checks are made from the VDI  environment.
    IN ISE there is an identity sequence which can authenticate users in AD first, if the user is not found then it can look in the internal database.
    Our solution demands  MDM in the integrated  solution, As on today ISE cant be integrated with MDM. so what kind of  solution we can propose to have MDM and Cisco ISE .Do the clients now  enter the network should have already installed the MDM agent (or) any  other way of pushing the same to the Client.
    Today there is no integration between the devices, the last release time I heard was December for this feature. However it would be best to confirm with your Cisco Account rep on this issue.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
