https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429531#M536383 <HTML><HEAD></HEAD><BODY><DIV><P>Hi howon, </P><P>Thanks for your advice. </P><P>If the endpoint do machine authentication to domain controller, how it can be done without an IP address? </P><P>Have you try this before?</P></DIV></BODY></HTML> Wed, 25 Jan 2017 16:54:12 GMT Kevin Raditheo 2017-01-25T16:54:12Z https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429529#M536380 <HTML><HEAD></HEAD><BODY><DIV><P>Hi all, </P><P></P><P>I want to ask some questions. </P><P></P><P>Currently I'm using Cisco ISE for dynamic vlan assignment based on group on AD. </P><P></P><P>The problem I'm facing is, the user will only get IP address after they put username and password in dot1x supplicant. But sometimes, some user need to contact their domain controller for their windows login and this happens before the endpoint get an IP address. So the endpoint can't contact their DC. </P><P></P><P>Any suggestions for this case? </P><P></P><P>Thank you very much for your advice.</P></DIV></BODY></HTML> Wed, 25 Jan 2017 15:13:02 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429529#M536380 Kevin Raditheo 2017-01-25T15:13:02Z https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429530#M536381 <HTML><HEAD></HEAD><BODY><P>When user is not logged in, typically the Windows Supplicant is configured to do machine authentication. You will need to create a policy that allows AD 'Domain Computers' Group to have access to the Domain controllers to let the endpoints contact domain controllers.</P></BODY></HTML> Wed, 25 Jan 2017 16:01:01 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429530#M536381 howon 2017-01-25T16:01:01Z https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429531#M536383 <HTML><HEAD></HEAD><BODY><DIV><P>Hi howon, </P><P>Thanks for your advice. </P><P>If the endpoint do machine authentication to domain controller, how it can be done without an IP address? </P><P>Have you try this before?</P></DIV></BODY></HTML> Wed, 25 Jan 2017 16:54:12 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429531#M536383 Kevin Raditheo 2017-01-25T16:54:12Z https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429532#M536384 <HTML><HEAD></HEAD><BODY><P>Just like you authenticate AD user via 802.1x, you can authenticate AD joined machine (computer) to authenticate via 802.1x. It is configurable in the supplicant. Make sure it is set to 'User or Computer authentication' which is the default. Since this is 802.1x authentication it happens at OSI layer 2 without IP. See supplicant setting below on Windows:</P><P><IMG alt="Screen Shot 2017-01-25 at 11.05.01 AM.png" class="image-1 jive-image" src="/legacyfs/online/fusion/104082_Screen Shot 2017-01-25 at 11.05.01 AM.png" style="height: 706px; width: 620px;" /></P></BODY></HTML> Wed, 25 Jan 2017 17:07:26 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429532#M536384 howon 2017-01-25T17:07:26Z https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429533#M536385 <HTML><HEAD></HEAD><BODY><DIV><P>Thank howon, </P><P>I think I get it. So the endpoint will authenticate with its machine name through ISE and ISE will query the AD just like user authentication, right? </P><P>So I will need a policy with a condition like, if the user is domain computer or something like that. </P><P>How about the policy result? Must I put default permit access or can I restrict the traffic with an ACL so it can only contact the DC but not anything else?</P></DIV></BODY></HTML> Wed, 25 Jan 2017 17:24:54 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429533#M536385 Kevin Raditheo 2017-01-25T17:24:54Z https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429534#M536386 <HTML><HEAD></HEAD><BODY><P>Yes, typically you would allow access to AD related IP only + DHCP &amp; DNS.</P></BODY></HTML> Wed, 25 Jan 2017 17:27:47 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-dynamic-vlan-with-microsoft-ad/m-p/3429534#M536386 howon 2017-01-25T17:27:47Z