topic Single PC restriction for Windows Login in Network Access Control

Single PC restriction for Windows Login

nikhilcherian — Mon, 24 Sep 2018 18:56:35 GMT

Hi All,

Generally when a user is added in the domain, the user is added in a way he can login to any of the computers in the domain. I have a specific use case in which the domain admin wants to restrict a user to login specifically to only one PC. The moment this restriction is made in the AD, the ISE authentication fails for this user. I have tried allowing the user to access this particular PC as well as ISE, however that also didn't succeed

Any idea, when ISE sends the auth requests to the AD, how does the AD consider this request. Does the AD consider the user to login to the PC/ISE/switch

Regards

Nikhil

Re: Single PC restriction for Windows Login

paul — Mon, 24 Sep 2018 19:37:19 GMT

If you add the ISE PSN computer accounts in AD to the logon to workstation restrictions that should allow their account to work. You are saying that doesn't work? You could also switch ISE to using LDAP to AD which shouldn't trigger a logon to workstation restriction.

Re: Single PC restriction for Windows Login

howon — Tue, 25 Sep 2018 16:30:54 GMT

Just to add to what Paul mentioned. When ISE is integrated with AD, each ISE node become a computer object in the domain. When user authenticates via 802.1X, user is essentially logging on to the ISE node (Which considers to be logging on locally in terms of Windows user rights). Since PSN persona processes the authentication requests, you should add all of the PSNs to the allowed computer list for a give user along with one's Windows PC.

Re: Single PC restriction for Windows Login

nikhilcherian — Tue, 25 Sep 2018 17:58:00 GMT

I will double check this with the AD team & confirm if they have added all the ISE Nodes to the allowed list

Thanks