https://community.cisco.com/t5/network-access-control/need-of-checking-computer-is-part-of-domain/m-p/3991220#M541016 You can accomplish what you are looking for a few different ways. A couple of questions for you:<BR />Do you have ISE integrated with AD?<BR />Do you have an internal PKI?<BR />Are you planning on using the native supplicant?<BR />Some options include:<BR />Utilizing ISE policy to map to AD security groups to validate the comp object (host) exists. Deploying native supplicant configs via GPO to accomplish the use of machine auth via eap-tls &amp; certificate auto-enrollment if you wish. If using AnyConnect client as your supplicant you could also deploy ISE posture module to perform system checks to ensure the host is a member of the domain via registry check and other viable options. Note that you will probably wont to incorporate OCSP checks to verify that the internal machine certs are valid as well during the eap-tls session. HTH! Fri, 29 Nov 2019 17:00:30 GMT Mike.Cifelli 2019-11-29T17:00:30Z https://community.cisco.com/t5/network-access-control/need-of-checking-computer-is-part-of-domain/m-p/3991171#M541004 <P>Hi All,&nbsp;</P><P>&nbsp;</P><P>In one of the requirements, we would like to restrict personal devices to access corporate networks over 802.1x wired or wireless using MSCHAP. We can add machine authentication on top of it.&nbsp;</P><P>&nbsp;</P><P>Can I simply use EAP-TLS to eliminate machine authentication? Only the devices having the certificate will be able to connect and no personal device would be able to login to the corporate network.&nbsp;</P><P>&nbsp;</P><P>I hope my logic is correct.</P><P>&nbsp;</P><P>Regards,</P><P>Munish Dhiman</P><P>&nbsp;</P> Fri, 29 Nov 2019 14:52:17 GMT https://community.cisco.com/t5/network-access-control/need-of-checking-computer-is-part-of-domain/m-p/3991171#M541004 munish.dhiman1 2019-11-29T14:52:17Z https://community.cisco.com/t5/network-access-control/need-of-checking-computer-is-part-of-domain/m-p/3991220#M541016 You can accomplish what you are looking for a few different ways. A couple of questions for you:<BR />Do you have ISE integrated with AD?<BR />Do you have an internal PKI?<BR />Are you planning on using the native supplicant?<BR />Some options include:<BR />Utilizing ISE policy to map to AD security groups to validate the comp object (host) exists. Deploying native supplicant configs via GPO to accomplish the use of machine auth via eap-tls &amp; certificate auto-enrollment if you wish. If using AnyConnect client as your supplicant you could also deploy ISE posture module to perform system checks to ensure the host is a member of the domain via registry check and other viable options. Note that you will probably wont to incorporate OCSP checks to verify that the internal machine certs are valid as well during the eap-tls session. HTH! Fri, 29 Nov 2019 17:00:30 GMT https://community.cisco.com/t5/network-access-control/need-of-checking-computer-is-part-of-domain/m-p/3991220#M541016 Mike.Cifelli 2019-11-29T17:00:30Z https://community.cisco.com/t5/network-access-control/need-of-checking-computer-is-part-of-domain/m-p/3991280#M541036 Hi Mike,<BR />Do you have ISE integrated with AD? Yes<BR />Do you have an internal PKI? Yes<BR />Are you planning on using the native supplicant? Anyconnect Posture module and VPN<BR /><BR />I like the posture registry check, would you suggest any configuration parameter? And does it work fine in production environments?<BR /><BR />Regards,<BR />MD<BR /> Fri, 29 Nov 2019 19:01:16 GMT https://community.cisco.com/t5/network-access-control/need-of-checking-computer-is-part-of-domain/m-p/3991280#M541036 munish.dhiman1 2019-11-29T19:01:16Z https://community.cisco.com/t5/network-access-control/need-of-checking-computer-is-part-of-domain/m-p/3991285#M541065 In regard to 8021x I assume you meant to include that you will run NAM as well. In my experience using the native supplicant is easier especially if just trying to accomplish comp authc via eap-tls. However, NAM introduces some additional capabilities such as eap-chaining. For the posture check I run several checks, but the one I mentioned is in production for all VPN access, and it works like a charm. My domain reg check condition looks like this:<BR />RegCheck_Domain<BR />Win10 ALL<BR />reg type = RegistryValue<BR />reg root key: HKLM<BR />sub key: SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\<BR />value name: MachineDomain<BR />datatype = string<BR />value operator EQUALS<BR />value data: &lt;YOURDomain&gt;<BR />I recommend utilizing AD sec group mapping in your authz conditions as well as another layer. HTH! Fri, 29 Nov 2019 19:21:46 GMT https://community.cisco.com/t5/network-access-control/need-of-checking-computer-is-part-of-domain/m-p/3991285#M541065 Mike.Cifelli 2019-11-29T19:21:46Z