topic Machine and User Auth on ISE in Network Access Control

Machine and User Auth on ISE

rajan.pradhan — Mon, 11 Mar 2019 02:51:01 GMT

Hi All

Im using ISE for 802.1x auth of wireless users coming from a cisco WLC, all working perfectly fine, except I want to be able to restrict the authorisation to both active directory domain users AND computers, ie to use wireless you have to have a corporate computer that is on the domain. Having a real struggle with this, cant find a way to profile computers based on domain membership, or any way to authenticate both user and computer concurrently. Any help gratefully appreciated

Thanks

Machine and User Auth on ISE

edondurguti — Mon, 03 Dec 2012 17:37:02 GMT

Rajan,

This might help you.

https://supportforums.cisco.com/docs/DOC-27927

Also if you want to allow only DOMAIN COMPUTERS to be able to join the wireless you can set an Authorization Rule:

for example:

AD1:ExternalGroups equals Your.AD.Domain/Domain Computers AND

AD1:ExternalGroups equals Your.AD.Domain/Domain Users = ALLOW ACCESS

you will just need to go to Administration and add these groups to the store.

Machine and User Auth on ISE

rajan.pradhan — Tue, 04 Dec 2012 08:04:58 GMT

Thanks for that. Your suggestion is the first thing I tried originally, but it does not work. The problem is that after a user logs on to the PC, windows sends PEAP authentication for USER only, it does not authenticate the machine any more (under WindowsXP). So any Auth policy which tries to match machine AND user attirbutes causes auth to fail.

I need a way to force the client to authenticate by machine, or ISE to profile the endpoint by domain membership...

Machine and User Auth on ISE

spellluck — Wed, 05 Dec 2012 21:20:35 GMT

Rajan,

Windows does not natively support this. Machine Authentication via domain lookup occurs only during user login, and then you need to set as PEAP after the fact. In order to achieve the same affect, I deployed Cisco AnyConnect Secure Mobility client.

It will seem confusing at first, but what you'll want to do is download the AnyConnect 3.1 Standalone Profile Editor, and take a look at setting up a profile with it. Then you'll see what you can do in order to make the authorization rules in ISE.

I opted to use EAP-FAST and EAP-CHAINING in ISE 1.1.1 to do it. I then had my domain machines authenticate via machine certificate pushed out via GPO and then username/password discovered during login process. If it isn't cached from that process, it'll prompt the user again.

Hopefully this helps.