topic Re: Cisco ISE Machine Authentication in Network Access Control

Cisco ISE Machine Authentication

techguy_cisco — Wed, 15 Jul 2020 10:16:06 GMT

Hi,

I'm working about windows machine authentication through ISE. I can see when windows supplicant is configured to use "Machine Authentication" it sends as "Radius-Username" its hostname and domain information. I only want to check if machine is inside my domain, It can be made making a rule that check if "Radius-Username" contains "my-domain-name", but I want to check if this computer is declared in Active Directory to avoid that someone could use a personal computer configuring manually the domain in the computer.

How can it be made?

Thank you very much.

Re: Cisco ISE Machine Authentication

Baconframe — Wed, 15 Jul 2020 11:10:06 GMT

A simple way to do this is to import the external group "Domain Computers" from the AD Identity Store.

Then you can just make sure that the supplicant is a member of this group:

Re: Cisco ISE Machine Authentication

techguy_cisco — Wed, 15 Jul 2020 12:37:20 GMT

Thank you Bejkonfrejm,

But I'm not sure about it if is wich I need. In the example that you've gave me, the authentication steps, will there be this ones?:

- ISE receives "Radius-Username" that ends with ".mydomain.com" (for example)

- Authentication is made through EAP-TLS

- ISE checks if this host "myhost.mydomain.com" belongs to AD group "xxxx/users/domain computers ¿?¿?¿?

Thank you very much.

Re: Cisco ISE Machine Authentication

Colby LeMaire — Wed, 15 Jul 2020 13:46:07 GMT

Authentication and authorization are separate things. With authentication, all ISE cares about is whether or not the device/user is truly who they say they are. This can be accomplished by checking a username/password combination (PEAP) or by checking for a valid certificate (EAP-TLS). With machine authentication on Windows computers, the machine will have a username and password that it presents to ISE for authentication. ISE verifies that with AD. Once authentication is successful, then ISE moves to the authorization policy.

For authorization, you can ensure that it was an actual computer that authenticated and that it wasn't a user account by checking membership in Domain Computers as the previous post recommended. This assures you that the device authenticating is a computer or at least its object is within the Domain Computer security group in AD.