topic Thanks Neno, in Network Access Control

ISE 2.0 Domain & Non Domain Machine Auth Problem

kamlenegi — Mon, 11 Mar 2019 06:40:59 GMT

Hi,

Can anyone suggest me for ISE 2.0 authorization policy for Domain & Non Domain machine.

Requirement: Domain machine should authenticate from domain user id & password using PEAP. but non domain machine should not authenticate by using domain credential in windows supplicant.

I am trying it using user or computer setting and selecting authorization policy (domain computers & domain users)

Thanks

Kamlesh

hi Kamlesh-

nspasov — Tue, 19 Apr 2016 16:32:45 GMT

hi Kamlesh-

You can definitely do that. What you will need to do is:

For Authentication:

- Allow PEAP MSCHAPv2 as the allowed authentication protocol

- Select Active Directory for the Authentication Store

For Authorization:

- Create a rule that checks that the endpoint is part of the desired AD group (for instance, domain computers)

- Deny everything else

The Windows Computers should be configured to:

- Perform PEAP based authentication

- Computer type authentication only

- Set to trust the CA that signed the ISE certificate

I hope this helps!

Thank you for rating helpful posts!

Thanks Neno,

kamlenegi — Wed, 20 Apr 2016 07:10:08 GMT

Thanks Neno,

I have done this for domain users but now facing problem some time domain users getting APIPA ip address initially and after release/renew they get actual IP. Same issue is happening with Guest Wireless users. Is there any KB for windows 7, Service Pack 1 , 32 bit OS.

Thanks

Kamlesh

Sounds like the DHCP requests

nspasov — Wed, 20 Apr 2016 17:27:32 GMT

Sounds like the DHCP requests are timing out and as a result the client is getting the 169.x.x.x address. What values do you have for your timers?

Thank you for rating helpful posts!

Hi Neno,

kamlenegi — Thu, 21 Apr 2016 11:14:36 GMT

Hi Neno,

Attached snapshot for timer. One more question for regarding license, ISE is consuming license for old connection which is not active but showing authenticated & started. Is there any setting do I need in ISE.

Thanks

Kamlesh

So you are doing a VLAN

nspasov — Sun, 24 Apr 2016 01:14:24 GMT

So you are doing a VLAN override on the guest clients? The reason I ask is because I have never been able to get that feature to work well. Instead, I have always preferred to use DACLs (Switched Guests) and Named-ACLs (WLCs).

If you must use that feature I would suggest increasing the timers a bit and see if that works.

For your licensing question:

The Cisco ISE license is counted as follows:

A Base or Advanced license is consumed based on the feature that is utilized.
An endpoint with multiple network connections can consume more than one license per MAC

address. For example, a laptop connected to wired and also to wireless at the same time. Licenses

for VPN connections are based on the IP address.

Licenses are counted against concurrent, active sessions. An active session is one for which a

RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received.

Note Sessions without RADIUS activity are automatically purged from Active Session list every

5 days or if the endpoint is deleted from the system.

To avoid service disruption, Cisco ISE continues to provide services to endpoints that exceed license

entitlement. Cisco ISE instead relies on RADIUS accounting functions to track concurrent endpoints on

the network and generate alarms when endpoint counts exceed the licensed amounts:

80% Info
90% Warning
100% Critical

Thank you for rating helpful posts!

Thanks Neno,

kamlenegi — Mon, 25 Apr 2016 09:14:40 GMT

Thanks Neno,

I am changing the solution for guest and assigning IP address which is unauth.

One more question regarding mobile wireless users in flexconnect. It seems that flexconnect environment doesn't support mac filtering. Is there any way ISE support mac authentication for mobile devices. My requirement is three group of mobile users should get different subnet which is possible from WLC making three ssids but should mac authenticate which is not possible in WLC using flexconnect. Three different subnet is required for Proxy filtering.

Thanks for your help.

You are most welcome!

nspasov — Mon, 25 Apr 2016 15:39:38 GMT

You are most welcome!

Regards,

Neno