https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584765#M529496 <HTML><HEAD></HEAD><BODY><P>Thanks Everyone,</P><P>I forgot that in the DOT1X config I could specify Computer and User, or just Computer.</P><P>I am going to try this first.</P><P>Thanks Jason &amp; Paul</P><P></P><P>-Ed</P></BODY></HTML> Tue, 23 May 2017 20:24:31 GMT ntwkdsnr123 2017-05-23T20:24:31Z https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584760#M529488 <HTML><HEAD></HEAD><BODY><P>Hi There,</P><P></P><P>I'm trying to set up a public type kiosk that will have restricted access to certain network resources.&nbsp; I have ISE 2.1 running and is currently integrated with Active Directory.&nbsp; The access is going to be determined via a DACL that will get downloaded to the Cisco switch interface that the kiosk is connected to.&nbsp; I am looking for a certain Organizational Unit in AD that the kiosk machine is a member of.</P><P></P><P>When the kiosk PC is booted up and authenticates via dot1x, the OU is matched and the DACL is applied to the interface.</P><P></P><P>At that point the installer or tech logs into AD with a generic login on the kiosk, ISE goes down through again in our authorization policies and matches the AD user for our domain and then applies another policy, and downloads one of our standard DACLs.</P><P></P><P>Is there a way to only use the defined machine that is in AD instead of the Machine then Domain User?&nbsp; Or a way to stop the process after the interface receives the correct DACL?</P><P></P><P>Thanks,</P><P>Ed</P></BODY></HTML> Tue, 23 May 2017 18:16:56 GMT https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584760#M529488 ntwkdsnr123 2017-05-23T18:16:56Z https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584761#M529490 <HTML><HEAD></HEAD><BODY><P>What about machine auth only and then do cwa portal</P><P></P><P>CWA chaining</P></BODY></HTML> Tue, 23 May 2017 18:25:59 GMT https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584761#M529490 Jason Kunst 2017-05-23T18:25:59Z https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584762#M529492 <HTML><HEAD></HEAD><BODY><P>As Jason said it sounds like you just want Computer Auth only and don't ever want the supplicant to transition to user auth.&nbsp; The default settings for Windows supplicant when enabled is Computer or User.&nbsp; Just go in a change the supplicant to Computer Only and you should be set.</P><P></P><P><IMG alt="Computer Auth.JPG" class="image-1 jive-image" src="/legacyfs/online/fusion/107775_Computer Auth.JPG" style="height: auto;" /></P></BODY></HTML> Tue, 23 May 2017 19:16:56 GMT https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584762#M529492 paul 2017-05-23T19:16:56Z https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584763#M529494 <HTML><HEAD></HEAD><BODY><P>if it possible for him to do the following:</P><P></P><P>On ISE:</P><P>AuthC: if domain pc, then use AD1</P><P>AuthZ: if domain pc, then permit-access with dACL</P><P></P><P>on PC: PEAP, Computer authentication</P></BODY></HTML> Tue, 23 May 2017 19:48:22 GMT https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584763#M529494 Ping Zhou 2017-05-23T19:48:22Z https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584764#M529495 <HTML><HEAD></HEAD><BODY><P>Yes but to be clear, because this is often a point of confusion with customers, you have the AuthC part wrong:</P><P></P><P>AuthC: Valid AD credentials (computer or user)</P><P></P><P>AuthZ: If member of Domain Computers and PEAP then permit access with dACL.</P><P></P><P>There is nothing other than valid AD credential checking happening in the AuthC phase. All the magic in ISE happens in Authz.</P><P></P><P>Paul Haferman</P><P>Office- 920.996.3011</P><P>Cell- 920.284.9250</P></BODY></HTML> Tue, 23 May 2017 19:52:24 GMT https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584764#M529495 paul 2017-05-23T19:52:24Z https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584765#M529496 <HTML><HEAD></HEAD><BODY><P>Thanks Everyone,</P><P>I forgot that in the DOT1X config I could specify Computer and User, or just Computer.</P><P>I am going to try this first.</P><P>Thanks Jason &amp; Paul</P><P></P><P>-Ed</P></BODY></HTML> Tue, 23 May 2017 20:24:31 GMT https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584765#M529496 ntwkdsnr123 2017-05-23T20:24:31Z https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584766#M529497 <HTML><HEAD></HEAD><BODY><P>If you do computer only then you Will loose the ability to track user logins and audit trail</P><P></P><P>so you could chain with CWA </P></BODY></HTML> Tue, 23 May 2017 20:43:07 GMT https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584766#M529497 Jason Kunst 2017-05-23T20:43:07Z https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584767#M529498 <HTML><HEAD></HEAD><BODY><P>Hi Folks,</P><P></P><P>I set just computer authentication under the 802.1x setting on the Windows machine.&nbsp; Authentication is failing now.&nbsp; In ISE details I see a 5400 Authentication failed event and a 12511 Unexpectedly received TLS alert message from the client.</P><P></P><P>The resolution suggested has to do with trusting the ISE server certificate.</P><P></P><P>Am I on the right path here? Or can it be something else?</P><P></P><P>Thanks,</P><P>Ed</P></BODY></HTML> Wed, 24 May 2017 22:37:44 GMT https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584767#M529498 ntwkdsnr123 2017-05-24T22:37:44Z https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584768#M529499 <HTML><HEAD></HEAD><BODY><P>Ed,</P><P></P><P>Didn’t you say that computer authentication was working before?</P><P></P><P>Is this computer joined to the domain? Did you keep the setting at PEAP? What happens when you reboot and don’t login?</P><P></P><P>Paul Haferman</P><P>Office- 920.996.3011</P><P>Cell- 920.284.9250</P></BODY></HTML> Wed, 24 May 2017 23:17:59 GMT https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584768#M529499 paul 2017-05-24T23:17:59Z https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584769#M529500 <HTML><HEAD></HEAD><BODY><P>When testing, can you try unchecking "validate server certificate " on your PEAP setting on the windows PC? So you can tell if it's Radius server cert issue?</P></BODY></HTML> Thu, 25 May 2017 00:56:54 GMT https://community.cisco.com/t5/network-access-control/ise-and-ad-question-when-the-host-machine-is-in-a-certain-ou/m-p/3584769#M529500 Ping Zhou 2017-05-25T00:56:54Z