topic Re: Machine/computer Authentication in ISE in Network Access Control

Machine/computer Authentication in ISE

Srinivasan Nagarajan — Mon, 27 May 2019 13:31:21 GMT

Hi Experts,

I'm new to ISE and we've setup machine+user authentication. While going through the machine authentication, in one of the blogs, described as : When a Windows desktop machine joins Active Directory, there is a computer account that gets created and a unique password is negotiated between the machine and AD.

So,this computer account can now be used to identify the machine, even when no user is logged in, which can be used to provide the machine access to the network and machine authorization policies are enforced. So, we've setup the policies as below:

Rule no 1:

Ise.local:ExternalGroups==Domain Computers

With the 1st rule, machine will get authorized access when it boots up ( Before user enters his credentials)

Rule no 2:

Network Access:WasMachineAuthenticated ==True

AND

ise.local:ExternalGroups==Domain Users

Now in 2nd rule user will enter credentials and he will get authorized access.

Since we've MAR (Network Access:WasMachineAuthenticated ==True) in place, only machine which was authenticated earlier will be allowed, right...My Query is what if PC (new one) that has never joined before AD will be authenticated and granted access..? Please assist.

Re: Machine/computer Authentication in ISE

aivanin — Tue, 28 May 2019 06:12:00 GMT

Hello,
why it is authenticated if never joined to AD? It not authenticated because isn't consists on Domain Computers group.

Re: Machine/computer Authentication in ISE

craig.beck — Tue, 28 May 2019 10:21:28 GMT

If a PC isn't a "Domain Computer" it won't get access, according to your policy.

Typically you'll need a rule at the top of your policy to allow PCs to connect based on MAB, or you could use PEAP to allow a "Domain User" to authenticate so you can do the domain join on the PC. Once that bit is done the PC will authenticate.

Take care if you use PEAP though as you could be allowing any domain user to connect any device to the network if you use the "Domain Users" AD group. I would create a specific security group in AD for this purpose and use that group in a rule, so only a specific user (or group of users) can perform this task.