topic Re: how to block non-computer join domain with cisco ISE ? in Network Access Control

how to block non-computer join domain with cisco ISE ?

bunleang — Thu, 10 Feb 2022 06:57:16 GMT

Hi team,

anyone can share how to block non-computer join to domain with cisco ISE ? Does it possible to block non-computer join to domain or not with cisco ISE ?

Thank in advance for your help

Re: how to block non-computer join domain with cisco ISE ?

Rob Ingram — Thu, 10 Feb 2022 07:48:40 GMT

Hi @bunleang there are several options:

- You could issue a computer certificate to the domain joined computer, computers without this certificate will fail to authenticate.

- You could use EAP-TEAP (if your Windows 10 devices support it) which combines computer and user authentication (PEAP/MSCHAPv2 or TLS), if a non-domain joined computers fails both they will not be connected to the network.

- You could use a custom profile using the AD Probe to determine whether the computer attempting to connect to the network is joined to the domain, this is the least preferred option.

Re: how to block non-computer join domain with cisco ISE ?

bunleang — Thu, 10 Feb 2022 07:50:02 GMT

Could you share with me the way to block with option AD probe to block non-computer join domain ?

You could use AD Probe to determine whether the computer attempting to connect to the network is joined to the domain, this is the least preferred option.

Re: how to block non-computer join domain with cisco ISE ?

Rob Ingram — Thu, 10 Feb 2022 08:20:46 GMT

@bunleang here is the Cisco guide.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200553-Configure-ISE-2-1-Profiling-Services-bas.pdf

You essentially create an AD Probe to query the AD domain, a computer that is AD joined MAC address is added to an Identity Group. You use this Identity Group in the ISE AuthZ policy, any device not matching can be denied.

Re: how to block non-computer join domain with cisco ISE ?

Mike.Cifelli — Thu, 10 Feb 2022 12:40:14 GMT

Totally agree with @Rob Ingram options. Sharing another option available and that is ISE posturing. You could perform posture assessment against clients to determine if AD joined assets. The posture solution is a bit complex, but really valuable: ISE Posture Prescriptive Deployment Guide - Cisco Community

The example I am thinking of would be a registry check via posture assessment:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\
type: STRING - MachineDomain EQUALS <domain value>

HTH!

Re: how to block non-computer join domain with cisco ISE ?

Cisco-User500 — Wed, 16 Feb 2022 03:11:31 GMT

If the computer is running Windows 10, why not use TEAP and use both machine and user authentication. If the machine is not part of the AD, it will fail authentication.

Re: how to block non-computer join domain with cisco ISE ?

Massimo Baschieri — Wed, 16 Feb 2022 05:24:30 GMT

I take the chance to launch a provocation.....isn't TLS alone a quite good warranty that the login comes from a domain host?

If I avoid manual certificate installation how can a user certificate be installed on a non domain computer?

Re: how to block non-computer join domain with cisco ISE ?

jamesbos96602 — Sat, 19 Feb 2022 18:10:32 GMT

u cant join a domin unless the person is part of doman admin grope

it will ask for domain admin name and password

so it not possable to join

but u can also set gpo to make shure it only apply to domain members and block all others