https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4433516#M568475 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1223492">@Anil Ku</a>&nbsp;,</P><P>&nbsp;</P><P>Do you have any challenges in case we have many branches. so, you need to separate build area for each branches?</P><P>other thing, we need to bring that workstation from user placed to that build area. to do that it required alot of time and will delay for fixing issue. example: sometime not for new workstation need to join domain, it can be exiting that have problem with domain not sycn or need to re-join.</P><P>&nbsp;</P><P>Cisco should have good solution for this.</P><P>&nbsp;</P><P>Any other advise based on above concern. Thank you so much.</P> Thu, 15 Jul 2021 04:25:52 GMT Sina Dy 2021-07-15T04:25:52Z https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4394155#M566899 <P>Hello Team,</P><P>I have Cisco ISE 2.4.. 802.1x with domain authentication is working perfectly..</P><P>&nbsp;</P><P>when i am adding any new laptop to domain.. I am not able to do that in secure port.. means port where 802.1x is already configured..</P><P>&nbsp;</P><P>in non secure port, I am able to build new laptop and add it into the domain..</P><P>&nbsp;</P><P>Any idea, what should i do here..</P><P>&nbsp;</P><P>Best Regards</P><P>Anil Singh</P> Tue, 27 Apr 2021 16:01:12 GMT https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4394155#M566899 anilkumar.cisco 2021-04-27T16:01:12Z https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4394160#M566900 <P>In most cases that will be in the Build stage and Build area,&nbsp; the ports can be unauthenticated, so you know these are used for building new devices and join them to Domain.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 27 Apr 2021 16:09:31 GMT https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4394160#M566900 balaji.bandi 2021-04-27T16:09:31Z https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4394401#M566911 <P>Any alternative to this..</P><P>&nbsp;</P><P>Shall i allow AD IP in pre-auth ACL.. after this things started working.. but seems some security issue..</P><P>&nbsp;</P><P>Also, if i will create an White-list MAC address on the ISE then.. the extra burden will come ISE Admin.</P><P>&nbsp;</P><P>the problem is , The customer is challenging that the same thing was working perfectly on some old site.. which is decommision now..</P><P>&nbsp;</P><P>Is it possible.. i can will add computer Certificate + USer certificate manually to the PC which i am building and then&nbsp; add it domain via dot1x policy...</P><P>&nbsp;</P><P>Best Regards</P><P>Anil Singh</P> Tue, 27 Apr 2021 23:21:04 GMT https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4394401#M566911 anilkumar.cisco 2021-04-27T23:21:04Z https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4394458#M566913 <P>This is a common issue due to the way Windows builds work. See a similar discussion with some options in this post.</P> <P><A href="https://community.cisco.com/t5/network-access-control/pc-imaging-on-nac-secured-ports/td-p/3486098" target="_blank" rel="noopener">PC Imaging on NAC secured ports</A>&nbsp;</P> Wed, 28 Apr 2021 02:30:04 GMT https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4394458#M566913 Greg Gibbs 2021-04-28T02:30:04Z https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4394884#M566942 <P>I am confuse now..</P><P>after changing the switch side configuration order from mab dotx to dot1x mab.. the device of work group started authenticated via dot1x..</P><P>&nbsp;</P><P>is it because the workgroup device is already have certificate installed on it that's why....</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 28 Apr 2021 15:49:02 GMT https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4394884#M566942 anilkumar.cisco 2021-04-28T15:49:02Z https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4432910#M568449 <P>Hi, I have the same case. Any suggestion for that compatible solution?&nbsp;</P><P>&nbsp;</P><P><STRONG>Note: we're ISE administrator, for&nbsp; our current when have new PC that need to join domain we help whitelist from ISE dashboard or exclude the switch port without apply low impact mode then Desktop Support team can perform join domain and install software from their checklist. and after they completed we remove from whitelist. but this is required alot teams for help and also workload and low productivity. example sometime Desktop Support team need to fix issue or re-join domain immediately&nbsp;but they need to contact ISE administrator&nbsp;or network team to do whitelist or exclusive switch port.</STRONG></P><P><STRONG>And our environment&nbsp;before apply ISE, Desktop Support team can join or re-join domain at user place.</STRONG></P><P>&nbsp;</P><P>Thank you so much for advise.</P> Wed, 14 Jul 2021 09:46:13 GMT https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4432910#M568449 Sina Dy 2021-07-14T09:46:13Z https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4432994#M568451 <P>Hello Sina,</P><P>&nbsp;</P><P>the solution is already provided by&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/388087">@Greg Gibbs</a>&nbsp;..</P><P>&nbsp;</P><P><A href="https://community.cisco.com/t5/network-access-control/pc-imaging-on-nac-secured-ports/td-p/3486098" target="_blank">Solved: PC Imaging on NAC secured ports - Cisco Community</A></P><P>&nbsp;</P><P>we have to choose from the options..</P><P>&nbsp;</P><P>I have chosen option 1</P><P>i.e.&nbsp;</P><P><SPAN>Provide a separate build area that does not have NAC enabled but requires physical security to access</SPAN></P><P>&nbsp;</P> Wed, 14 Jul 2021 12:09:52 GMT https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4432994#M568451 Anil Ku 2021-07-14T12:09:52Z https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4433516#M568475 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1223492">@Anil Ku</a>&nbsp;,</P><P>&nbsp;</P><P>Do you have any challenges in case we have many branches. so, you need to separate build area for each branches?</P><P>other thing, we need to bring that workstation from user placed to that build area. to do that it required alot of time and will delay for fixing issue. example: sometime not for new workstation need to join domain, it can be exiting that have problem with domain not sycn or need to re-join.</P><P>&nbsp;</P><P>Cisco should have good solution for this.</P><P>&nbsp;</P><P>Any other advise based on above concern. Thank you so much.</P> Thu, 15 Jul 2021 04:25:52 GMT https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4433516#M568475 Sina Dy 2021-07-15T04:25:52Z https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4436647#M568587 <P>what i know.. I have already shared with you.. Best check with your Cisco Account Management team.</P> Wed, 21 Jul 2021 13:05:32 GMT https://community.cisco.com/t5/network-access-control/workgroup-pc-need-to-add-on-domain-in-secure-port/m-p/4436647#M568587 anilkumar.cisco 2021-07-21T13:05:32Z