topic ISE best practice for computer authentication question in Network Access Control

ISE best practice for computer authentication question

BrianPersaud — Mon, 29 Jul 2019 14:39:41 GMT

Hi All

I am in the process of deploying ISE at a company. The question is focused on wired authentication for AD joined computers.

Is there a benefit of doing authorization using certificates vs ISE checking if the computer is in a particular AD group e.g. Domain computers?

I am on ISE 2.4 Patch 9

Thanks

Brian

Re: ISE best practice for computer authentication question

hslai — Mon, 29 Jul 2019 17:11:16 GMT

Some benefits of cert-based auth are

AD replications on password changes could be slow
Password authentication might not be allowed; e.g. Microsoft Windows Defender Credential Guard

Re: ISE best practice for computer authentication question

Damien Miller — Tue, 30 Jul 2019 02:49:15 GMT

You can still check group membership or AD attributes of machines when doing certificate authentication. It is common to leverage one or the other to provide differentiated access while doing machine certificate auth.

Taking it a step further you could also leverage AnyConnect NAM with eap-chaining, authenticating both the machine and user at the same time.

It really comes down to the unique requirements of the deployment, no one is the same and there are many valid methods.