<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Machine and User Auth wireless? in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/machine-and-user-auth-wireless/m-p/4522905#M571908</link>
    <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/181608"&gt;@bhartsfield&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If EAP-TEAP or NAM is not an option then perhaps there is another way:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1) If the corporate machines are domain joined, then you could use Group Policy to push a machine cert to the AD joined devices, and push a profile that connects to the corp SSID using that cert. On the ISE Wireless 802.1X Policy Set, create a new "Allowed Protocols" where only EAP-TLS is ticked. That will ensure that corp devices MUST use certificates to connect - clients who don't have certs won't have a chance on the corp SSID.&lt;/P&gt;
&lt;P&gt;2) Allow EAP-PEAP, but check whether the user is a member of Domain Computers in the Authorization. Only domain joined computers will be members. Regular users will fail that check on the corp SSID.&lt;/P&gt;
&lt;P&gt;3) Create a separate SSID for employees to connect to, using their AD creds. Apply the VLAN/ACL as required.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 22 Dec 2021 21:01:11 GMT</pubDate>
    <dc:creator>Arne Bier</dc:creator>
    <dc:date>2021-12-22T21:01:11Z</dc:date>
    <item>
      <title>Machine and User Auth wireless?</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-and-user-auth-wireless/m-p/4522466#M571897</link>
      <description>&lt;P&gt;I have a request on an ISE 3.0 setup to use AD authentication on wireless 802.1x (5520 WLC) to specicify specific ACLs but also only allow access from corporate machines so a user can't pull up their ipad and enter in their AD credentials.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;From my research it seems this is only possible if use the anyconnect NAM which we would prefer not to do.&lt;BR /&gt;&lt;BR /&gt;So are there any options to do Cert machine Auth AND then user AD auth to for ACL application using ISE 3.0?&lt;/P&gt;</description>
      <pubDate>Wed, 22 Dec 2021 03:51:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-and-user-auth-wireless/m-p/4522466#M571897</guid>
      <dc:creator>bhartsfield</dc:creator>
      <dc:date>2021-12-22T03:51:19Z</dc:date>
    </item>
    <item>
      <title>Re: Machine and User Auth wireless?</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-and-user-auth-wireless/m-p/4522623#M571902</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/181608"&gt;@bhartsfield&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;You can do combine machine and user authentication using the relatively new TEAP protocol, assuming your computers are using Window 10 build 2004.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Reference:- &lt;A href="https://community.cisco.com/t5/security-documents/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289" target="_blank"&gt;https://community.cisco.com/t5/security-documents/teap-for-windows-10-using-group-policy-and-ise-teap/ta-p/4134289&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 22 Dec 2021 10:49:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-and-user-auth-wireless/m-p/4522623#M571902</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2021-12-22T10:49:06Z</dc:date>
    </item>
    <item>
      <title>Re: Machine and User Auth wireless?</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-and-user-auth-wireless/m-p/4522905#M571908</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/181608"&gt;@bhartsfield&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If EAP-TEAP or NAM is not an option then perhaps there is another way:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1) If the corporate machines are domain joined, then you could use Group Policy to push a machine cert to the AD joined devices, and push a profile that connects to the corp SSID using that cert. On the ISE Wireless 802.1X Policy Set, create a new "Allowed Protocols" where only EAP-TLS is ticked. That will ensure that corp devices MUST use certificates to connect - clients who don't have certs won't have a chance on the corp SSID.&lt;/P&gt;
&lt;P&gt;2) Allow EAP-PEAP, but check whether the user is a member of Domain Computers in the Authorization. Only domain joined computers will be members. Regular users will fail that check on the corp SSID.&lt;/P&gt;
&lt;P&gt;3) Create a separate SSID for employees to connect to, using their AD creds. Apply the VLAN/ACL as required.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 22 Dec 2021 21:01:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-and-user-auth-wireless/m-p/4522905#M571908</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2021-12-22T21:01:11Z</dc:date>
    </item>
  </channel>
</rss>

