topic Using ISE 2.3 for 802.1x on wireless - domain joined computers only in Network Access Control

Using ISE 2.3 for 802.1x on wireless - domain joined computers only

RasmusAndersen1989 — Thu, 14 Dec 2017 12:11:26 GMT

Hey everyone

i am trying to create a SSID that authenticates towards the ISE server, the only condition that should allow anyone to join is that their machine is domain joined.

I am having issues using domain groups to match in my policies? i tried retrieving external groups via administration - External identity Sources - Active directory - and groups, i have retrieved domain admins, domain computers, and domain users.

but i can't find them anywhere when i want to define policy sets. am i understanding this the wrong way?

anyone that could clarify?

Re: Using ISE 2.3 for 802.1x on wireless - domain joined computers only

RasmusAndersen1989 — Thu, 14 Dec 2017 12:23:39 GMT

as you can see my ise servers are joined with the AD

i found these groups, that i wanted to use.

i tried finding any of the domain groups in admin groups as well, since i also want to use domain users to access the ISE server for management.

Re: Using ISE 2.3 for 802.1x on wireless - domain joined computers only

Jason Kunst — Thu, 14 Dec 2017 22:17:19 GMT

researching

Re: Using ISE 2.3 for 802.1x on wireless - domain joined computers only

hslai — Fri, 15 Dec 2017 00:54:37 GMT

We need save the groups after select the groups from directory in the groups tab of Active Directory. After that, we should be able to use them as conditions in ISE authorization policies of any policy sets and to use them to authorize AD users to manage ISE.

To allow domain-joined computers on wireless, we need either using computer-only authentication or EAP-Chaining with AnyConnect NAM or the endpoints profiled and classified/grouped as domain-joined.

Re: Using ISE 2.3 for 802.1x on wireless - domain joined computers only

Craig Hyps — Fri, 15 Dec 2017 01:00:48 GMT

Is the issue that you are not sure where to go in Policy Sets to add condition? Or that the list of retrieved groups not displaying when you choose the AD ExternalGroups attribute under the Conditions Studio?

If former, then navigate to Policy Sets > (Policy_Set_To_Be_Configured) and click the right arrow at then end of the selected Policy Set. This will show the list of Authentication and Authorization Rules. Click on Authorization Policy line to show the rules. Similar to previous releases, click gear icon at end of a row to insert a rule, or else click the Conditions section to modify existing rule. Once in Condition Studio, select the specific AD dictionary. You can also click the group icon (4th in list) which include the AD:ExternalGroup attribute.

At this point, you should see option to select group from list. However, when I first tried this, the field was empty. I navigated to the Default Policy set and retried, but this time I was presented the list as shown below. Returning to new Policy Set, I again saw list. Not sure if timing issue, browser or defect. If able to replicate, then we should file bug with TAC. Here is what it should look like when working:

Getting back to your original goal of matching AD joined computers...If you are not performing 802.1X Machine Auth, then you cannot rely on matching the Domain Computers group in AD since the identity is not the machine, but the user, and the user is not a member of Domain Computers. Another simple way to achieve this with user auth is to use the AD Probe. Based on DHCP (or DNS reverse lookup), we fetch the hostname of endpoint and perform lookup to AD to determine if host exists in AD. You can then create a child profile to the Windows 7, 10 or other relevant profiles to match on this condition and set profile to "Corporate_WIndows7_Workstation". This works with MAB or 802.1X.

Regards,
Craig