topic Re: ISE 2.3 || ISE-PIC with Domain Computers in Network Access Control https://community.cisco.com/t5/network-access-control/ise-2-3-ise-pic-with-domain-computers/m-p/3603214#M521325 <HTML><HEAD></HEAD><BODY><P>Passive ID validates user login events.&nbsp; If customer wishes to validate PC is member of domain, then recommend machine auth via 802.1X PEAP or EAP-TLS with machine cert.&nbsp; Another method to validate AD membership (albeit not as secure as 802.1X) is to use AD Probe from Profiler which can efficiently determine AD membership based on hostname (learned from DNS, DHCP, or prior machine auth), or NMAP probe with SMB discovery option enabled.</P><P></P><P>Craig</P></BODY></HTML> Tue, 26 Sep 2017 11:07:17 GMT Craig Hyps 2017-09-26T11:07:17Z ISE 2.3 || ISE-PIC with Domain Computers https://community.cisco.com/t5/network-access-control/ise-2-3-ise-pic-with-domain-computers/m-p/3603213#M521324 <HTML><HEAD></HEAD><BODY><P>Hi Team,</P><P></P><P>My Customer is asking the following use-case <SPAN style="font-size: 10pt;">based on AD group and passive ID</SPAN><SPAN style="font-size: 10pt;">:</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">Deny policy for the PC without Domain.</SPAN></P><P><SPAN style="font-size: 10pt;">Permit policy for Domain User and Computer.</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">My understanding is that we don't support the Domain Computers in PassiveID... is that correct?</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">Please advise.<BR /></SPAN></P></BODY></HTML> Tue, 26 Sep 2017 09:00:35 GMT https://community.cisco.com/t5/network-access-control/ise-2-3-ise-pic-with-domain-computers/m-p/3603213#M521324 musultan 2017-09-26T09:00:35Z Re: ISE 2.3 || ISE-PIC with Domain Computers https://community.cisco.com/t5/network-access-control/ise-2-3-ise-pic-with-domain-computers/m-p/3603214#M521325 <HTML><HEAD></HEAD><BODY><P>Passive ID validates user login events.&nbsp; If customer wishes to validate PC is member of domain, then recommend machine auth via 802.1X PEAP or EAP-TLS with machine cert.&nbsp; Another method to validate AD membership (albeit not as secure as 802.1X) is to use AD Probe from Profiler which can efficiently determine AD membership based on hostname (learned from DNS, DHCP, or prior machine auth), or NMAP probe with SMB discovery option enabled.</P><P></P><P>Craig</P></BODY></HTML> Tue, 26 Sep 2017 11:07:17 GMT https://community.cisco.com/t5/network-access-control/ise-2-3-ise-pic-with-domain-computers/m-p/3603214#M521325 Craig Hyps 2017-09-26T11:07:17Z